HIPAA Gap Analysis?

Posted on Oct 9, 2019 in HIPAA

What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis?  Many organizations use the two terms interchangeably, but they are not correct in doing so.  Don’t make the same mistake.

Office for Civil Rights Requirements

The Office for Civil Rights (OCR) has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis.  It requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information (ePHI) held by the organization.  Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI.  This includes all ePHI that is created, received, maintained or transmitted, regardless of the source or location of the ePHI.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis.  A Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization to reveal whether the policies, controls and safeguards required by HIPAA are in place and implemented.  The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems. It must also investigate all facilities as they relate to the privacy, uses and disclosures of PHI.

Gap Analysis Insufficient for HIPAA Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis of all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits.  Consequently, the gap analysis is not equivalent to the risk analysis, as it does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A).  It is important to note that OCR expects a covered entity to document and implement all of the necessary requirements of the HIPAA Rule to obtain a Compliant rating.

Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis.  Most importantly, ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.

Technical Safeguards Protect PHI

Posted on Jun 19, 2019 in HIPAA

Why Technical Safeguards?

Technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. They are key elements that help to maintain the safety of ePHI as the internet changes.  Technical safeguards have grown in importance with the technology advancements in the health care industry. The challenge for healthcare organizations is protecting electronic protected health information (ePHI), most importantly items such as electronic health records, from various internal and external risks.

Comply with Technical Safeguards

The HIPAA Security Rule requires a covered entity to comply with the Technical Safeguard standards and certain implementation specifications.  A covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “Technical Safeguards”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”  This rule is based on several fundamental concepts: flexibility, scalability and technology neutrality. Therefore, no specific requirements for the types of technology to implement are identified.

Implementing “The Security Rule”

The Rule allows a covered entity to use any security measures that let it reasonably and appropriately implement the standards and implementation specifications.  Because of this, the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.  There are a variety of measures which can assist an organization in meeting these standards.  A more detailed description can be found in the HIPAA Security Series published by HHS.gov.

Access Controls

Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of the Information Access Management standard under the Administrative Safeguards section of the Rule.
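As an added illustration (not code from the original post or from HHS), the following shows how access rules that grant only the minimum necessary ePHI to each role might be expressed in code; the role names, record sections, operations and the patient record are all constructed for the example.

```python
"""Role-based access rules for ePHI that enforce the minimum necessary
principle.  Constructed example: roles, record sections and operations are
hypothetical, not taken from any regulation or product."""
from dataclasses import dataclass

# Access rules: role -> {ePHI record section -> operations permitted}.
# Anything not listed is denied (deny by default).
ACCESS_RULES = {
    "billing_clerk": {"demographics": {"read"}, "billing": {"read", "write"}},
    "nurse": {"demographics": {"read"}, "clinical_notes": {"read", "write"},
              "medications": {"read"}},
    "physician": {"demographics": {"read"}, "clinical_notes": {"read", "write"},
                  "medications": {"read", "write"}, "billing": {"read"}},
}

AUDIT_LOG: list[dict] = []  # every decision, allowed or denied, is recorded


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


def check_access(user: str, role: str, section: str, operation: str) -> AccessDecision:
    """Decide whether `user`, acting as `role`, may perform `operation` on `section`."""
    if role not in ACCESS_RULES:
        decision = AccessDecision(False, "unknown role")
    elif operation in ACCESS_RULES[role].get(section, set()):
        decision = AccessDecision(True, "permitted by access rule")
    else:
        decision = AccessDecision(False, "outside minimum necessary for role")
    AUDIT_LOG.append({"user": user, "role": role, "section": section,
                      "operation": operation, "allowed": decision.allowed})
    return decision


def minimum_necessary_view(record: dict, role: str) -> dict:
    """Return only the sections of a patient record that the role may read."""
    readable = {s for s, ops in ACCESS_RULES.get(role, {}).items() if "read" in ops}
    return {section: data for section, data in record.items() if section in readable}


if __name__ == "__main__":
    # Constructed sample record containing no real patient data.
    record = {"demographics": {"name": "SAMPLE PATIENT"}, "clinical_notes": ["..."],
              "medications": ["..."], "billing": {"balance": 0}}
    print(check_access("u123", "nurse", "billing", "read"))
    print(minimum_necessary_view(record, "billing_clerk"))
```

The audit log records denied requests as well as permitted ones, which is what a later review of access to ePHI needs.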

CMS Security Rule

New Guidance from HHS

On December 12, 2012 the Department of Health and Human Services (HHS) published a News Release on its website regarding a new initiative for providers that gives guidance on how to safely keep PHI on mobile devices.  The initiative is called “Know the Risks, Take the Steps, Protect and Secure Health Information.”

The recommendations put providers on notice as to what HHS expects of them in protecting PHI:

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Disable and do not install or use file sharing applications.
  • Install and enable a firewall.
  • Install and enable security software.
  • Keep your security software up to date.
  • Research mobile applications before downloading.
  • Maintain physical control (i.e., protect against lost devices).
  • Use adequate security to send or receive health information over public Wi-Fi networks.
  • Delete all stored health information before discarding or reusing the mobile device.

Please review the security that you use for your mobile devices to assure that you are providing the protections that are expected.

The Importance of “The Security Rule”

Technical safeguards are important due to technology advancements.  The takeaway is that Technical Safeguards protect PHI.  Most importantly, covered entities and business associates who deal with electronic PHI must review their use of Technical Safeguards to be fully in compliance.

Feel free to contact us for more guidance on this important topic.

Anesthesia Compliance Consultants

© 2020 Anesthesia Compliance Consultants