If an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why, and adopt an equivalent measure if it is reasonable and appropriate to do so.
What Is Security Risk Analysis? By: MedSafe
Why Security Risk
MedSafe “The Total Compliance Solution”
PHI / ePHI as defined under the HIPAA Security Rule
What is ePHI?
Electronic Protected Health Information: personally identifiable electronic protected health information that is stored, accessed, maintained, retained, destroyed, transmitted, held, used or disclosed.
What is “unsecured” PHI?
Unsecured PHI/ePHI is that Protected Health Information which is not rendered unusable, unreadable or indecipherable to unauthorized individuals.
How do I secure PHI/ePHI?
Section 13402 of Title XIII of the HITECH Law and the American Recovery and Reinvestment Act of 2009 (ARRA); options include use of encryption technologies and proper destruction methods as defined by HHS.
Once PHI has been de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and is therefore no longer subject to the HIPAA Privacy and
Encryption is the process of securing electronic information by transforming it into code that renders it unreadable, indecipherable and unusable to any unauthorized individual. Authorized individuals possess a “key code” to decrypt and access the secured information.
Encryption & Breach
If secured (encrypted) ePHI were stolen or accessed by an unauthorized individual, the access would NOT constitute a breach, because the individual would not be able to read the ePHI without the key code.
Examples of ePHI mechanisms that should be secured with encryption:
Website portals / gateways
EMR interfaces, e-faxing, e-prescribing
Back-up tapes / CDs
External hard drives / flash drives
HIPAA Security Rule
The final regulation under HIPAA was published February 20, 2003.
The Security Rule specifies a series of administrative, technical, and physical security procedures for Covered Entities to use to assure the confidentiality, integrity, and availability of Protected Health Information (PHI).
Under 45 C.F.R. § 164.302 – 318, organizations must identify and implement the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI).
The Security Rule identifies
as the foundational element in
the process of achieving
The very first specification in the HIPAA Security Rule is Risk Analysis: “What could happen?”
Hackers broke into the United Nations computer system and hid there for two years. How do we know someone is not in our hospital computer system?
Risk analysis lays the foundation for the next specification in the Security Rule …
What do the numbers say?
39% of privacy breach incidents on the OCR “Wall of Shame” (breaches of 500 or more) have occurred on laptop or mobile devices
88% of exposed records are mobile-media related
60%+ of breaches have a strong malicious
Business Associates are involved in over half of
Source: J. David Kirby, Former Director, Information Security Office, Duke University Health System
Covered Entities are required to:
Evaluate risks and vulnerabilities in their
Implement security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
Risk analysis is the first step in that process. (45 C.F.R. § 164.308(a)(1))
The Security Management Process standard in the Security Rule requires “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”
Risk Analysis Requirement
Conducting a risk analysis includes identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the
OCR RISK ANALYSIS
Per the Office for Civil Rights (OCR):
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
National Institute of Standards & Technology (NIST), US Department of Commerce, Special Publication (SP) 800-30, defines “vulnerability” as:
“[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
Vulnerabilities, whether accidental or intentional, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI.
Vulnerabilities may be grouped into two general categories, technical and non-technical.
Non-technical vulnerabilities may include ineffective or nonexistent policies, procedures, standards or guidelines.
Technical vulnerabilities may include holes, flaws or weaknesses in the development of information systems, or incorrectly implemented and/or configured information systems.
Considerations for Organizations
Determine the most appropriate ways to achieve compliance, taking into consideration:
the characteristics of the organization
the physical environment
how ePHI is stored, shared and managed
Security Rule Specifications
Addressable vs. Required (68 FR 8334, 8336 (Feb. 20, 2003))
The Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)
An “addressable” implementation specification is not “optional”.
The outcome of the risk analysis process is a critical factor in assessing whether implementation of addressable specifications or equivalent measures is reasonable and appropriate.
Ongoing Risk Analysis should be performed by a qualified external professional to ensure objectivity, and should include the following steps:
Physical site assessment and personnel interviewing process
Identify technological infrastructure & data management
Identify and document privacy & security vulnerabilities
Collect documentation as proof of security measures
Identify existing security measures, including encryption
Implement ongoing plans of corrective action
ARE YOU READY?
KPMG has secured a $9.2 million contract with the Office for Civil Rights (OCR) to conduct random HIPAA HITECH Audits of Covered Entities. The audits have already begun.
After wrapping up site visits for the initial 20 compliance audits, the top HIPAA official at KPMG says Covered Entities (CEs) are failing to complete basic tasks, such as conducting a Risk Analysis and distributing a Notice of
Who is under the microscope?
OCR contracted the consulting firm Booz Allen Hamilton to “identify audit candidates” and “provide background and recommendations” for the audit program.
The first 20 of those audited were grouped by level of information technology sophistication and by type of entity, with four “levels” or tiers among them.
Of the 20, 10 were providers, eight were health plans and two
All Size Covered Entities Were Audited
Tier 1 organizations are the … with “revenues or assets greater than $1 billion,” including health plans, provider organizations and clearinghouses with “extensive use of health information technology, complicated HIT-enabled clinical and business work streams.”
Tier 2 includes … health plans, providers and clearinghouses, including hospital systems with 3 to 10 hospitals or regions, and regional insurance companies with assets valued at between $300 million and $1 billion.
Tier 3 includes … health plans & providers, which could include community hospitals, outpatient surgery centers, pharmacies and “self-insured entities that don’t adjudicate their claims,” with revenues between $50 million and $300 million each, with “some, but not extensive use of HIT [and] mostly paper-based workflows.”
Tier 4 includes … health plans and providers, described in OCR presentations as provider practices with 10 to 15 providers, and a community or rural pharmacy, with “little to no use of HIT, almost exclusively paper-based workflows” and “less than $50 million” in revenues.
The audited entities ranged in complexity from single physician practices to complex acute care medical
A covered entity can do its best to ensure broad compliance across all aspects of its operations, while the audit team might zero in on one department.
Michael Ebert, national HIPAA services leader for KPMG, which is performing the audits for OCR, stated …
In addressing what covered entities should be doing in light of the audit program, Ebert said: “Do a risk analysis, risk assessment.”
“I’ll tell you now, on everything we do, that’s the biggest weakness we see,” he said.
Ebert added that “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter, he said.
Elements of a Risk Analysis include…
Analysis of technological infrastructure
Internal operations & ePHI management
ePHI sharing, interfaces, communication
Existence of policies and procedures
Provision of ongoing staff training
Identification of ePHI sources & vulnerabilities
PHI storage and physical PHI security
ePHI preservation and operations
Workstation security & internal processes
Implement HIPAA/HITECH Policies & Procedures
Conduct Risk Analysis
Conduct ongoing employee training
Collect documentation of compliance efforts
Implement written plans of correction
Ensure existence of data security measures
Facilitate patient rights under the law
Security Risk Analysis establishes accountability.
Covered Entities are ultimately responsible for protecting patients’ information they have been
Risk Analysis is an important tool that helps ensure the privacy and security of the information that CEs have promised to protect under the Law.
In Summary, Security Risk
… is a requirement.
… protects Covered Entities and patients.
… reduces the potential for breach.
… improves quality measures and establishes
… facilitates CEs’ receipt of CMS EHR Incentives.
… establishes ongoing goals.
… from an ethical standpoint, is the right thing to do.