CJ Wolf
Share:
HHS OCR tracks and publicly reports the top five issues in their investigated cases closed with corrective action. Administrative Safeguards have been in the top five identified issues for the last four years of reported data. They were number four on the list for the most recent two years and three for the two years before that.
When many people think of the HIPAA Security Rule (which applies to electronic PHI or e-PHI), they probably think about encryption and other technical safeguards, and they would be right. But what about Administrative Safeguards? What are they, and how do they relate to the HIPAA Security Rule? The Security Rule defines Administrative Safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Administrative Safeguards comprise over half of all the HIPAA Security requirements. They are important. In fact, the administrative safeguards are, in a way, the foundation of a HIPAA Security program.
According to the OCR, the Administrative Safeguards include:
-
- Security Management Process: A covered entity must identify and analyze potential risks to e-PHI. It must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel: A covered entity must designate a security official responsible for developing and implementing its security policies and procedures.
- Information Access Management: Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
- Workforce Training and Management: A covered entity must provide appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures. · Evaluation: A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
All of these safeguards are essential, but two of the most important are the Security Management Process and Evaluation. That’s why they’re often included in what’s often called a HIPAA Security Risk Analysis or HIPAA Security Risk Assessment and Management Plan.
HIPAA Risk Analysis
A HIPAA Security Risk Analysis specifically assesses compliance with the HIPAA Security Rule. It is akin to a home inspection before a buyer closes the purchase of a home. The home inspection is an overall assessment of the home’s structural stability, electrical systems, plumbing, roof, heating/air conditioning, and even integrity of the home’s foundation. Some items in a home inspection need to be addressed immediately, while others can be planned over weeks or months. Similarly, a HIPAA risk analysis should look at all aspects of the overall HIPAA Security program and identify areas that need immediate improvement while prioritizing corrective action for other identified gaps.
When the OCR performed their nationwide audits in 2016-2017, they identified some severe issues with entities’ performance of a risk analysis. They found that only 31% of covered entities/business associates were substantially fulfilling their regulatory responsibilities to safeguard the e-PHI they hold through risk analysis activities. This means 69% were significantly non-compliant or not compliant at all.
The audits concluded that most entities generally failed to:
-
- Identify and assess the risks to all e-PHI in their possession.
- Develop and implement policies and procedures for conducting a risk analysis.
- Identify threats and vulnerabilities, consider their potential likelihoods and impacts, and rate the risk to e-PHI.
- Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or the occurrence of a significant event.
- Conduct risk analyses consistent with policies and procedures.
Workforce Training: A Vital Administrative Safeguard
Another vital administrative safeguard is workforce training. Many HIPAA Security Officials will tell you that most breaches or other non-compliance with the Security Rule result from human error. In other words, technical safeguards, once implemented, rarely fail. For example, if a laptop is appropriately encrypted, the encryption rarely fails. However, even if an organization has excellent technical safeguards in place, a workforce member could click on a link in a phishing email or allow in some other way a bad actor access to an organization’s IT system. No number of technical safeguards can prevent bad results from human error.
Training employees is usually the best way to address this risk. And training an individual for a few hours upon initial hire isn’t going to be enough. A good practice is to send safe phishing email tests throughout the organization periodically while providing timely feedback to those who fail the test so they can learn, over time, the types of phishing attacks they might see in reality.
Administrative Safeguards as the Foundation of Your HIPAA Security Program View administrative safeguards as the foundation of an organization’s HIPAA Security program. They represent more than half of the HIPAA Security requirements. Before jumping into the Technical or Physical Safeguards, take a thoughtful approach to address the rule’s Administrative Safeguards. Beginning with a HIPAA Security Risk Analysis and subsequent Management Plan is probably the best place to start.
In our other eBriefs on this series, we covered other essential elements of the HIPAA Security Rule. You can download those in the links below.
To download this blog as a PDF, click the button below.
Questions or Comments?