The HIPAA Security Rule requires the implementation of administrative, physical, and technical safeguards for ePHI protection. Learn what administrative safeguards should be in place to protect ePHI.
Electronic Protected Health Information (ePHI) refers to sensitive health information that is digitally stored, transmitted, or processed, typically in electronic health records (EHRs), healthcare databases, or other healthcare-related systems.
Protecting ePHI is a “holy duty” for every organization that handles it for any purpose. The HIPAA Security Rule requires organizations to protect ePHI with administrative, technical, and physical safeguards.
In this article, we’ll focus on the administrative safeguards, which include:
Let’s dive deeper into the administrative safeguards and see what you should do to protect ePHI.
Implement policies and procedures to prevent, detect, contain, and correct security violations. This includes risk analysis and management, sanction policy, and information system activity preview.
Risk Analysis. Conduct risk assessments annually or every time there are significant changes in business processes, technologies, and threat landscape. The risk assessment helps identify potential risks and vulnerabilities to ePHI, so ensure all systems that handle ePHI are included in the assessment scope.
How to conduct the risk assessment? Read our blog post Risk Assessment Requirements Under HIPAA Security Rule for more details.
Along with risk assessments, conduct regular vulnerability scans, patch management, and application security tests.
Risk Management. You must address all identified risks and vulnerabilities found during the risk assessment. Thus, establish a process for documenting, tracking, and addressing identified risks and vulnerabilities in a timely manner.
Sanction Policy. Develop formal sanctions policies for violating security and privacy policies related to ePHI. Ensure all workforce members read and acknowledge the sanctions policy.
Information system activity review. Develop formal requirements for logging systems activities related to ePHI access and processing. All system actions and respective outcomes must be logged. The logs must be securely stored and retained to support future investigations. Develop a formal process for monitoring logs for suspicious activities related to ePHI access. Identify critical systems and activities that should be monitored. Assign process owners and responsibilities for the reviews.
Identify the security official responsible for developing and implementing policies and procedures required by HIPAA Security Rule. It may be either a separate dedicated role or a Chief Information Security Officer (CISO). The main requirement here is to ensure that the individual fulfilling the role has sufficient knowledge and experience to manage the HIPAA compliance program.
Read more on how to hire the right CISO in our blog.
Authorize and supervise employees working with ePHI.
Authorization and supervision. Document all access roles in accordance with the access needs associated with each position. For instance, a claims processor might necessitate read-only access to ePHI, whereas a claims adjustor might require higher-level access privileges. Likewise, a claims processor might only need access to claims pertaining to a particular geographic region or business segment.
Conduct periodic reviews of documented access roles. As job responsibilities, business processes, and technologies change, so do the access requirements. Finally, maintain an inventory of all systems, applications, and databases that contain ePHI as well as a list of all workforce members and third parties with access to ePHI. This is necessary for managing access, conducting risk assessments, and investigating security incidents.
Workforce Clearance Procedure. Establish a process for conducting background checks for all new hires, employees, and contractors. Depending on the roles, some positions may necessitate a basic background check, while others with greater access privileges may require more comprehensive background screening.
Termination. Establish a formal process for immediately terminating ePHI when a workforce member leaves the company. Document all termination requests in a system of record.
Employees must be aware of the policies and procedures governing access to ePHI. To achieve this, introduce training programs to address ePHI data handling, malicious software, password management, log-in monitoring, and overall company’s security and privacy policies and procedures. It is highly important to require all workforce members to complete the mandatory training prior to providing them with access to ePHI. Provide periodic security reminders by sending periodic emails, posters placed throughout the office space, all-hands meetings, etc.
Create a procedure for responding to potential ePHI data breaches, including the maintenance of a list containing relevant internal and external contacts that may need to be notified.
Record all security incidents including the incident details, the remediation and investigation steps, the outcomes, the individuals involved, and the overall impact on the confidentiality, integrity, and availability of ePHI.
Establish a process for conducting at least annual security incident response plan tests. Beyond validating the plan itself, these tests help enhance the readiness of the incident response team members in handling security incidents.
Establish policies and procedures for responding to business disruptions such as data corruption, system failure, natural disasters, etc.) that damage systems that contain ePHI. These include data backup plans, disaster recovery plans, and emergency mode operation plans. Ensure these plans are tested periodically to ensure reliability.
Conduct periodic evaluations of your people, processes, and technologies for compliance with HIPAA requirements. Such reviews may combine technical and non-technical compliance reviews to ensure the Security Rule requirements are met.
Identify all third-party service providers that have or may have access to ePHI and ensure that a BAA is signed with each third party. Establish a process for managing your third-party vendor risks. This may include conducting risk assessments of third-party vendors or reviewing their independent audit reports and certifications such as SOC 2 and HITRUST periodically.
Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience working in the healthcare industry who can help with addressing all HIPAA requirements. A typical approach to our HIPAA compliance services consists of the following process:
Depending on the client’s internal resources’ expertise and availability, Planet 9 can implement the entire road map, position the client to execute the road map on their own or supplement the client’s team.
You can also utilize the Planet 9 HIPAA Vitals application. The HIPAA Vitals assessment is based on several reputable sources including the Office of Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and years of experience implementing HIPAA requirements in different organizations by our professionals. The assessment scope is driven by the technical profile and other factors specific to the organization.
To stay updated on the recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!