HIPAA Risk Analysis and Compliance Testing
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information (PHI and e-PHI). To fulfill this requirement, HHS published what is commonly known as the Standards for Privacy of Individually Identifiable Health Information, establishing national standards for the protection of certain health information. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “protected health information” (PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and substantial civil money penalties.
Who Are Covered Entities?
- Medical Facilities
- Any organization that collects or transmits Personal Health Information
Risk Analysis and Management
- The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and risk management services of Don L. Hubbard and Associates assist in determining which security measures are reasonable and appropriate for a particular covered entity. Risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
- A risk analysis process includes, but is not limited to, the following activities:
  - Evaluate the likelihood and impact of potential risks to PHI
  - Implement appropriate security measures to address the risks identified in the risk analysis
  - Document the chosen security measures and, where required, the rationale for adopting those measures
  - Maintain continuous, reasonable, and appropriate security protections
  - Provide continuous on-site spot inspections to ensure compliance and re-evaluate the effectiveness of the security measures put in place
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to PHI and e-PHI and detect security incidents.