Getting Started With The HIPAA Security Rule

Believe it or not, there are still covered entities and business associates who have not even started a serious HIPAA Security Rule compliance program within their organization. If you're one of them, it's past time to get started. Here are some practical steps to get you out of the gate and moving forward.

If you previously thought the HIPAA Security Rule was just making sure you have network passwords, antivirus, a decent data backup and doing something called a "risk analysis", but are now coming to realize (with a bit of a sinking feeling) that it's a significant component of HIPAA, then welcome aboard, friend.  It doesn't get better until you grab the bull by the horns.  So grab a pair of gloves, cowboy, and let's get started!

Read the HIPAA Security Rule

It may seem rudimentary, but many people who are responsible for complying with the Security Rule haven't even read it!  Now, really, how can you comply with something when you don't even know what's in it? (There's a Nancy Pelosi joke in there somewhere, but I digress.) It's not terribly long, so it won't take you days to get through it. You will, however, likely need to read it several times.  Here's a link to the text of the security rule - HIPAA Security Rule Text.  You'll find the text related to the Security Rule standards and implementation specifications on pages 732-743.

[You should also read pages 696-718 which cover things like investigations, compliance reviews, complaints, civil money penalties, procedures for hearings, etc.  This latter part is mind numbing government-speak, but it's stuff you need to know.]

A great resource is the Security Series which was published by the Center for Medicare and Medicaid Services several years ago.  There are seven main papers in the series and there are two additional appendices that cover the topics of Risk Analysis and Remote Use in more detail.  Here's a link to where you can find these on the HHS website - Security Series. You can also find this and more on our Resources page.

Establish a HIPAA Team

Don't tackle this alone.  Pick 2-3 additional people from your staff and build your internal HIPAA Compliance Team.  If you haven't already done so, designate (in writing) one person as the HIPAA Security Official.  Think this one through.  This will be the person who will have the official responsibility of making sure your organization is complying with the Security Rule.  Empower them with the authority to make it a reality, not just a meaningless paper title.

Bring this team up to speed on where you stand (the best you can tell) and what your goals are and what your projected challenges are.  Be straight up about how serious this is and what the priority will be.

Risk Analysis

Assuming you're not even out of the gate, do a risk analysis.  Ok, easier said than done, right?  So what is a risk analysis and how do you do one?  According to HHS, a good place to start is to read NIST Publication 800-30.  You'll find a wealth of good info in here, but remember, even though HHS recommends this document as a resource, it is not a requirement to follow it verbatim.  It's just a good resource to get you pointed in the right direction. That said, they recommended it for a reason.

In a nutshell, a risk analysis is the process of identifying (1) all of your ePHI, (2) what weaknesses (vulnerabilities) there are, (3) what threats exist, (4) the likelihood that a particular threat will exploit a particular vulnerability (a risk), and (5) what the impact would likely be if it happened.  It can be a long list.  Then you take that list and rank the risks by likelihood and impact.  Next, you will find and note possible solutions to reduce or eliminate the risks that are most probable and/or most impactful.  You may (and probably should) have multiple solutions for each, ranging in cost and complexity.

Bear in mind as you are analyzing the risks that threaten the security of your ePHI that security has three distinct components - confidentiality, availability and integrity. Many people tend to focus only on confidentiality and forget to think about what could prevent the ePHI from being available to the people who actually need access to it, or what could damage the integrity of the data, leaving it inaccurate, unreliable or destroyed. All three areas of security should be addressed in your risk analysis.
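As an added illustration (not part of the original article), here is a small Python risk register that carries the five steps above through to a ranked list, flags high risks with no candidate solution noted, and checks that confidentiality, integrity and availability were each considered. The asset names, the 1-5 scoring scales and the solutions are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    """One row of the risk analysis: an ePHI asset, a weakness, a threat, and the ratings."""
    ephi_asset: str            # where the ePHI lives (step 1)
    vulnerability: str         # the weakness (step 2)
    threat: str                # what could exploit it (step 3)
    component: str             # "confidentiality", "integrity" or "availability"
    likelihood: int            # 1 (rare) .. 5 (almost certain)  (step 4)
    impact: int                # 1 (negligible) .. 5 (severe)    (step 5)
    solutions: list[str] = field(default_factory=list)   # candidate fixes, cheap to costly

    def score(self) -> int:
        # Likelihood x impact is a common qualitative ranking; the 1-5 scale is an assumption.
        return self.likelihood * self.impact

COMPONENTS = {"confidentiality", "integrity", "availability"}

def rank_risks(register):
    """Highest score first; ties broken by impact so severe-but-unlikely risks are not buried."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)

def missing_components(register):
    """Security components with no risk recorded at all, a sign the analysis scope is too narrow."""
    return COMPONENTS - {r.component for r in register}

def risks_without_solutions(register, threshold=10):
    """Risks at or above the threshold that still have no solution noted for risk management."""
    return [r for r in register if r.score() >= threshold and not r.solutions]

# Constructed sample register for a small practice; not real findings.
SAMPLE_REGISTER = [
    Risk("Practice management server", "No tested backups", "Ransomware or disk failure",
         "availability", 3, 5, ["Nightly offsite backup with quarterly restore test"]),
    Risk("Laptops holding patient exports", "Unencrypted disks", "Lost or stolen laptop",
         "confidentiality", 4, 4),
    Risk("Billing database", "Shared login used by all staff", "Unauthorized record changes",
         "integrity", 3, 3, ["Individual accounts", "Audit logging"]),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.score():>2}  {r.component:<15} {r.ephi_asset}: {r.threat}")
    print("Components not yet analyzed:", missing_components(SAMPLE_REGISTER) or "none")
    print("High risks with no solution noted:",
          [r.ephi_asset for r in risks_without_solutions(SAMPLE_REGISTER)])
```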

Risk Management

Now it's time to take the results of your risk analysis and actually decide what solutions you will implement and when.  Some items could be low hanging fruit and only entail making some minor adjustments to existing systems or business processes.  Other solutions may be significant projects that may take weeks or even months to complete.  That's ok.  It's all part of the process.  Just be sure to document what you're doing and why!  If you end up making changes along the way, document those changes and your reasoning.

Continue this process until you have exhausted all of the risks you identified as needing a solution.  Then, rethink it all again.  Did you miss something in the scope of your risk analysis?  Has something about your business changed since your risk analysis was first completed?  You will need to revise and expand your risk analysis over time.  Changes in your environment will also trigger review, revision and expansion of your risk analysis, such as when changing line of business applications, adding/retiring servers, adding WiFi to your office, or relocating to a new building or adding an additional location, etc.  You will want to analyze your risks as early as possible in these situations as it will be easier (and cheaper!) to address issues before the changes take place rather than afterwards.

Policies and Procedures

Risk Analysis and Risk Management are just two implementation specifications under the first standard of the HIPAA Security Rule. There are 22 standards and 42 implementation specifications. That may sound like a lot, but you will find that you can comply with some of these with relative ease. Others will indeed take some effort, but it is most difficult when initially complying because you are building your compliance program. Maintaining compliance is much easier, but you must be diligent to not let things slide out of compliance.

Your Security Official and compliance team will need to address each of the 22 standards and related implementation specifications with written policies and/or procedures. Assigning your Security Official, properly, is actually one of the standards. Boom! Only 21 to go. Now that you have the right person in charge of your Security Rule compliance, it's just a matter of addressing each standard, and any related implementation specifications, with an appropriate policy and/or procedure that is real.

What I mean by real is that it must be your policy. You, and everyone in your organization, must buy in completely to your policies and procedures. If not, don't bother. It may arguably be better not to have policies and procedures than to have them and not follow them. Another caution is the temptation to use templates. While they can help you get started, be very careful not to allow the template to dictate the spirit of your policies. If you do, you probably won't follow them.

Be sure to track any revisions to your policies and ensure that your workforce has access to, and understands how to carry out, the policies and procedures that apply to their job roles.

Summary

The steps above are certainly not an exhaustive list, but will get you started down the right path. Your risk analysis will provide a tremendous amount of information and some of that will help you to make many of the decisions that will come as you begin to address each standard and implementation specification with policies and procedures. As you build your policies and procedures, you will most likely uncover areas where you will need to revise or expand your risk analysis.

As you go through the process, you will become more comfortable with the language and intent of the Security Rule and how it applies uniquely to your organization. Above all, be mindful to document your work, your decisions, and your actions in order to build what we call your history of compliance. When the day comes that you will need to demonstrate your compliance, you'll be glad you did.

Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.

Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company in 1995 which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.