HIPAA – A Required Security Management Process – 4 Steps Towards Administrative Compliance 

September 27, 2022

The protection of health information has been a national concern for decades. Everyone wants to know that when they see the doctor, go to the hospital, or visit a clinic, the details of that visit will be kept secure. Most individuals would be concerned if their private health records were in the hands of someone other than the people they intended. These concerns led to the security standards for health information mandated within the Health Insurance Portability and Accountability Act ("HIPAA") of 1996, and the regulatory requirements built on those standards have continued to grow and expand since the beginning of the 21st century.

Within HIPAA, organizations that manage Electronic Protected Health Information ("ePHI") are identified as covered entities and business associates ("entities"). The HIPAA security regulations require the entities handling these electronic records to comply with the Security Standards, 45 CFR § 164.306. The Security Standards (sometimes referred to as the HIPAA Security Rule) contain the following primary components:

This article is part of Asureti’s HIPAA compliance series and addresses key considerations for the Administrative safeguards. If your organization is a newly covered entity or business associate, it's crucial to understand and complete the HIPAA Security Management Process. Even if your organization has been subject to these regulations for a long time, continuous monitoring and ongoing assessment requirements can take significant time and resources.   

Step 1: HIPAA Security - Risk Analysis

Covered entities and business associates must ensure they are securing all ePHI they create, transmit, receive, maintain, and store. Outlined within the HIPAA Administrative Safeguards is a Security Management Process detailing the regulatory steps that help achieve compliance with the Security Rule, 45 CFR § 164.308 (a)(1)(i)(ii).

The HIPAA Security Risk Analysis ("SRA") requires entities that hold ePHI to perform an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI across all information systems (45 CFR § 164.308 (a)(1)(i)(ii)(A)). This assessment is the first step of the Security Management Process.

Risk Assessment 

The scope and depth of the Risk Assessment are determined by the size and complexity of the entity. The assessment should identify how the entity manages security risks throughout the organization. An in-depth review includes identifying and gathering data, policies, and processes, performing vulnerability scans, and understanding the organization's dependence on external systems and vendors.

Guidance from the Office of the National Coordinator for Health Information Technology (ONC) breaks the SRA into several sections. These include an in-depth review of: 

  • Security Policies, Procedures, and other Documentation
  • System User Access
  • Workforce Training
  • Data
  • Physical Security
  • Vendors
  • Business Continuity Plans
  • Continued Risk Assessment

After the completion of the assessment, there should be documentation of how the organization manages or mitigates security risks. The assessment provides a roadmap for the entity to update and implement any additional security policies, procedures, and processes needed to prevent, detect, contain, and remediate potential security risks. Every outstanding issue identified should have a remediation plan.

HIPAA Risk Assessments should be performed periodically (e.g., annually) and whenever there are modifications to applicable regulations, policies, and procedures. Entities are permitted, and often opt, to outsource the Risk Assessment to third-party vendors specializing in HIPAA and ePHI security compliance.

Step 2: HIPAA Security - Risk Management

The next step of the Security Management Process is Risk Management. A Risk Management Program is the proactive implementation of security policies, processes, and systems designed to sufficiently reduce risks and vulnerabilities to ePHI. The Risk Analysis serves as a check on the Risk Management Program to determine whether it is effective. Any recommendations from the Risk Analysis should be evaluated and added to a Risk Management Plan. Items on the plan are reviewed to decide whether current processes need to be modified, new controls implemented, or the risk otherwise mitigated. Each updated Risk Assessment may therefore require the Risk Management Program to be modified.

The required implementation for Risk Management is covered in CFR § 164.308 (a)(1)(ii)(i)(B).  

Step 3: HIPAA Security - Sanction Policy

The entity is required to train and supervise all workforce members on how to follow security policies and procedures when working with ePHI. The third step of the Security Management Process addresses workforce members who violate those security policies and procedures. The entity is required to define what sanctions apply when a workforce member has violated the policies; these can include termination of employment.

Sanction Policy requirements are listed in CFR § 164.308 (a)(1)(ii)(i)(C).

Step 4: HIPAA Security - Information System Activity Review

The final step of the Security Management Process is the ongoing evaluation of the Risk Management Program. The entity must develop processes for the continued review of the policies and procedures developed under the Risk Management Program. These processes require maintaining a collection of audit logs (records) of who has accessed ePHI. There should also be a policy on how often the logs are reviewed and a description of how security incidents are detected (CFR § 164.308 (a)(1)(ii)(i)(D)).
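As an added example (not from the original article and not Asureti's code), the kind of automated first pass an Information System Activity Review can run over ePHI access audit logs before a human reviewer triages the results. The log lines, the care-team roster that documents who has a legitimate reason to view each chart, the business-hours window and the bulk-access threshold are all constructed assumptions; a real program would feed these from the EHR's audit trail and its own review policy.

```python
from datetime import datetime

# Constructed ePHI access audit records (not real data): who did what to which chart, and when.
AUDIT_LOG = [
    "2022-09-20T09:12:03 user=dr_patel action=VIEW patient=P1001",
    "2022-09-20T09:15:41 user=dr_patel action=VIEW patient=P1002",
    "2022-09-20T13:02:10 user=nurse_kim action=VIEW patient=P1001",
    "2022-09-20T23:40:55 user=billing_ann action=VIEW patient=P1001",
    "2022-09-21T02:05:00 user=it_bob action=EXPORT patient=P1003",
    "2022-09-21T02:05:30 user=it_bob action=EXPORT patient=P1004",
    "2022-09-21T02:06:00 user=it_bob action=EXPORT patient=P1005",
]

# Constructed care-team roster: the documented relationship that justifies viewing a chart.
CARE_TEAM = {
    "P1001": {"dr_patel", "nurse_kim", "billing_ann"},
    "P1002": {"dr_patel"},
    "P1003": {"dr_lee"}, "P1004": {"dr_lee"}, "P1005": {"dr_lee"},
}

BUSINESS_HOURS = range(7, 19)   # assumed policy: 07:00-18:59 local time
BULK_THRESHOLD = 3              # assumed policy: distinct patients per user per review window

def parse(line):
    """Turn one 'timestamp key=value ...' audit line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review(lines):
    """Return (finding, user, detail) tuples for a reviewer to triage; findings are not verdicts."""
    findings = []
    patients_by_user = {}
    for rec in map(parse, lines):
        user, patient = rec["user"], rec["patient"]
        if user not in CARE_TEAM.get(patient, set()):      # access without a documented relationship
            findings.append(("no_documented_relationship", user, patient))
        if rec["ts"].hour not in BUSINESS_HOURS:            # access outside the policy window
            findings.append(("after_hours_access", user, rec["ts"].isoformat()))
        patients_by_user.setdefault(user, set()).add(patient)
    for user, patients in patients_by_user.items():          # many charts by one user: possible bulk pull
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} patients"))
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(*finding)
```

Each finding should be recorded with the reviewer's disposition so the review itself is evidenced for the next Risk Assessment.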

HIPAA covered entities and business associates are required to have continuous monitoring programs in place to identify vulnerabilities and potential risks. Entities are also required to evaluate the effectiveness of the Risk Management Program.  

Asureti can save covered entities and business associates the time, resources, and effort needed to perform the HIPAA Risk Analysis and to continuously monitor their environment, through our Managed Assurance solution and services. Contact us today!

Contact us today to get started with your HIPAA Risk Assessment!