HIPAA Security Assessment

What is HIPAA Security Assessment?

The HIPAA Security Rule specifically focuses on safeguarding EPHI (Electronic Protected Health Information). All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule. The Security Rule focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:

  • Covered Health Care Providers— Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
  • Health Plans— Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Health Care Clearinghouses— A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa.
  • Medicare Prescription Drug Card Sponsors— A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” will remain in effect until the drug card program ends in 2006.

Objective of HIPAA Security Assessment

There are two specific regulations of interest to database professionals: the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule protects all individually identifiable protected health information (PHI) maintained by the Covered Entity. It is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:

  • the individual’s past, present or future physical or mental health or condition or
  • the provision of health care to the individual or
  • the past, present, or future payment for the provision of health care to the individual

The Privacy Rule’s basic mandate is that organizations may only release PHI as explicitly permitted by the Privacy Rule or with the prior written consent of the individual who is the subject of the records. The Privacy Rule also contains a number of notification requirements and administrative requirements designed to ensure proper records are maintained and that individuals are aware of their rights under HIPAA.

The Security Rule covers the security of electronic protected health information (ePHI). It prescribes a number of required policies, procedures and reporting mechanisms that must be in place for all information systems that process ePHI within the Covered Entity. It also prescribes a number of required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI within the enterprise. These specifications fall into five categories:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies and Procedures

The key to compliance with the Security Rule lies in the language of the law: implementing “reasonable and appropriate” measures. You should carefully evaluate each of the items your risk assessment identifies as possible security actions against this principle. If you (and your attorney) feel that the measure isn’t reasonable and appropriate when viewed in light of the type of data in question, the size of the business, the potential risk and other circumstances, it’s only necessary to document that rationale.

It’s certainly true that HIPAA has caused database professionals a number of headaches while striving to come into compliance with the law. You should, however, view this as an opportunity to focus on the security of your databases. The procedural requirements of HIPAA only apply to specific PHI/ePHI data, but they’re reliable best practices for all of your data.

HIPAA Security Assessment Methodology

HIPAA Compliance – Keys to Effective Policies & Procedures

  • Policies & procedures that are needed to stay compliant with HIPAA rules
  • Specific solutions to your most difficult security & privacy dilemmas
  • Inputs on preventing, detecting, containing and correcting security violations

HIPAA Security Assessments – What You Need to Know to be Prepared

  • What specific breaches can trigger an assessment
  • Specific checklist to help you be assessment-ready
  • Real life lessons learned from recent assessments

Benefits of HIPAA Security Assessment

Significant resources need to be invested over the next several years to achieve compliance with HIPAA legislation and to realize the long term benefits.

The benefits of HIPAA Security include:

  • Lowering administrative costs
  • Enhancing accuracy of data and reports
  • Increasing customer satisfaction
  • Reducing cycle time and improving cash management

How can DQS help with your HIPAA Security Assessment?

Our assessment methodology is Plan, Audit, Execute and Manage.

Audit Cycle

Contact us

Please feel free to contact us. We are looking forward to hearing from you!