SECURITY MANAGEMENT PROCESS (§ 164.308(a)(1))
The first standard described within the Administrative Safeguards is the key to all compliance activities required by the HIPAA Security Rule. It is the foundation on which your comprehensive Information Security Policy should be built. I would argue that if you haven’t met this requirement, you’ll fall short on all other standards.
What do I mean by that?
Let’s take a look at the standard & the implementation specifications that make up the Security Management Process:
The standard is this: “Implement policies and procedures to prevent, detect, contain and correct security violations.” Kind of says it all, doesn’t it? The rest of the standards just further define what to do and how to accomplish it. The first key activity in meeting this requirement is to identify all information systems that house electronic protected health information (EPHI). This inventory should include all hardware and software used to collect, store, process or transmit EPHI, which means backup media and the network equipment in the transmission path, not only the servers and workstations where the data lives. A system you don’t know about is a system you can’t assess or protect.
Once you have a list of these systems, you’ll need to Conduct a Risk Analysis (a required implementation specification; the Rule’s own term is “risk analysis”, though most practitioners call it a risk assessment): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity”. Analyze each system, determine the potential threats that exist in your environment, and identify the controls you have in place to reduce the likelihood of those threats being realized. A risk assessment should incorporate the following key elements, which follow the nine-step methodology laid out in NIST SP 800-30:
- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
Once the risk assessment has been completed, you’re ready to Implement a Risk Management Program (a required implementation specification): “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306 (Security Standards – General Rules)”. Based on your risks and vulnerabilities, establish reasonable controls and safeguards to protect EPHI. Document what you currently have in place, but also list the desired safeguards that will be implemented in the future when budget and resources allow, each with an owner and a target date, so that the gap is a tracked plan rather than an open-ended intention.
The Sanction Policy
You’ve inventoried your systems, assessed the risks and vulnerabilities that they face, and documented the safeguards to protect them. Now you need to Develop and Implement a Sanction Policy (a required implementation specification): “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity”. This policy will define the consequences workforce members will face if they don’t adhere to the policies and procedures contained in your information security policies. Your Sanction Policy will reflect your commitment (and influence that of your workforce) to protecting EPHI. If penalties are weak, compliance will be lacking.
Finally, Develop and Deploy the Information System Activity Review Process (a required implementation specification): “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports”. In order to identify misuse, abuse or fraudulent activity, you’ve got to be looking for it.
This can be one of the most time consuming processes (and I’ll admit, somewhat boring and anything but glamorous), but an important one in monitoring what’s going on with regards to securing EPHI. Routine, scheduled review of activity goes a long way in identifying issues, and demonstrates your commitment to protecting the confidentiality, integrity and availability of health information.
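To make the activity review concrete, here is an added example of a scripted first pass over an EPHI access log. It is my illustration, not code from the original post or from any EHR product. The log lines are constructed for the example, and the field layout, the 07:00–19:00 business-hours window, the list of departments allowed to access records outside their own unit, and the “more than three times the median user count” volume rule are all assumptions; a real audit log has its own format, and the thresholds should come out of your risk analysis rather than from this script.

```python
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample EPHI access log; no real system produced these lines.
# Fields: timestamp,user,user_dept,patient_id,patient_dept,action
SAMPLE_LOG = """\
2024-03-04T09:12:05,jdoe,cardiology,P1001,cardiology,view
2024-03-04T09:15:40,jdoe,cardiology,P1002,cardiology,view
2024-03-04T23:41:10,jdoe,cardiology,P2001,oncology,view
2024-03-04T23:42:30,jdoe,cardiology,P2002,oncology,view
2024-03-04T10:02:11,asmith,billing,P1001,cardiology,view
2024-03-04T10:05:19,asmith,billing,P2001,oncology,view
2024-03-04T13:30:00,rlee,oncology,P2001,oncology,update
2024-03-04T13:35:00,rlee,oncology,P2002,oncology,view
"""
# Ten routine in-hours views by one clinician, also constructed, so the
# volume rule has a realistic outlier against the other users' counts.
SAMPLE_LOG += "".join(
    f"2024-03-04T08:{i:02d}:00,mchen,cardiology,P10{i:02d},cardiology,view\n"
    for i in range(10)
)

# Assumed review parameters: 07:00-19:00 counts as business hours, and these
# departments are expected to touch records outside their own unit.
BUSINESS_HOURS = (7, 19)
ALLOWED_CROSS_DEPT = {"billing", "medical_records"}
VOLUME_FACTOR = 3  # flag a user whose count exceeds 3x the median user count


def parse_log(text):
    """Turn the CSV-style lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, user_dept, patient_id, patient_dept, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "user_dept": user_dept,
            "patient_id": patient_id,
            "patient_dept": patient_dept,
            "action": action,
        })
    return events


def review(events, business_hours=BUSINESS_HOURS,
           allowed_cross=ALLOWED_CROSS_DEPT, volume_factor=VOLUME_FACTOR):
    """Apply three review rules and return the findings for human follow-up."""
    start, end = business_hours
    # Rule 1: any access outside the business-hours window.
    after_hours = [
        (e["user"], e["ts"].isoformat(), e["patient_id"])
        for e in events if not (start <= e["ts"].hour < end)
    ]
    # Rule 2: access to a record owned by another department, unless the
    # user's department is one that legitimately works across units.
    cross_department = [
        (e["user"], e["patient_id"])
        for e in events
        if e["user_dept"] != e["patient_dept"]
        and e["user_dept"] not in allowed_cross
    ]
    # Rule 3: per-user volume well above the median of all users in the window.
    counts = Counter(e["user"] for e in events)
    threshold = volume_factor * statistics.median(counts.values())
    high_volume = {u: n for u, n in counts.items() if n > threshold}
    return {
        "after_hours": after_hours,
        "cross_department": cross_department,
        "high_volume": high_volume,
    }


if __name__ == "__main__":
    findings = review(parse_log(SAMPLE_LOG))
    for rule, hits in findings.items():
        print(f"{rule}: {hits}")
```

On the constructed sample the script flags jdoe twice for after-hours access to two oncology records (a cardiology user), ignores asmith in billing because that department is on the allowed list, and flags mchen for volume. Each hit is a lead for the reviewer to resolve and record, not a conclusion; keeping the script’s output and the reviewer’s disposition of each item is what turns “we review logs” into the documented, repeatable process the specification asks for.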