Getting Started with the HIPAA Security Rule

Author: Phil Cooper

Download this article as a PDF

So… you’re looking at the HIPAA Security Rule and thinking, “This has been around since 2005!?”. Yep, it sure has. It just hasn’t been enforced until recently (you can thank ARRA & HITECH for that). But don’t fret, you can do this. You should do this… in fact, it’s actually pretty good stuff.

If you previously thought the HIPAA Security Rule was just making sure you have network passwords, anti-virus, a decent data backup and doing something called a “risk analysis”, but are now coming to realize that it’s a pretty significant component of HIPAA, then welcome aboard friend. It doesn’t get better until you grab the bull by the horns.

Where to Start

Everybody wants a checklist, but compliance is a process. Still, you need a starting point and the following will help do just that:

  1. Read the Security Rule! More than once and get familiar with the language.
  2. Read the Security Series from CMS (Centers for Medicare and Medicaid services). This will really help you understand the meaning and intent behind each standard and implementation specification.
  3. Establish your “HIPAA Security Rule Compliance Team”, including your IT support (even if they are a vendor).
  4. Start with the first standard - Security Management Process [164.308(a)(1)] (Page 737). It’s a big one, including the Risk Analysis, but HHS (Health and Human Services) has said that this one lays the foundation for your security.
  5. Begin writing policies for each standard and implementation specification. You may have more than one policy and/or procedure for some of the citations.
  6. Educate and hold your workforce accountable.

Read the HIPAA Security Rule

It may seem rudimentary, but many people who are responsible for complying with the Security Rule haven’t even read it. Now, really, how can you comply with something when you don’t even know what’s in it? It’s not terribly long, so it won’t take you days to get through it. You will, however, likely need to read it several times. Here’s a link to the text of the security rule - HIPAA Security Rule Text. You’ll find the text related to the Security Rule standards and implementation specifications on pages 732-743.

[You should also read pages 696-718 which cover things like investigations, compliance reviews, complaints, civil money penalties, procedures for hearings, etc. This latter part is mind numbing government-speak, but it’s stuff you need to know.]

A great resource is the Security Series which was published by the Center for Medicare and Medicaid Services several years ago. There are seven main papers in the series and there are two additional appendices that cover the topics of Risk Analysis and Remote Use in more detail. Here’s a link to where you can find these on the HHS website - Security Series.

Establish a HIPAA Team

Don’t tackle this alone. Pick 2-3 additional people from your staff and build your internal HIPAA Compliance Team. If you haven’t already done so, designate (in writing) one person as the HIPAA Security Official. Think this one through. This will be the person who will have the official responsibility of making sure your organization is complying with the Security Rule. Empower them with the authority to make it a reality, not just a meaningless paper title.

Risk Analysis

Assuming you’re not even out of the gate, do a risk analysis. Ok, easier said than done, right? So what is a risk analysis and how do you do one? According to HHS, a good place to start is to read NIST Publication 800-30. You’ll find a wealth of good info here, but remember, even though HHS recommends this document as a resource, it is not a requirement to follow it. It’s just a good resource to get you pointed in the right direction.

In a nutshell, in a risk analysis (or a series of them) you are identifying all of your electronic Protected Health Information (ePHI), what vulnerabilities there are, what threats exist, what is the likelihood that a particular threat will exploit a particular vulnerability (the risk), and what the impact would likely be if it happened. It can be a long list. Then you take that list and rank the risks by impact. Next, you find and note possible solutions to reduce or eliminate the risks that are most probable and/or impacting. You may (and probably should) have multiple solutions for each, ranging in cost and complexity.

Risk Management

Now it’s time to take the results of your risk analysis and actually decide what solutions you will implement and when. Some items could be low hanging fruit and only entail making some minor adjustments to existing systems or business processes. Other solutions may be significant projects that may take weeks or even months to complete. That’s okay. It’s all part of the process. Just be sure to document what you’re doing and why. If you end up making changes along the way, document those changes and your reasoning.

Continue this process until you have exhausted all of the risks you identified as needing a solution. Then, rethink it all again. Did you miss something in the scope of the first risk analysis? Has something about your business changed since the first risk analysis was completed? You may need to go back and perform several smaller, more focused risk analyses. You will also want to do single purpose risk analyses when something changes like changing line of business applications, adding/retiring servers, adding WiFi to your office, or relocating to a new building or adding an additional location, etc. You will want to analyze your risk as early as possible in these situations as it may be easier (and cheaper) to address issues before the changes take place rather than afterwards.

Policies & Procedures

Part of compliance with the Security Rule is writing (and following) policies and procedures for each of the 22 standards and 41 implementation specifications. These are not supposed to be empty platitudes, the result of a half-hearted exercise, that are printed, placed in a three-ring binder and placed on a shelf to collect dust. Nor should they be copies of templates or sample policies you found or bought.

Your policies and procedures should be just that - YOURS. They should seriously define what is important in your organization and how things are to be done. You can start with a template or sample, but you must make it your own by thinking through each topic and how it relates to your operational environment.

Sanction Policy

Once you have your policies, everyone in your organization that touches electronic Protected Health Information (ePHI) in any way should read them, understand them and have ready access to them anytime they are needed. They can’t do that if they are locked up in your office on a bookshelf. If you’re managing your policies and procedures correctly, there will be revisions made from time to time as things change. You should consider how you will ensure your entire staff has the most current versions.

Logic implies that if you have bothered to create the appropriate and required policies and procedures to comply with the Security Rule, then it follows that you need to ensure that your people follow them. But HIPAA didn’t leave that to chance. HIPAA requires that you have a sanction policy to address non-compliant actions and behavior by your staff.

You will need to spell out what will happen if it is discovered that they are not following your policies and/or procedures. You should consider an escalating process of increasing consequences, including termination of employment. The sanction policy should allow for minor unintentional oversights or misunderstandings, while still addressing blatant disregard of company policies. Consequences should take into consideration if the offense resulted in no impact on ePHI, could have resulted in a negative impact on ePHI, and up to the worst case scenario involving breach or loss of ePHI.

Like any good compliance element, you must document any sanctions and actions related to the enforcement of your sanction policy. Consider how will you manage that documentation so that you can demonstrate your compliance if ever asked to do so.

Even if it were not required, you must have an “or else” element to your internal policies, but even better would be to build a culture of awareness and professionalism that includes a healthy perspective and respect for the protection of your ePHI.

Summary

We said to consider establishing a HIPAA compliance team. You can probably see why now. This document has only focused on the first of 22 standards in the Security Rule. It doesn’t need to be overwhelming for you. Just get started and do what you can when you can.

You can do this! Measure your progress as you go. Being able to look up from time to time and see how far you’ve come will give you the strength and energy to push on.

A lot of what I talked about in this article Jeff Franks and I discussed in this video:

Conversation