Risk Analysis for Business Associates
This risk analysis is provided as a review of current processes and as a method to identify potential vulnerabilities to your company’s protection of protected health information (PHI) stored electronically. As a requirement of the Security Rule, this analysis is performed initially and on an annual basis. Additionally if significant changes are made to either the physical or technical environment of your company or your clients, the analysis should be updated to include changes and protections instituted to ensure the security of data accessed, stored or transmitted electronically.
Your HIPAA Compliance Manual includes policies to assist with documentation requirements. Annually you should review all policies to ensure you are in compliance with stated standards for your practice. If policies are not followed as written, revisions should be made to reflect your practice operations. Policies must be enforced for all members of the workforce.
You will need procedures specific to your company to address activities you do for clients and how you do them. Your HIPAA Manual allows you to add those procedures at the end of each section or you may have them in a separate book or both. Additional policies and procedures for compliance with HIPAA Security Regulations in this practice are located: ______
This document is organized into three sections: Administrative, Physical, and Technical safeguards. Under each section you will find the required safeguards or Standards as well as Implementation Specifications. During the analysis you will address activities that are currently in place in your office as well as determine activities which must be implemented or evaluated.
As part of the Security Rule, implementation specifications are designated as required or addressable.
Required - If the specification is marked as Required, the action must be implemented as it is written.
Addressable - If the specification is marked as Addressable, you must assess whether the recommended safeguard to meet the standard is a reasonable and appropriate safeguard in your environment. If you choose not to implement the recommended choices, there must be documentation of the reason why not and equivalent alternative measure you did implement to meet the required standard and why you think this is appropriate.
To begin the process the location of ePHI and the protection used for that data must be identified and documented. An inventory of equipment must be completed as well.
Utilize the following forms: Electronic PHI Location - List the device on which the ePHI is stored or through which it is transmitted. Include types of ePHI provided to Business Associates or accessed on client files. Protection for all types of ePHI must be included on the form. Hardware, Software, and Media Inventory - This inventory will provide a means listing and tracking equipment over time from purchase to destruction. All equipment must be disposed of in an appropriate manner or if the equipment will be reused in some manner, all ePHI must be removed from the equipment or media on which it is stored.
1 ADMINISTRATIVE SAFEGUARDS
Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the business associate or covered entity’s workforce in relation to the protection of that information.
STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS SECURITY MANAGEMENT RISK ANALYSIS - Required Analysis completed by management PROCESS - 164.308(a)(1) 164.308(a)(1)(ii)(A) Analysis completed on systems by IT professionals Implement policies and procedures to Conduct an accurate and thorough assessment of the prevent, detect, contain and correct potential risks and vulnerabilities to the confidentiality, Risks associated with BAs and subcontractors identified security violations. integrity and availability of electronic protected health and addressed with them information held by the covered entity or business Risks associated with clients identified associate. Security Manager named and responsibilities assigned RISK MANAGEMENT - Required 164.308(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a) SANCTION POLICY - Required Policy has been documented, includes examples of potential 164.308(a)(1)(ii)(C) violations and can be found in ______. Apply appropriate sanctions against workforce members All members of the workforce have read the policy. who fail to comply with the security and privacy policies and procedures of the covered entity or business associate The sanctions are applied against all workforce members and the terms of the regulations. (including management) for failure to comply with the policies and regulations. INFORMATION SYSTEM ACTIVITY Security incident reports are reviewed to detect individual REVIEW - Required breaches and patterns of incidents that may require additional 164.308(a)(1)(ii)(D) Implement procedures to regularly security measures, system changes and mitigating action. review records of information system activity, such as System audit reports are produced and reviewed. (See Security audit logs, access reports and security incident reports. Plan) System audit reports are currently not used but the practice/company will work with an IT specialist to identify and implement appropriate reports. Target date for implementation: ______.
2 STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS WORKFORCE SECURITY - AUTHORIZATION AND/OR SUPERVISION - Screening procedures for new employees have been 164.308(a)(3)(i) Addressable 164.308(a)(3)(ii)(A) documented and are followed consistently. Implement policies and procedures to Implement procedures for the authorization and/or Employees are aware of chain of command and to whom to ensure that all members of its workforce supervision of workforce members who work with have appropriate access to electronic electronic protected health information or in locations report incidences. protected health information, and to where it might be accessed. Protected Health Information Access Needed by Function prevent those workforce members who do form is complete to outline access levels for personnel. not have access from obtaining access to WORKFORCE CLEARANCE PROCEDURE - All employees have access to all information and the rationale electronic protected health information. Addressable 164.308(a)(3)(B) for this decision has been documented. Implement procedures to determine that the access of a Process is outlined for access for non-employee workers and is workforce member to electronic PHI is appropriate. located ______. The method of granting and controlling access which includes These questions address the clearance process before login and password assignment has been documented and can an employee is hired, the process for assigning be found ______. access levels and action needed upon termination. Examples: Method stored electronically, IT houses process, The size of the workforce will dictate how detailed hard copy of written process. the investigation process for new hires must be. Responsibility for the periodic review of access controls which includes a review of determination of access need has been assigned to ______.
TERMINATION PROCEDURES - Addressable Responsibility for carrying out termination procedures to 164.308(a)(3)(C) remove access privileges when an employee, contractor, or Implement procedures for terminating access to ePHI any other individual with access rights leaves the organization when the employment of, or other arrangement with, a has been assigned to ______. workforce member ends. See YOUR Manual - Security section for actions. Audits and audit reports are used to validate that the procedures are being followed. INFORMATION ACCESS ISOLATING CLEARING HOUSE FUNCTION – This practice does not have a healthcare clearinghouse MANAGEMENT 134.308(a)(4) Required 164.308(a)(4)(ii)(A) function and therefore this requirement is not applicable. If a Implement policies and procedures for clearinghouse is a part of the larger organization the Security granting access to EPHI that are Rule requires policies and procedures controlling access. consistent with the applicable requirements of the Privacy Rule Minimum necessary limitations are a part of policies and (minimum necessary standards). training.
3 STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS SECURITY AWARENESS AND SECURITY REMINDERS - Addressable All members of the workforce, including doctors, and TRAINING 164.308(a)(5) 164.308(a)(5)(ii)(A) management, have been trained on the policies and Implement a security awareness and procedures, the regulations and behaviors to ensure training program for all members of its compliance. workforce including management New employees are provided training. Annual refresher training will be conducted. Security reminders as provided in YOUR Newsletters are distributed to employees or topics are covered in staff meetings. Documentation of review is located ______. Other training methods used (Examples: webinars, seminars, conferences) ______.
MALICIOUS SOFTWARE PROTECTION Virus detection and prevention software is installed on all Addressable 164.308(a)(5)(ii)(B) terminals that have Internet access and/or on all controllers. Procedures for guarding against, detecting and reporting Employees have received training on the policies to provide malicious software. protection from malicious software. Malicious software is any program that harms information Employees instructed on activities to avoid when using systems, such as viruses, Trojan horses, spyware, or business systems. (Examples: uploading or downloading worms. As a result of an unauthorized infiltration, ePHI information such as screen savers or music, social networks, and other data can be damaged or destroyed. personal email), use of personal media & devices LOG-IN MONITORING - Addressable 164.308(a) Log-in attempts are monitored by: (5)(C) Program set to identify multiple unsuccessful log-on attempts. Procedures for monitoring log-in attempts and reporting System locks after _____ unsuccessful log-in tries. Password discrepancies. must be reset. Attempted access by unauthorized users can also be an Log-in attempts recorded in log or audit trail. indication of possible identity theft. Remote log - in is monitored routinely. The planned date of system upgrade to allow log-in monitoring is ______. PASSWORD MANAGEMENT - Addressable Policies and processes are in place that prevents workers from 164.308(a)(5)(ii)(D) sharing passwords. Procedures stored ______Procedures for creating, changing and safeguarding Passwords are changed on a routine basis. passwords. Employees are prompted to change passwords through computer program reminders.
SECURITY INCIDENT RESPONSE AND REPORTING – Required Security events have been defined and documented. See PROCEDURES 164.308(a)(6) 164.308(a)(6)(ii) YOUR Manual - Security Section. Identify and respond to suspected or known security Implement policies and procedures to The YOUR form on security incidents is used. The form address security incidents. incidents; mitigate, to the extent practicable, harmful 4 effects of security incidents that are known to the covered defines the types of incidents and serves as a written record for entity or business associate; and document security each incident. incidents and their outcomes. STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS CONTINGENCY PLAN 164.308(a) DATA BACK-UP PLAN – Required 164.308(a)(7) CE or BA has indentified information which must be backed- (7)(i) (ii)(A) up. Information includes any patient data which is created or Establish (and implement as needed) Establish and implement procedures to create and used electronically, i.e. financial, medical, case management, policies and procedures for responding to maintain retrievable exact copies of electronic protected research, digital recordings or images, diagnostic study results. an emergency or other occurrence that health information. damages systems that contain ePHI. All critical data is backed up daily. Method used to back-up DISATER RECOVERY PLAN – Required data is in the Contingency Plan in the Security Policies section 164.308(a)(7)(ii)(B) of the YOUR Manual. Establish (and implement as needed) procedures to restore Back up media is stored online in a remote location, off site or any loss of data. in a fire proof safe. Back-up tapes are encrypted to reduce risk of breach scenario TESTING AND REVISION PROCEDURES and to protect patient information. Addressable 164.308(a)(7)(ii)(D) A complete disaster recovery plan has been documented and is Implement procedures for periodic testing and revision of contingency plans. reviewed annually. Plan includes: data to be restored, emergency access arrangements, if the building still exists; assigned responsibilities to share the work load with each person knowing their role in advance; vendors and other service providers who will be helpful in recovery; alternate locations; recovery timeframes and priorities. Copy is located off-site. Use Contingency Plan Document Equipment and software lists as well as system owners, primary users and system recovery priority have been documented on the Hardware, Software, and Media Inventory form. Copy of the documentation is stored offsite. Call lists developed and updated routinely, assignments on calling made, and each individual affected has their list. Examples: who will contact patients, who will contact vendors to order replacement equipment? The disaster recovery plan has been tested to include testing of back-up files to ensure data can be installed. Testing could use a scenario-based walk-through or a complete live test. The degree of testing is based on size of practice or company. EMERGENCY MODE OPERATION PLAN An emergency operations plan which addresses short term Required 164.308(a)(7)(ii)(C) interruption to service has been developed and documented. Establish and implement as needed procedures to enable Use Emergency Operations Plan in the Security Policies continuation of critical business processes for protection section of the YOUR manual. of the security of ePHI while operation in emergency mode. Required.
5 STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS EVALUATION 164.308(a)(8) Annual risk analysis is performed and documented. Perform a periodic technical and Facility Audit performed by YOUR on an annual basis. nontechnical evaluation, based initially upon the standards implemented under this Manual audits of compliance are completed using HIPAA rule and subsequently, in response to audit located in YOUR Manual. environmental or operational changes Incident reports are reviewed on an annual basis and when affecting the security of electronic needed to identify outstanding issues. protected health information, that Policy and procedures are reviewed on an annual basis and establishes the extent to which an entity’s or business associate’s security policies compared to current operating standards. Revisions are made and procedures meet the requirements of based on review of audits and policy review. the Security Rule. BUSINESS ASSOCIATES WRITTEN CONTRACT - Required 164.308(b)(3) Business associates and subcontractors have been identified. 164.308(b)(1)) Document the satisfactory assurances required by Clients (CEs) have been identified A covered entity, in accordance with § paragraph b(1) or b(2) of this section through a Updated written contracts have been obtained since 164.306 [the Security Standards: General written contract or other arrangement with the implementation of updated rules affecting BA relationships Rules], may permit a business associate to business associate (or subcontractor) that meets the effective February 2010. (See required inclusions for create, receive, maintain, or transmit applicable requirements of 164.314(a). electronic protected health information on Contracts on the YOUR website and 164.314) the covered entity’s behalf only if the Business associates and subcontractors provide proof of covered entity obtains satisfactory compliance with HIPAA security rules. assurances, that the business associate Copy of polices and procedures will appropriately safeguard the information. Proof of staff training 164.308(b)(2) Employee specific log-in/password policies A business associate may permit a Encryption process used for data stored or in transit business associate that is a subcontractor such as sent via email. to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, that the subcontractor will appropriately safeguard the information.
6 PHYSICAL SAFEGUARDS
Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS FACILITY ACCESS CONTROLS CONTINGENCY OPERATIONS – Critical persons identified for access to restore data listed in 164.310(a)(1)) Addressable 164.310(a)(2)(i) Contingency Plan. Implement policies and procedures to limit Establish (and implement as needed) procedures that Non staff members may be escorted when on premise to physical access to its electronic information allow facility access in support of restoration of lost systems and the facility or facilities in which data under the disaster recovery plan and emergency provide data restoration services. they are housed, while ensuring that properly mode operations plan in the event of an emergency. Additional security of premise to be added if sensitive authorized access is allowed. information cannot be secured by physical means. FACILITY SECURITY PLAN – Addressable A list of all employees with keys or after-hours access is 164.310(a)(2)(ii) maintained by the security officer. Implement policies and procedures to safeguard the Steps in place to secure the physical structure. facility and the equipment therein from unauthorized physical access, tampering and theft. Alarm/security system – Individualized employee access codes for disarming. Locks reinforced – deadbolt Badge entry for authorized personnel Video cameras Security guard present Other ______ Equipment from CEs onsite are locked up or otherwise secured STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS ACCESS CONTOL AND VALIDATION Sign in sheets or visitor badges are provided for visitors for PROCEDURES – Addressable 164.310(a)(2)(iii) larger facilities. Implement procedures to control and validate a person’s Visitors are restricted to certain areas and/or escorted while in access to facilities based on their role or function, including visitor control, and control access to software the office programs for testing and revision Policies on granting temporary physical access to repair personnel have been documented. Portable office equipment, such as laptop computers are assigned to individual employees. Server is located in secured area. Access is limited to authorized personnel only. MAINTENANCE RECORDS - Addressable A record of all repairs and changes to systems and facilities is 164.310(a)(iv) maintained by the security officer or designee. Documentation Implement policies and procedures to document repairs may be a copy of work order or invoice outlining services and modifications to the physical components of a facility completed. which are related to security (hardware, walls, doors, locks). Records are maintained and stored ______.
7 WORKSTATION USE 164.310(c) Software or devices storing ePHI have been identified and Implement policies and procedures that documented on the Electronic PHI Location form. specify the proper functions to be Workstations are used for business purposes. Limited personal performed, the manner in which those functions are to be performed, and the business is allowed and employees are aware of restrictions. physical attributes of the surroundings of a Access from remote locations is not allowed. specific workstation or class of Access from remote locations is limited and performed by workstation that can access electronic authorized personnel only. protected health information. Workstations are located in such a way to prevent accidental WORKSTATION SECURITY viewing or access and are protected by the following 164.310(c) additional measures. Implement physical safeguards for all Password protected screen savers. workstations that access EPHI to restrict Privacy screens on workstations when indicated by access to authorized users. physical location. Systems are locked or the log-out process is in use when workstations are unattended.
STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS DEVICE AND MEDIA DISPOSAL - Required 164.310(d)(1)(i) Unassigned portable equipment, such as laptop computers, is CONTROLS 164.310(d)(1) Implement policies and procedures to address the final logged in/out when removed from the office. The log is Implement policies and procedures that disposition of ePHI and/or the hardware or software maintained by the security officer or designee. govern the receipt and removal of media on which it is stored. Portable devices not owned by the practice/office must meet hardware and electronic media that MEDIA REUSE – Required 164.310(d)(1)(ii) contain ePHI into and out of the facility Implement procedures for removal of ePHI from electronic defined policies for protection of ePHI, destruction of data and the movement within the facility. media before the media are made available for reuse. prior to disposal and reports of loss or theft. Examples include: ACCOUNTABILITY – Addressable 164.310(d)(1) smart phones, diagnostic equipment used through contract (iii) Maintain a record of the movements of hardware and services or by business associates or subcontractors. electronic media and any person responsible therefore. Policies have been documented on how to handle destruction DATA BACKUP AND STORAGE Addressable or disposition of equipment, software and other media to 164.310(d)(2)(iv) ensure ePHI and client data is completely removed. Create a retrievable, exact copy of electronic protected Disposition is logged on the inventory sheet for permanent health information, when needed, before movement of record. equipment. Data is cleansed or equipment is destroyed prior to disposal on all equipment. Prior to moving equipment storing ePHI which is not stored on a network server, an exact copy of information is created. Example: computer hard drive used to store patient records which are not backed up on a daily basis.
8 TECHNICAL SAFEGUARDS The technology and the policy and procedures for its use that protect electronic protected health information and control access to it. STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS ACCESS CONTROL 164.312(a)(1) There is automatic system to system activity. Example: Back Implement technical policies and procedures up process occurs automatically with no human intervention to for electronic information systems that maintain begin the process. Additional investigation and protections ePHI or client data to allow access only to may be required if you checked this item. those persons or software programs that have been granted access rights as specified in the No automatic system to system connections occur where data Security Rule. from one system is used by another system without human intervention to make it happen. Wireless networks are used but secured and validation/audit reports are used to control and monitor access. Wireless systems available to public is on a separate device or system from PHI records. Programs or systems storing ePHI can be accessed only through an authentication process which is accomplished through a log-in and confidential password system. UNIQUE USER IDENTIFICATION - Each member of the workforce of the CE or BA who is Required 164.312 (2)(i) allowed access has a unique access code. Assign a unique name and/or number for identifying ePHI and client data on portable PCs, smart phones or other and tracking user identification. portable devices is protected by access code. Each Business Associate, subcontractor or vendor who is allowed access has a unique code and is limited in the data they may access. Vendor or subcontractor is required to have some means of identifying the individual using the code. Secure access system.
STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS EMERGENCY ACCESS PROCEDURE – Contingency program provides for emergency access Required 164.312 (2)(ii) The following persons will need access to ePHI during an Establish and implement as needed procedures for emergency situation: obtaining necessary ePHI during an emergency Administrator situation. Security officer IT support Doctors/Managers Other: ______
AUTOMATIC LOGOFF – Addressable The system will log a user off after ______minutes of
9 164.312 (2)(iii) inactivity. Implement electronic procedures that terminate an Automatic logoff feature is activated on all workstations. electronic session after a predetermined time of inactivity. Screensaver that is password protected activated after ______minutes of inactivity. ENCRYPTION AND DECRYPTION - Back-up tapes are encrypted. Addressable 164.312 (2)(iv) ePHI moved from one location to another, for example from Implement a mechanism to encrypt and decrypt ePHI. one satellite to another, is encrypted on the storage device used. Data stored or leaving the office in electronic ePHI moved from one location to another, for example from format will need to be encrypted to avoid patient one satellite to another, is NOT encrypted on the storage notification if the device is ever inappropriately device used. The following measures are followed for accessed, lost, missing or stolen. Access to protection: information which is not encrypted will be Device transported in locked container and/or stored in considered a breach and must be reported to the trunk of the vehicle. Vehicle must not stop in impacted patients, HHS, and in some cases the transport local media. Device is not left unattended. Mobile device is logged in and out to document safety of ePHI. ePHI stored on other devices such as flash/thumb drives, smart phones, lap tops, and hard drives are encrypted. Information stored on server is encrypted. Information stored on server is not encrypted. Additional measures have been implemented to protect information. Server room is locked at all times with access allowed by authorized personnel only. Proprietary software in use. Sensitive PHI is not sent by email unless encrypted or deidentified Secure websites used AUDIT CONTROLS 164.312(b) Audits are routinely performed. Change reports are produced and reviewed periodically. See Security Section of YOUR Implement hardware, software, and/or Manual for complete list. procedural mechanisms that record and Audits are reviewed for trends by security officer or designee examine activity in information systems that contain or use electronic protected information. routinely. Sanctions and additional education provided based on audit results. System to system transfers have audit processes that verify accuracy of items sent and caught, financial balances, etc. See list of system audits performed provided by IT professional
10 STANDARD IMPLEMENTATION SPECIFICATIONS DESCRIPTION OF ACTIONS INTEGRITY 164.312(c)(1) To prevent unauthorized alteration/access to data, this office uses: Individual access controls Implement policies and procedures to protect Virus protection software ePHI from improper alteration or destruction. System firewalls Audit reports and reviews System programs to authenticate data Practice will work with an IT specialist to identify and implement appropriate protection. Target date for implementation: ______.
MECHANISM TO AUTHENTICATE ePHI Electronic signatures are utilized for authentication of entries. Addressable 164.312(c)(2) Periodic audits of user activity are performed which will Implement electronic mechanisms to corroborate that include data change reports to verify legitimacy of the change ePHI has not been altered or destroyed in an unauthorized manner. and the entity making the change. IT support will be contacted to evaluate system capabilities for electronic authentication such as error-correcting memory, check sum technology. PERSON OR ENTITY Individual passwords and log-in utilized for employees. AUTHENTICATION 164.312(d) Combination of FOB or some other token and password Implement policies and procedures to verify utilized. that a person or entity seeking access to ePHI is Secure portal in place for patient access with unique log-in and the one claimed. password utilized. TRANMISSION SECURITY 164.312(e) Types of electronic transmission have been listed using the (1) Electronic PHI Location form. Security measures provided by IT professional. See list Implement technical security measures to guard against unauthorized access to ePHI or client data that is being transmitted over an electronic communications network INTEGRITY CONTROLS - Addressable Transmission of ePHI is protected utilizing. 164.312(e)(2)(i) Network firewalls Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without VPN technology detection until disposed of. Secure portal Encryption ENCRYPTION - Addressable 164.312(e)(2) (ii)Implement a mechanism to encrypt ePHI whenever Other deemed appropriate. Exceptions to encryption are recorded on the Electronic PHI Location form.
11 Red Flags Rule
This office does not order any credit bureau reports or communicate regularly with any credit bureau. This office does communicate with the credit bureau. This office offers a payment plan for individual clients for products purchased. Patient Identification
All new clients are identified. Client identification is copied and added to the file. Client identification is recorded. Risks if a HIPAA Privacy or Security Violation Occurs
HIPAA regulations require documentation of risks and threats the company might be exposed to and the probability these might occur to determine the degree of protections necessary. Reputation - If information from your company is compromised the consequences can range from loss of client trust to loss of client business. As a business associate you can endanger the reputation of clients. Financial - If system records are lost and unrecoverable you may be unable to obtain payment for services rendered. Disclosures resulting in fines or law suits will have a negative impact on the financial stability of the company and possibly clients. Patients - Patients’ lives or health dependent on access to accurate medical information. Depending on type of patients cared for by clients and the type of data that might be compromised or lost, negative outcomes may occur when access to medical information is not available. Systems – Hardware and software may be lost or destroyed which will impact the delivery of patient care by clients and can endanger the company financials. Threats to Security that May Occur Natural disasters - Fire, flood, tornado, and hurricane. Natural disaster may occur in any environment. Medium probability this might occur in any region. Theft – Loss of equipment or information due to theft either from outside or internal sources is a significant risk. Estimated that 30% of portable devices are lost or stolen each year. Probability medium to high. Employee intentional use or disclosure of information – While the intent may not be intentional, the company will be required to mitigate any inappropriate use of disclosure which may mean contacting clients, patient, HHS, and potentially the local media. Probability is medium to high. Employee unintentional use or disclosure of information – Accidental access or changes to information can occur. Education and tracking will reduce the likelihood of inappropriate access. Probability is medium to high. Business Associates improper use or disclosure of information – As with company risk it may be a result of lack of controls or training. Probability is medium to high depending on the BA. External compromise of a system - From hackers or viruses. Probability is medium. Financial Identity Theft - Theft of data by external parties or employees. Probability medium to high System to system compromises - System that automatically accesses an office system to retrieve data to perform a function; risk of inappropriate access to ePHI. Probability low to medium.
12 13 ANNUAL RISK ANALYSIS UPDATE
Complete this page on an annual basis and add it to the file. If security incidents or other events dictate increased security precautions and policies, document the actions taken.
Security incidents at the company Review the report of any security incidents of which you are aware occurring in the past 12 months. List number and type of incidents below. ______
Action Taken to Prevent or Correct Issues List corrective actions implemented to prevent reoccurrences of the incidents or to help you react in a timelier manner? Attach additional document if necessary. ______
Changes in the technological environment, size or other events in the last year that may dictate a change in the overall security practices needed in the company.
Clients moving to electronic patient records. Opened a new location. Numbers of workforce members and/or clients grew substantially. New management systems installed
Additions/Changes to the Security Precautions and Policies in the last year ______
14 Completed By ______Date ______
HIPAA Officer(s) ______
YOUR Consultant ______
Action Items
Complete/validate Hardware, Software, Media Inventory
Complete/update Location of ePHI form
Develop/complete Contingency Plan
Ensure back-up tapes are encrypted
Ensure back-up tapes have been tested and can restore lost data
1. ______
2. ______
3. ______
4. ______
5. ______
6. ______
7. ______
8. ______
9. ______
10. ______
15 IT Action Items
System capabilities Automatic logoff System reminder to change password System authentication of data change such as error-correcting memory or check sum technology Automatic system to system activity. Example: Back up process occurs automatically
with no human intervention to begin the process. What protections are in place to protect access or transfer of information. Data validation to ensure accuracy Log in to identify BA employee signing in Security review and documentation for HIPAA compliance and breach prevention
System capabilities - Audits Exception reports – remote access, excessive print, excessive record access Data change reports Employee access reports Data validation checks Random log-in audit. Example – Is an employee logged in while they are on
vacation?
ePHI Transmission is protected how? VPN technology Secure portal Encryption Other
Encryption Server Laptops PDA Back-up tapes Thumb drives Email Smart phones
Contracts Business Associate
16 Clients
17