
The HIPAA Security Rule and Risk Management

The Health Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., due in no small part to the complicated and open-ended nature of the law. 

What should companies do? In practice, covered organizations are turning to risk-based assessments to support their security approaches. 

Here, we will discuss how risk plays a role in the HIPAA Security Rule. 

What Is the HIPAA Security Rule?

HIPAA regulations are built around specific “rules,” each of which provides some sort of language, guidance or requirements for how Covered Entities (C.E.s) and Business Associates (B.A.s) protect patient data. Under HIPAA, these parties include hospitals, doctor’s offices, healthcare clearinghouses, insurance companies and any associated service provider managing patient information on their behalf. 

The second major rule within HIPAA, and perhaps the one most focused on protecting patient information, is the Security Rule. More specifically, the Security Rule protects electronic Protected Health Information (ePHI) created, processed, transmitted or stored by C.E.s and B.A.s in healthcare. 

Under the Security Rule, these organizations must take specific steps to protect patient information, including:

It’s important to note that the Security Rule does not explicitly dictate any security technologies or practices that an organization should enact. Instead, it directs the organizations to consider:

The reasoning provided by the regulations is that C.E.s and B.A.s are diverse in complexity and in their ability to marshal resources. Following this, the logic is that these organizations are best positioned to determine their own security needs. 

A secondary reason is that threats and vulnerabilities evolve so fast that specifying concrete security technologies or encryption algorithms would leave the regulation perpetually one step behind attackers in the outside world.

How Does the Security Rule Define Risk Management?

With the loose and self-assessed aspects of the Security Rule front and center, it makes sense that it also discusses risk management. 

In its broadest sense, the discipline of risk management allows organizations to recognize critical security gaps in their practices and infrastructure and to understand how those gaps render the organization vulnerable to attack. Additionally, risk management provides a framework for IT and business decision-makers in your organization to measure those vulnerability risks against compliance, operational and financial goals. 

Perhaps most importantly, risk management is a key step in gaining comprehensive knowledge of your IT systems and how to align them with the goals stated above. 

Under the “Administrative Safeguards” provision of HIPAA and the Security Rule, C.E.s and B.A.s must perform a risk analysis that includes the following aspects:

Much like the security requirements stated (or left unstated), the risk management requirements are vague and open-ended. However, the associated guidance document, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” also known as NIST Special Publication 800-66, offers some insight into this level of risk assessment. 

Long story short, NIST 800-66 refers organizations to the NIST Risk Management Framework (RMF) as a model for a risk-based approach to security. While the entirety of the RMF is beyond the scope of this article, it suffices to say that the RMF documentation recommends several steps, under which more specific practices emerge. 

These steps include:

Foregrounding Risk with HIPAA Compliance

Working with HIPAA regulations is not just a matter of picking the right security controls and ticking off a checklist. Improperly implemented controls can lead to the unauthorized disclosure of ePHI, and the resulting fines and lawsuits can far exceed the cost of treating compliance as a cost of doing business. 

One of the best ways to move forward with HIPAA compliance, or with cybersecurity generally, is to treat risk and governance as critical parts of your business. The first step is to work with a provider that foregrounds those concerns. 

Continuum GRC provides a cloud-based, automated visualization tool to help you align governance, risk and compliance into a single stream of control. 

To learn more about GRC and HIPAA, contact us today. 

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.