security management process (HIPAA)
Covered entities must implement a security management process as a part of their administrative safeguards. The HIPAA Security Rule defines that process as the "implement[ation] of policies and procedures to prevent, detect, contain and correct security violations."

The process is further defined as including four implementation specifications, all of them required:
- a risk analysis;
- risk management;
- a sanctions policy; and
- an information system activity review.
DHHS has noted that this standard and its four components "form the foundation upon which an entity's necessary security activities are built." Accordingly, it must be given particularly careful attention. However, as with all other elements of security safeguards, entities are given latitude in determining the details of implementation: "Numerous factors, including ... but not limited to, their size, degree of risk and environment" will determine what is reasonable and appropriate. (Final Rule, p.78)

That said, DHHS has also been clear that every covered entity is required to keep its security measures "current," and so these efforts "must be periodically reassessed and updated as needed." (Final Rule, p.79) This is not a "one-off" effort.
The first of the four implementation specifications, risk analysis, includes "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (PHI) held by the covered entity." A thorough and accurate risk analysis must consider "all relevant losses" that would be expected if security measures were not in place, including losses caused by unauthorized uses and disclosures as well as losses of data integrity or accuracy.

Risk management requires implementation of security measures sufficient to reduce those risks and vulnerabilities "to a reasonable and appropriate level."
Sanctions policies must be in place to apply appropriate penalties and punishments against workforce members who fail to comply with the organization's security policies and procedures. (The type and severity of sanctions imposed, and the categories of "violation," are left entirely to the determination of the covered entity.)

The last of the four, information systems activity review (formerly termed "internal audit"), includes implementation of "procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports." (Again, the frequency and intensity of these reviews are left to the discretion of the covered entity.)