The Office for Civil Rights (OCR) on Friday issued its first in a series of HITECH-required guidance documents to educate covered entities and business associates (BA) on the best methods to secure electronic protected health information (ePHI).
The first guidance document focuses on risk analysis, a HIPAA Security Rule-required measure for covered entities and now BAs.
"The guidance is an effective primer in that it summarizes basic information about the required risk analysis within the security rule that has existed since the early days of HIPAA," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ. "Key aspects highlighted within the guidance is that the guidance is not a one-size-fits-all blueprint. This is critical to keep in mind because of the diversity of information systems and data handling processes that touch ePHI within the spectrum of organizations where the requirement of a risk analysis applies."
OCR calls risk analysis the "first step" to identify and implement safeguards that comply with and carry out the standards and implementation specifications in the security rule.
"Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect [ePHI]," according to the guidance document.
Here are some of key checklist items of the risk analysis in the security rule, according to OCR in its guidance document:
Scope of the analysis. Includes the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all e-PHI that an organization creates, receives, maintains, or transmits; hard drives, floppy disks, CDs, DVDs, smart cards, or other storage devices, personal digital assistants, transmission media, or portable electronic media.
Data collection. Where is your e-PHI is stored, received, maintained, or transmitted? Review past and/or existing projects; perform interviews; review documentation, etc.
Document potential threats and vulnerabilities. Identify and document reasonably anticipated threats to e-PHI. Identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.
Assess current security measures. Assess and document the security measures you use to safeguard e-PHI, whether security measures required by the security rule are already in place, and if current security measures are configured and used properly.
Determine the likelihood of threat occurrence. Take into account the probability of potential risks to e-PHI. The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are "reasonably anticipated."
Ruelas says for the most part, if organizations have been diligent complying with the risk analysis in the security rule, there is really "nothing new."
However, Ruelas hopes entities pay particular attention to OCR's message to document your risk analysis and its words on how often a periodic review of the risk assessment should occur.
OCR says the risk analysis process should be ongoing. For an entity to update and document its security measures "as needed," which the security rule requires, it should conduct continuous risk analysis to identify when updates are needed.
Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment.
"In the end, I see this initial guidance as setting a foundation of basic topics regarding the risk analysis process that future guidance documents will expand," Ruelas says. "By reiterating what was already established during the early days of the security rule and bringing it to the forefront, this guidance has helped dust off and put front and center information that was to be applied more than five years ago."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.