HIPAA compliance requires a continuous and thorough evaluation of organizations’ capability to comply with the requirements and address changes. Learn how HIPAA Vitals may help.
Organizations subject to the HIPAA Security Rule strive to protect the confidentiality, integrity, and availability of ePHI by applying the required standards. In our previous articles, we have already discussed the main Security Rule Standards in general terms and described the HIPAA Risk Assessment process. This article is dedicated to the Evaluation Standard because it helps establish the extent to which an entity’s security policies and procedures meet the requirements of the HIPAA Security Rule.
As stated in the HIPAA Security Rule, the Evaluation Standard requires covered entities to: “Perform a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of ePHI. Evaluation establishes the extent to which an entity’s security policies and procedures meet the requirements of the Security Rule.” The main purpose of the compliance evaluation is to ensure that the covered entity maintains its security policies, procedures, and technical safeguards reasonably and appropriately. Furthermore, evaluating current and possible future changes in the covered entity’s operations and environment raises confidence that the security of ePHI is not compromised. Therefore, the compliance evaluation is not limited to demonstrating HIPAA Security Rule compliance; it also helps organizations prevent and address security-related threats that are often hidden behind environmental or operational changes.
The first step for achieving compliance with the Evaluation Standard is designing a comprehensive Evaluation Program that would address possible policies and changes unique to each organization. Commonly, the organization’s Evaluation Program includes three main components: initial evaluation, continuing evaluation, and periodic evaluation. Particular attention should be given to re-evaluation as an essential means to ensure continuous evaluation. Each of these components validates if the covered entity conducts its operations in a compliant and secure environment which the HIPAA Security Rule requires.
Preparation for HIPAA Security compliance is a complicated and time-consuming process, so it is worthwhile to validate that these efforts were successful and to develop a baseline for future compliance evaluations. The initial evaluation involves reviewing the policies, procedures, and technological safeguards the organization already has in place to satisfy the HIPAA Security Rule requirements. By conducting a thorough review of operations and assessing the areas responsible for maintaining the technical safeguards, organizations can evaluate their compliance and create a baseline for future evaluations.
Continuing evaluation for compliance maintenance is the second activity that starts once the organization performs the initial evaluation. In this step, the covered entity must assign authorized individuals to critical processes associated with technological and operational changes. Individuals accountable for this activity should be key players in the organization’s change management processes.
Continuing evaluation is essential for a comprehensive Evaluation Program because it allows systematic reviews of changes that affect ePHI security. These may include any technical (hardware, software, media), environmental (physical location, facilities), or operational (people, processes) changes that might negatively affect the security of ePHI. For instance, to respond to ongoing technological demands and increase business efficiency, covered entities often decide to incorporate new technologies into their operations, such as moving their assets to the cloud or replacing their hardware or software with more efficient alternatives. When doing so, covered entities are required to re-evaluate the new technological, physical, and operational environments to ensure that ePHI remains appropriately protected and to confirm their HIPAA compliance.
Other factors that may trigger a re-evaluation of the organization’s security safeguards include but are not limited to:
Evaluating all environmental or operational changes gives the covered entity a good opportunity to reduce the associated risks to reasonable levels and to confirm its HIPAA compliance efforts.
Finally, in addition to the previous evaluation steps, organizations should complete periodic evaluations on a regular schedule. Such evaluations ensure that any changes in the organizational environment since the last evaluation have not compromised its HIPAA compliance. Periodic evaluations are also necessary to check whether the existing security measures remain strong enough to ensure the confidentiality, availability, and integrity of ePHI. The changes that occur within the organization may be technical or non-technical, as they relate to technological and physical environments as well as business operations. As already mentioned, the periodic evaluation uses the baseline information and evaluates all changes that may have affected the organization’s security.
Compliance evaluation may be performed either internally or with external help. Covered entities are free to decide which option is more suitable based on their resources and operational capacity. To help organizations with their compliance evaluation efforts, Planet 9 offers an effective solution: the HIPAA Vitals application. Besides compliance evaluation, HIPAA Vitals also helps address ePHI security issues related to policies, procedures, and controls. Based on reputable sources such as the OCR Audit Protocol, NIST 800-66, and the HIPAA Security Series, as well as the years of expertise and experience of our professionals, HIPAA Vitals is an effective tool for maintaining HIPAA compliance. To complete a compliance evaluation, simply create an account, respond to the questionnaire, and review the identified compliance gaps and recommendations.
As with the risk assessment requirement, the compliance evaluation process does not have distinct compliance criteria. Each organization is encouraged to create a list of compliance guidelines that are most suitable for its environment. The following activities are among the best practices that organizations implement to maintain compliance with the Evaluation Standard. To perform an appropriate compliance evaluation, covered entities should:
In conclusion, the compliance evaluation process allows covered entities to remain ready to maintain security and compliance in a dynamic and constantly changing environment. The HIPAA Security Rule provides a flexible approach to performing the compliance evaluation, and Planet 9 has developed a helpful tool for making this process easier. Organizations should therefore choose the guidelines and criteria that are relevant to their own environment and operations.