How to Establish an Ongoing Security Program and Meet Meaningful Use Requirements for Security Risk Analysis
An SRA brief for Health Centers
In order to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), you need to maintain an ongoing security program. The HIPAA Security Rule mandates security standards to safeguard electronic protected health information (ePHI) maintained by electronic health record (EHR) technology, with detailed attention to how ePHI is stored, accessed, transmitted, and audited. This rule is different from the HIPAA Privacy Rule, which requires safeguards to protect the privacy of protected health information (PHI) and sets limits and conditions on the use and disclosure of PHI.
Meaningful use supports the HIPAA Security Rule. In order to successfully attest in Stage 1, you must conduct a security risk analysis (SRA), implement updates as needed, and correct identified security deficiencies. Stage 2 will include the need to adequately encrypt data. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them. Common security risks in a medical practice include:
- Inadequate protection of workstations (due to sharing of passwords, or the use of out-of-date antivirus software)
- Inadequate protection of data on mobile devices or portable media (such as CDs and USB drives)
- Lack of documented policies and procedures for backing up and recovering data
An ongoing security program addresses administrative, physical, and technical safeguards. A well-implemented program protects the practice from expensive data breaches, and it indirectly protects the reputation of the medical practice.
Actions to Take to Establish a Security Program
The elements of a security program must be understood and applied specifically to the needs of your practice. As described in more detail in later sections of this document, recommended actions include:
- Provide staff training in privacy and security
- Establish policies and procedures for the security program
- Conduct the SRA to identify risks and threats
- Implement risk mitigation strategies to ensure appropriate precautions are in place
- Ensure continuous monitoring of all critical functions
1. Provide Staff Training
Staff training is needed to raise awareness about the necessity of maintaining an ongoing security program. The basic training would include information about topics such as:
- HIPAA Security Rule
- Differences between privacy and security
- Types of ePHI
- Negative effects of security breaches
- Potential security risks in a medical practice
- Components of an SRA
After the SRA is done, training can focus on mitigating risks specific to the practice, either for groups or individual staff members. Training could include topics such as password management, and when and how to encrypt data.
2. Establish Policies and Procedures
Your practice can create a central security policy document and familiarize all employees and contractors with its contents. Policy requirements and restrictions in this document apply to network infrastructures, databases, external media, encryption, hardcopy reports, films, slides, wireless devices, telecommunication, conversations, and any other methods used to convey information across all hardware, software, and data transmission mechanisms. The plan also should include plans for data backup, disaster recovery, and how to authenticate requests for information.
Information security also includes policies for personnel, which can be added to your personnel policies manual. These would define actions and prohibitions that all users must follow, including guidelines for the acceptable use of technology equipment, e-mail, and Internet connections.
Federal regional extension centers (RECs) have policy document examples and templates. The REC that serves your area can help you to develop a detailed security policy that suits your practice’s needs.
3. Conduct Security Risk Analysis
The SRA is a process for reviewing infrastructure and safeguards related to the HIPAA Security Rule. This task may seem daunting, but REC training and SRA tools and checklists are available that can step you through the requirements.
As part of the SRA, you will need to inventory the locations of all servers, computers, storage, and mobile devices, as well as the ePHI data that are stored on each. Collect information about maintenance and service agreements that can be used in the event of theft or destruction of these devices.
4. Implement Mitigation Strategies
A well-done security risk assessment will identify security vulnerabilities. These vulnerabilities must be addressed before the SRA can be considered complete. Practices must document the process and steps taken to mitigate risks in three main areas: administration, physical environment, and technical hardware and software. Safeguards include instituting security reminders, protection from malicious software, encryption procedures, and password management.
After building a program to mitigate risks, the practice should develop an ongoing security awareness program to keep security embedded in the practice's culture. Staff also should get security training when environmental or operational changes affect the security of ePHI. Many medical practices do not have the resources to develop a security awareness training program. RECs can provide tools and training tailored to the risks identified, including scenario-based training in which staff consider how to respond to actual situations.
5. Ensure Continuous Monitoring
A key to a strong security program is regular review of system audit logs to assess whether there have been any instances of unauthorized access or access attempts aimed at patient records. You should ensure that audit controls and the audit trail are activated in your EHR system. You will also want to conduct regular reviews of backup and disaster recovery plans, antivirus and malware protection, and password requirements.
You should set a regular schedule for updating the SRA, such as annually or bi-annually. The process also should be initiated on an as-needed basis—such as after a security incident, turnover in key staff, or the addition of new technology—to ensure that ePHI is appropriately protected.