HIPAA Administrative Safeguards

Assigned Security Responsibility – CFR § 164.308(a)(2)

The first thing that needs to be addressed in any application of the Administrative Safeguards is that someone needs to be put in charge. The person holding this responsibility must be named and all personnel must know who that person is.

Security Management Process – CFR § 164.308(a)(1)

The security management process of the HIPAA Security Rule requires that covered entities perform a full risk assessment of the facility and all the digital assets used by the practice. Risks include both technical risks to the infrastructure and the inherent risk to the practice information based on any existing practices and policies established to protect that information. HHS recommends NIST Special Publication 800-30 as the basis for guiding the risk assessment. - CFR § 164.308(a)(1)(ii)(A)

From the completed risk assessment, the practice needs to put together a set of policies, procedures, remediation, and controls that mitigate the risks defined in the risk assessment. - CFR § 164.308(a)(1)(ii)(B)

The covered entity must have policies that apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures. - CFR § 164.308(a)(1)(ii)(C)

The policies, procedures, and controls must be reviewed on a regular basis and should be reviewed and updated whenever the digital asset landscape changes within the practice. - CFR § 164.308(a)(1)(ii)(D)

Workforce Security – CFR § 164.308(a)(3)

Within a practice environment, staff members that need access to EPHI to carry out their duties must be specifically identified. For each workforce member, or job function, the practice security office (identified in CFR § 164.308(a)(2)) must identify the EPHI that is needed, when it is needed, and make reasonable efforts to control access to the EPHI.

This will also include identification of the computer systems and applications that provide access to the EPHI. Each staff member must be allowed only the minimum necessary access to EPHI that is required to do his or her job.

Information Access Management - CFR § 164.308(a)(4)

Restricting access to only those people with a need for access has been a basic tenet of security from long before there were computers or a HIPAA security rule to protect the information stored in them. By implementing this paradigm of “Need to know” in the practice, the risk of inappropriate disclosure, alteration, or destruction of sensitive information is minimized.

The practice must create and maintain specific procedures for granting, changing, and ultimately removing access to systems that process ePHI. These procedures must be documented and consistently followed.

Security Awareness And Training – CFR § 164.308(a)(5)

According to the 2019 Verizon Breach Investigations Report (a well-respected report that covers global cybersecurity issues), 94% of all malware was delivered through email, mostly in phishing or spear-phishing attacks, and all opened by employees who had not been properly trained to ignore or flag them.

To comply with HIPAA regulations, all staff of covered practices must receive proper cyber awareness training. Further, this training must be done on a regular basis. Periodic retraining should be given whenever environmental or operational changes affect the security of ePHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.

The training must include at a minimum:

  1. Ability to recognize and follow procedures for combating malicious software.
  2. Procedures for monitoring log-in attempts and reporting discrepancies.
  3. Procedures for creating, changing, and safeguarding passwords.

Security Incident Procedures – CFR § 164.308(a)(6)

The purpose of contingency planning is to establish procedures and strategies for recovering automated systems (and the access to ePHI) should the practice experience an emergency or other disaster, such as a power outage and/or disruption of critical operations.

The Contingency Plan standard requires that covered entities: “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

The Contingency Plan standard includes five implementation specifications.

1. Data Backup Plan - § 164.308(a)(7)(ii)(A)
2. Disaster Recovery Plan - § 164.308(a)(7)(ii)(B)
3. Emergency Mode Operation Plan - § 164.308(a)(7)(ii)(C)
4. Testing And Revision Procedures - § 164.308(a)(7)(ii)(D)
5. Application And Data Criticality Analysis - § 164.308(a)(7)(ii)(E)

Data Backup Plan - § 164.308(a)(7)(ii)(A)

Most practices have some form of backup in place, but to be truly effective, these questions must be answered:

Does the plan include all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used?

Does the backup plan include storage of backups in a safe, secure place? Cloud-based backup?

Is the organization’s frequency of backups appropriate for its environment?

Does your backup system keep multiple versions of files and databases? This is one of the best mechanisms to combat ransomware.

Disaster Recovery Plan - § 164.308(a)(7)(ii)(B)

After a disaster strikes is not the time to figure out what to do about it. All covered entities are required to create and maintain a disaster recovery plan. The plan is required to address protection and restoration of ePHI data.

  1. Does the disaster recovery plan address what ePHI data is to be restored and how that will be accomplished?
  2. Is a copy of the disaster recovery plan readily accessible at more than one location?

Emergency Mode Operation Plan - § 164.308(a)(7)(ii)(C)

Some organizations can operate in an emergency mode in the aftermath of a disaster. Some can’t. The time to decide whether or not to try to operate in an emergency mode is, again, before the disaster.

  1. Will the emergency mode be running on paper or electronic records?
  2. How will the practice balance the need to protect the data with their need to access the data?
  3. What alternative security measures will be required to protect PHI?
  4. Does the emergency mode operation plan include possible manual procedures for security protection that can be implemented as needed?
  5. Does the emergency mode operation plan include telephone numbers and contact names for all persons that must be notified in the event of a disaster, as well as roles and responsibilities of those people involved in the restoration process?

Testing And Revision Procedures - § 164.308(a)(7)(ii)(D)

The HIPAA regulations require that providers implement procedures for periodic testing and revision of contingency plans.

  1. Spend an hour or two with the staff to go through some tabletop exercises to make sure all personnel understand their roles and can respond appropriately.
  2. Going through a restoration exercise for all backed-up data is also crucial. If a system cannot be properly restored through the use of existing backup mechanisms, it is as if there are no backups.
  3. Ensure those responsible for emergency actions have actually performed those actions in a test mode.
  4. Document the results of each exercise and address or correct any problems uncovered by the test.

Application And Data Criticality Analysis - § 164.308(a)(7)(ii)(E)

A prioritized list of specific applications and data will help determine which applications or information systems get restored first and/or which must be available at all times.

Evaluation – CFR § 164.308(a)(8)

The HIPAA Security Rule regulations state:

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”

We at Alaris recommend that practices review and evaluate their security plans at a minimum on an annual basis and whenever new equipment, software, or procedures are implemented.

Business Associate Contracts And Other Arrangements – CFR § 164.308(b)(1)

All practices maintain connections to business associates that perform services for the practice. The HIPAA Security Rule requires that each of these business associates enter into a contract or other written arrangement that provides satisfactory assurances from the business associate that it will appropriately safeguard EPHI.

Business Associates can include:

  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.