In the last article, we divided the Security Rule
standards into four categories: administrative safeguards,
physical safeguards, technical safeguards, and organizational
safeguards. We then listed all the standards and their
implementation specifications, identifying whether they were
required or addressable.
In this article we will cover the first administrative
safeguard standard in detail and how it will affect your O&P
organization.
Security Management Process Standard
The Security Management Process Standard establishes a formal
security management process that includes the creation,
administration, and oversight of policies to address the full range
of security issues and to ensure the prevention, detection,
containment, and correction of security violations. Implementation
features include: 1) risk analysis, 2) risk management, 3) sanction
policy, and 4) information system activity review.
1) Risk Analysis (Required)
Implementation specification: Your organization must
conduct an accurate and thorough assessment (risk analysis) of the
potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic protected health
information (PHI).
What it means to your organization: Your organization
needs to identify potential risks to electronic PHI, determine
whether appropriate security measures have been taken or still need
to be taken, and determine what the “relevant losses” would be if
those security measures were not in place. Risks include items such
as unauthorized uses and disclosures and loss of data integrity.
The risk analysis forms the foundation upon which your security
activities are built, so it should cover the implementation of every
other Security standard and the risks each one addresses. This will
help ensure your organization’s compliance with the standards. The
risk analysis must be documented and retained for six years, and it
should be periodically reassessed and updated as needed.
2) Risk Management (Required)
Implementation specification: Implement security
measures sufficient to reduce risks and vulnerabilities to a
reasonable and appropriate level.
What it means to your organization: Your organization
will need to plan for and manage the implementation and maintenance
of the security measures identified in the risk analysis. Although a
formal plan is not required (only documentation of your security
implementations is), I believe a plan is a basic element that will
help your organization implement the Security standards. Your
organization should document and retain its risk management plan or
its security implementation documents.
3) Sanction Policy (Required)
Implementation specification: Apply appropriate
sanctions against workforce members who fail to comply with the
security policies and procedures of the covered entity.
What it means to your organization: Your organization
will need to create a sanction policy for the Security standards.
These sanctions can be combined with the Privacy Rule sanctions. As
with the Privacy Rule, the type and severity of the sanctions
imposed, and the causes for which they are imposed, are determined
by your organization. Again, it is mandatory that this policy be
documented and retained for six years, and it should be periodically
reassessed and updated as needed.
4) Information System Activity Review (Required)
Implementation specification: Implement procedures to
regularly review records of information system activity, such as
audit logs, access reports, and security incident-tracking
reports.
What it means to your organization: Your organization
will need to document what electronic PHI activity records are
reviewed and how often, to ensure there have been no security
incidents that warrant attention. If you are a smaller organization
and you don’t currently have access to reports or audit logs, you
may want to ask your software vendor to provide these reports for
you. Your access reports should also take into consideration the
security measures implemented to limit a workforce member’s access
to electronic PHI, so that access outside those limits stands out.
The procedures developed for this implementation need to be
documented and retained for six years, and they should be
periodically reassessed and updated as needed.
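As an added illustration of what a documented, repeatable activity review can look like in practice (this is example code written for this article, not a Provaliant tool or any vendor's report), the script below runs over constructed ePHI access log lines, compares each access against the role-based access limits the organization has documented, and produces a short list of findings for the reviewer. The roles, systems, log format and business hours are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime

# Hypothetical role-based limits on which systems hold ePHI a workforce
# member may access; a real organization would take these from its own
# documented access controls.
ALLOWED_SYSTEMS = {
    "clinician": {"ehr", "billing"},
    "billing": {"billing"},
    "front_desk": {"scheduling"},
}
WORKFORCE_ROLES = {"asmith": "clinician", "bjones": "billing", "clee": "front_desk"}

# Constructed audit log lines: timestamp, user, system, action, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:05 asmith ehr VIEW P-1001
2024-03-04T09:15:44 bjones billing VIEW P-1001
2024-03-04T22:47:10 clee ehr VIEW P-1002
2024-03-04T10:02:31 unknown ehr VIEW P-1003
2024-03-05T03:10:00 asmith ehr VIEW P-1004
"""

def parse_line(line):
    ts, user, system, action, record = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "system": system, "action": action, "record": record}

def review_activity(log_text, business_hours=(7, 19)):
    """Return (findings, per-user access counts) for the reviewer to document.

    A finding is (user, record id, reason). Every line is counted so the
    review record also shows who touched ePHI and how much.
    """
    findings, per_user = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        per_user[e["user"]] += 1
        role = WORKFORCE_ROLES.get(e["user"])
        if role is None:
            findings.append((e["user"], e["record"], "unknown workforce member"))
            continue
        if e["system"] not in ALLOWED_SYSTEMS[role]:
            findings.append((e["user"], e["record"],
                             f"{role} accessed {e['system']} outside assigned scope"))
        if not business_hours[0] <= e["time"].hour < business_hours[1]:
            findings.append((e["user"], e["record"], "access outside business hours"))
    return findings, per_user

if __name__ == "__main__":
    for user, record, reason in review_activity(SAMPLE_LOG)[0]:
        print(f"{user} {record}: {reason}")
```

Saving the printed findings, the date of the review, and the reviewer's name each time the script is run gives the documented, periodic review record the standard asks for.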
The article is informational only and does not constitute the
rendering of legal, financial, or other professional advice or
recommendations by Provaliant or individual members. If you require
legal advice, you should consult with an attorney.
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.