Compliance requirement: Policies AND Continued Risk Assessment, Intro to HHS Risk Assessment Tool
April 29, 2014
I've ordered HIPAA forms from your firm. Does that mean I'm in compliance with HIPAA?
Please let me know.
Dr. P, thank you for the question. The answer is yes, and no. If you've ordered our HIPAA compliance documents (assuming you have our all-in-one), then you are in compliance with the requirement that you keep written policies and procedures in place to conform to the HIPAA Rules, including the Security Rule governing electronic protected health information ("ePHI") [45 C.F.R. 164.306]. The "no" part of my answer is because having the forms on file is not enough to be HIPAA compliant; HIPAA compliance requires that your practice actually follow the guidelines, safeguards and training set out in your written policies and procedures.
One such requirement under HIPAA is for practices to conduct a risk analysis and regularly review the administrative, physical and technical safeguards they have in place to protect the security of ePHI [45 C.F.R. 164.308(a)(1)(ii)(A)] (as required by your Security Policy). On March 28, 2014 the Department of Health and Human Services ("HHS") announced the release of a security risk assessment tool to help providers with HIPAA compliance. HHS makes it very clear in its disclaimer that use of the tool is NOT required and that using it does NOT guarantee compliance. However, for practices interested, the risk assessment tool offers assessment for:
- Administrative Safeguards
- Technical Safeguards
- Physical Safeguards
The risk assessment tool is intended to assist "health care providers in uncovering potential weaknesses in their security policies, processes and systems... [and] address vulnerabilities, potentially preventing health data breaches or other adverse security events."
An example of how the risk assessment tool works follows. The tool identifies a potential area of exposure and a standard - for instance, in the Physical Safeguards -
Standard: Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?
If the answer to the Standard is no, a series of short questions follows, including why you do not have an inventory - is it cost related, practice size, complexity, or is an alternate solution available? Does the "no" answer, in your assessment, present a risk to PHI security? If so, how much risk? Once a risk is identified in the risk assessment, the tool provides advice on how to address it - in this instance, the following:
Things to Consider to Help Answer the Question:
Identify the areas where your practice has information systems and equipment that create, transmit, or store ePHI. Include all buildings and rooms within it that have data centers, areas where equipment is stored, IT administrative offices, workstation locations, and other sites.
Information systems normally include hardware, software, information, data, applications, and communications.
Possible Threats and Vulnerabilities:
If your practice does not have an inventory, you may not be able to identify all of the workstations, portable devices, or medical devices that collect, use, or store ePHI.
Some potential impacts include:
Examples of Safeguards:
Some potential safeguards to use against possible threats/vulnerabilities. NOTE: The safeguards you may choose will depend on the degree of risk (likelihood) and the potential harm that the threat/vulnerability poses to you and the individuals who are the subjects of the ePHI.
Have policies and procedures that are designed to control physical access to information systems that have ePHI, including facilities and rooms within them where your information systems are located. [45 CFR §164.310(a)(1)]
Identify all facility locations that your practice owns, rents, or occupies, where ePHI is collected, created, processed, or stored so that your practice can:
Establish physical access control procedures to:
Establish physical access authorization procedures to:
Establish policy and procedures to control access to ePHI data by output devices such as printers, fax machines, and copiers in order to prevent unauthorized individuals from obtaining the output.
[NIST SP 800-53 PE-5]
And once complete, the tool moves on to the next topic. As you may have already guessed reading through the recommended steps for the inventory Standard example above, much of the advice in the risk assessment tool is repetitive and refers back to your written procedures. However, use of the tool may prove beneficial, especially for tech-reliant and mid- to larger-size practices. In using it, you may find it beneficial to engage your attorney or an outside expert to assist with your risk assessment and thereafter with customizing your policies and procedures.
For assistance with risk assessment or policies and procedures, feel free to contact Jennifer by email or at 516 747 6700 x. 302. We are happy to work with you, and we do charge a flat rate for the analysis and remediation plans (price varies depending on practice size and location).
Brought to you by: Jennifer Kirschenbaum, Esq., Kirschenbaum & Kirschenbaum, P.C.
Contact Jennifer at Jennifer@Kirschenbaumesq.com or at (516) 747-6700 x. 302.