Section 6.11 Optimize
Section 6 Optimize—EHR and HIE Security Risk Assessment - 1
EHR and HIE Security Risk Assessment
This tool helps you conduct a security risk assessment to help you comply with HIPAA and to reduce your risk of a privacy or security breach.
Time needed: The process of completing a security risk analysis is time-consuming. Depending on what is already in place, this process may take weeks to complete.
Suggested other tools: NA
Introduction
Compliance with the HIPAA Security Rule has been required of all HIPAA-covered entities (including behavioral health facilities) since April 20, 2005. The Omnibus Rule, which became effective September 23, 2013, holds all business associates of HIPAA-covered entities accountable for complying with the Security Rule as well. This should be addressed in the covered entities’ business associate agreements. Conducting a security risk analysis is one of the requirements of the HIPAA Security Rule. In addition, the HITECH Act of 2009, modified by the Omnibus Rule, requires federal breach notification when the privacy or security of protected health information (PHI) is compromised. Finally, the federal incentive program for meaningful use (MU) of electronic health records (EHRs) requires that a security risk analysis be performed and that all technical security controls specified in HIPAA are in place.
The Office of Civil Rights developed a document to help you understand these requirements. Please take time to read it. You can download it here:
Understanding Risk Assessment
Risk assessment is a complex and highly technical discipline. The good news is that there are well written documents that explain the theory and practice of completing a risk assessment. If you want to understand risk assessment, there is no better authority than the National Institute of Standards and Technology (NIST). Follow this link to a very useful overview of risk assessment:
The diagram on the following page, from the NIST document, sums up the process.
Completing the Risk Assessment
Below, we provide links to various risk assessment tools and resources. We advise taking a look at all of them before selecting one to use:
- HIPAA COW tools: The name is amusing, but the resources available on the site of this Wisconsin-based collaborative are very strong. Follow this link to their Risk Assessment toolkit:
- The federal government’s comprehensive site features a powerful and user-friendly HIPAA Risk Assessment tool. Follow this link to that tool:
- In addition to the tool, HealthIT.gov provides a series of informative videos that help you understand important risk assessment topics. Follow this link to the videos:
As you complete a Security Risk Analysis or update the one you have, pay particular attention to new threats and vulnerabilities as you add EHR and health information exchange (HIE) applications. In addition, as a provider of behavioral health services, you will find this specific guidance from the Office of Civil Rights useful:
Data Breach Notification
Despite your efforts, it is possible that a data breach may occur within your organization. If this happens, you are required to report the breach.
In addition to HIPAA requirements, the HITECH Act of 2009 (and as modified by the Omnibus Rule) and 44 states have data breach notification requirements. For a copy of the Omnibus Rule, see
The following is a summary of the federal breach discovery and notification process.
Minnesota also has a data breach notification law, which although not specifically targeting health information is still relevant. Follow this link for details:
Note: please consult with your legal counsel for additional information and assistance with your Security Risk Analysis effort.
Copyright © 2014 Stratis Health. Updated 04-22-14