HIPAA Security Evaluation: Checking Your Compliance Vital Signs

Checking Your Compliance Vital Signs
In health care, we think of “Vital Signs” as the measurements of body temperature, pulse, respiration rate, and blood pressure. Vital signs provide information about your general health. They offer clues to medical conditions. When you are sick, they are used to help check your return to good health.

In a similar way, HIPAA has “Vital Signs”, although not body temperature, pulse, respiration rate, or blood pressure. The Security Rule’s Evaluation Standard, §164.308(a)(8), requires a periodic technical and nontechnical evaluation of a healthcare organization’s security safeguards to demonstrate and document compliance with its security policy and with the Security Rule requirements. In the case of your HIPAA program, the required periodic evaluation provides information about your organization’s compliance health. The evaluation offers clues to the condition of your security safeguards. If safeguards are found lacking, the evaluation is used to help check the return to good compliance health. Let’s examine the specific rule:

Evaluation 164.308(a)(8)
HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

Required Standard
The Evaluation Standard, §164.308(a)(8), requires a periodic technical and nontechnical evaluation of the healthcare organization’s security safeguards to demonstrate and document compliance with its security policy and the Security Rule requirements. It is a required standard with no separate implementation specifications: the standard itself must be met, because §164.306(d) requires covered entities to comply with every standard in §§164.308 through 164.316. (Where an implementation specification is marked “Required”, the covered entity must implement it as written; where it is marked “Addressable”, the entity must implement it or document why it is not reasonable and appropriate and implement an equivalent alternative measure if one is.) Note that the evaluation must be both technical and nontechnical: a technical review of the safeguards actually deployed to protect EPHI, and a nontechnical review of the policies, procedures, and documentation that govern them.

Some Thoughts on Conducting an Evaluation

  1. Decide whether the evaluation will be conducted with internal staff resources or external consultants.
  2. Engage external expertise to assist the internal evaluation team where additional skills and expertise are determined to be reasonable and appropriate.
  3. Use internal resources to supplement an external source of help, because these internal resources can provide the best institutional knowledge and history of internal policies and practices.

Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule

  1. Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist.
  2. Implement tools that help document and report on the level of compliance, integration, or maturity of a particular security safeguard deployed to protect EPHI.
  3. If available, engage specific staff or managers whose responsibilities include security (for example, the billing manager or the person who administers user accounts).
  4. Leverage any existing reports or documentation that may already be prepared by the organization addressing compliance, integration, or maturity of a particular security safeguard deployed to protect EPHI.

Conduct Evaluation

  1. Determine, in advance, what departments and/or staff will participate in the evaluation.
  2. Secure management support for the evaluation process; visible sponsorship ensures that departments actually participate.
  3. Collect and document all needed information.
  4. Collection methods may include interviews, surveys, third-party examinations, and the outputs of automated tools, such as access control auditing tools, system logs, and the results of penetration testing.
  5. Conduct penetration testing (where trusted insiders, or an engaged third party, attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate. Define the scope and obtain written authorization before testing begins, and retain the test report as part of the evaluation record.

Document Results

Reasonable and appropriate documentation practices will often include:

  1. Analyze the evaluation results.
  2. Identify security weaknesses.
  3. Document in writing every finding and decision.
  4. Develop security program priorities and establish targets for continuous improvement.

Repeat Evaluations Periodically

  1. Establish the frequency of evaluations, taking into account the sensitivity of the EPHI controlled by the organization, its size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements).
  2. In addition to periodic re-evaluations, consider repeating evaluations when environmental and operational changes are made to the organization that affect the security of EPHI (e.g., if new technology is adopted or if there are newly recognized risks to the security of the information).

Conducting your periodic security evaluation (annually, for many organizations) and documenting its results is an excellent way to ensure you have complied with Evaluation Standard 164.308(a)(8) of HIPAA and have recorded your organization’s HIPAA vital signs.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

Why Outsourcing is Healthcare’s Newest Compliance Tool

I recently had the chance to meet with a healthcare organization to discuss the issues facing midsize medical groups. As you might guess, HIPAA compliance made the top ten list.

Here’s what I learned. First, there is general acknowledgement that it takes time to keep current with HIPAA compliance tasks. Second, most administrators (particularly in organizations smaller than a hospital) have had the duties of “Compliance Officer” added to their already full plate of tasks. Finally, these compliance officers believe that they have neither the time nor the skill sets to meet the objectives of strong privacy and security management.

You can probably see a good news/bad news story developing here! You’re right. Let’s start with the bad news first. HIPAA is not going away; in fact, most predict it will follow the path of other regulations (OSHA, for example) toward steadily stronger enforcement. Already we are seeing that strengthening. Read more about the Providence Health & Services loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006: http://www.bizjournals.com/portland/stories/2008/07/21/daily9.html

In addition, a Senate bill (called HIPSA) has been introduced to significantly enhance the enforcement of HIPAA; read more at: http://www.bizjournals.com/memphis/stories/2007/10/22/focus4.html?b=1193025600%5E1537387

So what about the good news? Thanks to technology, coupled with experienced compliance specialists, outsourcing the compliance officer role may be your newest compliance tool. Here’s how it works: to adequately manage HIPAA compliance, consultants like this author use a comprehensive Web-based program to create, manage and monitor the outsourced client’s compliance program. It allows the consultant to track all staff, manage policies, procedures and forms, monitor training, and conduct a limited number of on-site visits to perform a periodic gap assessment and report on the client’s compliance status.

The result: you have a professional compliance officer managing your HIPAA compliance program, which reduces administrative costs, frees the administrator to focus on core business activities, and improves compliance.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

HIPAA Security Training: A Flexible Approach

Whether your organization is an insurance company, hospital, clinic, dental group, elder-care facility or anything in between, security awareness and training is required of all members of its workforce (including management).

So how should healthcare organizations plan to meet the Security Awareness and Training standard? As a first step, I often caution clients to review the specific standard together with the references made as part of it. For example, §164.308(a)(5), the Security Awareness and Training standard, must be read in conjunction with §164.306, Security Standards: General Rules, since the General Rules explain the general intent of the standards and give guidance for implementing them. Take a look at the General Rules and see, for example, the guidance on a “Flexible Approach”:

§ 164.306 Security Standards: General Rules

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach. (Emphasis added)
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.

As you can see, the General Rules help answer the question, “We are a clinic and cannot afford a large-scale training program like a hospital’s; what can we do?” By reading §164.306, Security Standards: General Rules, healthcare organizations of any size will realize that the “flexibility” built into the regulations is designed to accommodate healthcare operations of any size: the training program must exist and cover the whole workforce, but its scale and delivery method may be chosen to fit the entity’s size, capabilities, costs, and risks.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us