In a blog post last July, Terry Ketchersid reviewed the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Terry noted that one portion of the Act was designed to provide insurance “portability” for people changing jobs while another part outlines requirements for protecting the privacy and security of “individually identifiable health information,” commonly referred to as Protected Health Information or PHI.
The privacy and security part of HIPAA can be viewed as 2 separate rules: the Privacy Rule and the Security Rule. The Privacy Rule governs disclosure of PHI without the patient’s consent. Clinical or billing data that is patient-specific can only be disclosed to a third party without the patient’s specific consent if it is done for purposes of treatment, payment, or healthcare operations. The Security Rule addresses the requirement for healthcare entities to ensure safeguards are in place to securely store, receive, transmit, and maintain PHI. These days most PHI is electronic, so this rule is all about security of the electronic systems and devices in your practice.
The Annual Security Risk Analysis
HIPAA requires healthcare entities to “implement policies and procedures to prevent, detect, contain, and correct security violations” for PHI. Just using a certified EHR does not meet the requirement. Practices must perform an annual assessment of the risks, vulnerabilities, and threats to PHI within the practice and must also make changes to mitigate any identified problems. This annual Security Risk Assessment is part of HIPAA and also is a core objective of Stage 1 and Stage 2 Meaningful Use (MU) where the provider must attest to being compliant with the Security Risk Analysis.
The SRA tool gift
Today there is a new tool to help with Security Risk Assessment (SRA), which is a good reason to revisit the Security Rule portion of HIPAA and the Security Risk Analysis attestation of MU. The SRA tool is brought to you by ONCHIT and the Office of Civil Rights (OCR), the government agency that enforces HIPAA. On March 28 the Department of Health and Human Services (HHS) announced this new tool and made it available on their website.
This tool is specifically designed to help small- and medium-sized practices conduct and document an SRA that is compliant with HIPAA and MU attestation. The practice team can use the tool to systematically document the flow of PHI within the practice, including exchange of information among providers, with patients, to billing, or to a backup storage site. The tool also considers possible threats, including human threats such as people not following policies and procedures, natural disasters such as floods, and environmental emergencies such as power outages. The tool provides prompts to help the user identify security risks, such as when policies and procedures are inappropriate or inadequate.
Designed for teamwork
The SRA tool is downloaded and kept locally, so this information is private for the practice. It consists of 156 security questions that have “yes/no” documentation, with fields for comments, mitigation plans, and security impact. Designed for a team, the tool facilitates shared responsibility for assessing risks and communicating concerns and plans for security.
The SRA tool appears to be comprehensive and easy to use. In addition, the SRA tool website has several short, helpful videos, including an overview of the requirements of an annual security assessment and a very good introduction to using the SRA tool. The SRA tool screens are pretty straightforward, but you will need to look at the introductory video or the User Guide to get started. Here is a look at the first screen:
Safeguarding PHI is a big responsibility and will become more complex as care coordination and patient engagement increase data sharing. Consider taking advantage of this helping hand from ONCHIT and OCR to support thorough annual assessment of any security risk to the PHI in your care. The SRA tool is a gift from the government that should make your Annual Risk Assessment a little bit easier.