HIPAA/HITECH Security Risk Analysis Myths and Facts
As we continue to work with more health care providers, covered entities, and business associates, we see confusion about HIPAA/HITECH compliance requirements. Some providers are even in denial. They believe they are compliant simply because staff have taken short on-line "HIPAA" training courses. That falls well short of what is required, and many of these on-line training courses are not up to date with current HIPAA regulations, nor do they cover cyber-security, which is now a must-have.
The US Department of Health and Human Services published the Guide to Privacy and Security of Health Information, which contains a table of Myths and Facts on page 11. It's worth a read for any health care provider. There are several good pieces of information, but there are three you should make note of and consider.
- Performing a Security Risk Analysis (SRA) is MANDATORY: every health care provider with ePHI must perform an SRA. It is often referred to as a Risk Assessment, but the security part MUST be performed.
- You may NOT use a simple checklist to perform your Security Risk Analysis (Risk Assessment).
  - The NIST Standard Risk Assessment has over 560 questions.
  - Third Rock has reduced this down to a manageable number of 110 questions, and can still provide you a complete risk assessment and scoring basis.
- If you want your SRA to withstand an audit by the ONC, you need a professional third party to perform the SRA for you.
  - Third parties bring credibility to the process.
What the Myths and Facts table does not make clear is the full set of requirements in the HIPAA/HITECH law that a provider must complete to be compliant. Third Rock created its comprehensive solution to address all of these requirements. Here is a simple list of them.
- Complete Risk Assessment
  - NIST-compliant questionnaire (550+ questions) tailored to your practice (90 questions) to save time.
  - Includes the mandatory Security Risk Analysis.
  - Complete Risk Assessment score, report and remediation list.
  - Should be performed by a professional third party.
- Complete network discovery and network scan for compliance issues
  - HIPAA requires ALL devices to be inventoried.
  - Detailed remediation list created for all non-compliant devices.
- Policies and Procedures
  - Documents for each PHI-related policy, with CFR references and step-by-step procedures for operations to implement the policy.
- Change Management
  - Registers to log all changes in operations, security and devices.
- Contingency plan
  - You need a plan to keep your business operating during and after disruptive events (emergencies, disasters, etc.).
- Email encryption with recipient verification
  - Encryption alone does NOT solve the problem: you must know that the correct person received the message.
  - Make sure the solution uses the DIRECT protocol.
- Continuous Network Vulnerability and Compliance monitoring
  - You need to prevent breaches and know when they occur.
  - Third-party monitoring keeps your IT department honest.
- HIPAA training: New employees, Refresher, Security Officer
  - Specific job-responsibility training is required.
  - Training must include implementation and enforcement of the policies and procedures.
To learn more about Third Rock's Worry Free Compliance, please visit our web site.