In our last post, we discussed the four principal objectives of the Security Rule (§164.306(a)).
We mentioned that although the items enumerated did not appear unreasonable or overly burdensome, the devil was in the details. So here are some of those details.
The Security Rule contains a concept called the "Flexibility Approach," which others refer to as the Security Rule's guiding principle (§164.306(b)(2)). In essence, the flexibility principle enumerates four factors that a Business Associate must consider when deciding how to "reasonably and appropriately" implement the standards and implementation specifications.
The four Security Rule Flexibility Factors are as follows:
The size, complexity, and capabilities of the BA.
The BA's technical infrastructure, hardware, and software security capabilities.
The costs of security measures.
The probability and criticality of potential risks to ePHI.
More on the standards and implementation specifications next time.
Five years out from the promulgation of the HITECH Act, business associates are still struggling with what the Act requires of them under the modified HIPAA regulations. Although under the Omnibus Rule it should be clear that a business associate ("BA") must comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule, the requirements of the Security Rule ("SR") bedevil BAs the most.
The SR requires that a BA implement three types of safeguards: (1) administrative, (2) physical, and (3) technical. The principal objectives of the SR, as they pertain to both a Covered Entity and a BA, are as follows (§164.306(a)):
Ensure the confidentiality, integrity, and availability of all its ePHI.
Protect against any reasonably anticipated threats or hazards to the security or integrity of its ePHI.
Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule ("PR").
Ensure its workforce complies with the SR.
The items enumerated above do not appear unreasonable or overly burdensome. However, the devil (as always) lies in the details.
Conducting an effective Risk Assessment is a daunting task no matter how often you have done it; if it is your first time, your anxiety level is likely to be an order of magnitude higher. The closest thing to a silver bullet is this: there is no such thing as a perfect Risk Assessment, and there is no compliance requirement for one. The objective is not perfection. The objective is to establish a baseline that you can continue to improve on over time.
A Risk Assessment is not something that you perform once and then forget. Because the threat landscape changes daily, it is inconceivable that a rigorous, "full blown" Risk Assessment could be performed less often than once a year, and once a quarter is what you should strive for. The HIPAA Rules do not mandate the frequency of Risk Assessments; rather, the Rules require that you perform a Risk Assessment whenever your operational environment, or the law, changes in a material way. That said, two points need to be noted: (1) given the amount of change occurring in the healthcare industry (now and for the foreseeable future), operational environments are going to change quite often; and (2) if your objective is to manage risk, then performing a Risk Assessment only once a year is simply not a "reasonable and appropriate" thing to do.
Description: This paid-attendance live seminar will discuss how to comply with all 169 requirements of the HHS Audit Protocol, covering: (1) the Privacy Rule; (2) the Security Rule; and (3) the Breach Notification Rule.
Friday, October 9, 2015 8:00 AM - 5:00 PM EST (in beautiful Tampa Bay).