6 EHR and HIE Security Risk Analysis


Section 6.9 Optimize EHR and HIE Security Risk Assessment

This tool helps you conduct a security risk assessment to help you comply with HIPAA and to reduce your risk of a privacy or security breach.

Time needed: The process of completing a security risk analysis is time-consuming. Depending on what is already in place, this process may take weeks to complete. Suggested other tools: NA

1. Introduction

Compliance with the HIPAA Security Rule has been required of all HIPAA-covered entities (including behavioral health facilities) since April 20, 2005. The Omnibus Rule, which became effective September 23, 2013, holds all business associates of HIPAA-covered entities accountable for complying with the Security Rule as well. This should be addressed in the covered entities’ business associate agreements. Conducting a security risk analysis is one of the requirements of the HIPAA Security Rule. In addition, the HITECH Act of 2009, modified by the Omnibus Rule, requires federal breach notification when the privacy or security of protected health information (PHI) is compromised. Finally, the federal incentive program for meaningful use (MU) of electronic health records (EHRs) requires that a security risk analysis be performed and that all technical security controls specified in HIPAA are in place. The Office of Civil Rights developed a document to help you understand these requirements. Please take time to read it. You can download it here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

2. Covered Entities

A covered entity is a health plan, a health care clearinghouse (an entity that converts HIPAA transactions such as claims and eligibility inquiries from non-standard to standard formats and vice versa), or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Because LPH departments conduct eligibility inquiries to determine if clients are eligible for Medicaid benefits and file claims with Medicaid, they are HIPAA-covered entities.

3. Business Associates

HIPAA defines a business associate as a person or entity who performs work on behalf of or for a covered entity that requires access to protected health information (PHI). An LPH department will probably have business associates if it uses a vendor to acquire, implement, and/or maintain health information technology (HIT). As such, LPH departments are required to have a business associate agreement (BAA) with each of their business associates. The Sample Business Associate Agreement Provisions provided by the U.S. Department of Health and Human Services Office for Civil Rights (the federal agency that enforces the HIPAA Privacy and Security Rules) are available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html


6. Understanding Risk Assessment

Section 6 Optimize—EHR and HIE Security Risk Analysis - 1

Risk assessment is a complex and highly technical discipline. The good news is that there are well-written documents that explain the theory and practice of completing a risk assessment. If you want to understand risk assessment, there is no better authority than the National Institute of Standards and Technology (NIST). Follow this link to a very useful overview of risk assessment: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf. The diagram on the following page, from the NIST document, sums up the process.

7. Completing the Risk Assessment

Below, we provide links to various risk assessment tools and resources. We advise taking a look at all of them before selecting one to use:

- HIPAA COW tools: The name is amusing, but the resources available on the site of this Wisconsin-based collaborative are very strong. Follow this link to their Risk Assessment toolkit: http://hipaacow.org/resources/hipaa-cow-documents/risk-toolkit/
- The federal government’s comprehensive site features a powerful and user-friendly HIPAA Risk Assessment tool. Follow this link to that tool: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
- In addition to the tool, HealthIT.gov provides a series of informative videos that help you understand important risk assessment topics. Follow this link to the videos: http://www.healthit.gov/providers-professionals/security-risk-assessment-videos

As you complete a Security Risk Analysis or update the one you have, pay particular attention to new threats and vulnerabilities as you add EHR and health information exchange (HIE) applications. In addition, as a provider of behavioral health services, you will find this specific guidance from the Office of Civil Rights useful: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html


9. Data Breach Notification

Despite your efforts, it is possible that a data breach may occur within your organization. If this were to happen, you are mandated to report the breach. In addition to HIPAA requirements, the HITECH Act of 2009 (as modified by the Omnibus Rule) and 44 states have data breach notification requirements. For a copy of the Omnibus Rule, see http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html. The following is a summary of the federal breach discovery and notification process.

Minnesota also has a data breach notification law, which, although not specifically targeting health information, is still relevant. Follow this link for details: https://www.revisor.mn.gov/statutes/?id=325E.61

Note: please consult with your legal counsel for additional information and assistance with your Security Risk Analysis effort.

Copyright © 2014 Stratis Health. Updated 04-22-14
