HIPAA Security and the Administrative Safeguards—Part 1
August 2003 Issue
In the last article, we divided the Security Rule standards into four categories: administrative safeguards, physical safeguards, technical safeguards, and organizational safeguards. We then listed all the standards and their implementation specifications, identifying whether they were required or addressable.
In this article we will cover the first administrative safeguard standard in detail and how it will affect your O&P organization.
Security Management Process Standard
The Security Management Process Standard establishes a formal security management process that includes the creation, administration, and oversight of policies to address the full range of security issues and to ensure the prevention, detection, containment, and correction of security violations. Implementation features include: 1) risk analysis, 2) risk management, 3) sanction policy, and 4) information system activity review.
1) Risk Analysis (Required)
Implementation specification: Your organization must conduct an accurate and thorough assessment (a risk analysis) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (PHI).
What it means to your organization: Your organization needs to identify potential risks to electronic PHI, determine whether appropriate security measures have been taken or still need to be taken, and determine what the "relevant losses" would be if those security measures were not in place. Risks include items such as unauthorized uses and disclosures and loss of data integrity. The risk analysis forms the foundation upon which your security activities are built, so your analysis should cover the implementation specifications of all the other Security Rule standards and their associated risks. This will help ensure your organization's compliance with the standards. The risk analysis must be documented and retained for six years, and should be periodically reassessed and updated as needed.
2) Risk Management (Required)
Implementation specification: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
What it means to your organization: Your organization will need to plan for and manage the implementation and maintenance of the security measures identified in the risk analysis. Although a formal plan is not required (only documentation of your security implementations is), I believe a plan is a basic element that will help your organization implement the Security standards. Your organization should document and retain its risk management plan or its security implementation documents.
3) Sanction Policy (Required)
Implementation specification: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
What it means to your organization: Your organization will need to create a sanction policy for the Security standards. These sanctions can be combined with the Privacy Rule sanctions. As with the Privacy Rule, the type and severity of the sanctions imposed, and the causes for which they are imposed, are determined by your organization. Again, this policy must be documented and retained for six years, and should be periodically reassessed and updated as needed.
4) Information System Activity Review (Required)
Implementation specification: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident-tracking reports.
What it means to your organization: Your organization will need to document which records of electronic PHI activity are reviewed, and how often, to ensure there have been no security incidents that warrant attention. If you are a smaller organization and you don't currently have access to reports or audit logs, you may want to ask your software vendor to provide these reports for you. Your access reports should also take into consideration the security measures implemented to limit a workforce member's access to electronic PHI, so that access outside those limits stands out. The procedures developed for this implementation need to be documented and retained for six years, and should be periodically reassessed and updated as needed.
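As an added illustration of this implementation specification (example code written for this article, not from the author, Provaliant, or any vendor product), the following script reviews constructed audit log lines against a hypothetical role-based access policy and flags the entries that warrant follow-up. The log format, the policy table, and the business-hours window are all assumptions; a real review would use your own system's reports.

```python
"""Minimal information system activity review (added example, not from the article).

Assumed log format (constructed):  timestamp|user|role|action|record
Assumed policy: which actions each role may perform on electronic PHI.
"""
from collections import Counter
from datetime import datetime

# Hypothetical access limits placed on workforce members (assumption).
ACCESS_POLICY = {
    "clinician": {"view", "update"},
    "billing": {"view"},
    "front_desk": {"view_demographics"},
}

# Constructed sample audit log lines; not real patient data.
SAMPLE_LOG = """\
2003-08-04T09:12:00|jdoe|clinician|view|PT-1001
2003-08-04T09:15:00|jdoe|clinician|update|PT-1001
2003-08-04T11:02:00|msmith|billing|view|PT-1002
2003-08-04T23:40:00|msmith|billing|update|PT-1002
2003-08-05T02:10:00|rjones|front_desk|view|PT-1003
"""

def parse_log(text):
    """Parse audit log lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, record = line.split("|")
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "record": record})
    return entries

def review_activity(entries, policy, business_hours=(7, 19)):
    """Return findings: actions outside the role's permitted set (policy
    violations) and PHI access outside business hours (for follow-up)."""
    findings = []
    for e in entries:
        if e["action"] not in policy.get(e["role"], set()):
            findings.append(("policy_violation", e["user"], e["action"], e["record"]))
        if not (business_hours[0] <= e["time"].hour < business_hours[1]):
            findings.append(("after_hours_access", e["user"], e["action"], e["record"]))
    return findings

def review_summary(findings):
    """Count findings by type, suitable for the retained review record."""
    return Counter(kind for kind, *_ in findings)
```

Retaining the summary together with the date of each review provides the documentation trail the standard asks for.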
The article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult with an attorney.
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.