
The HIPAA Security Rule created an industry baseline for information security practice. Most healthcare organizations are familiar with the requirements to perform a risk assessment, establish and maintain security policy and procedures, implement appropriate security controls, train staff, and monitor operations in order to mitigate unreasonable risks to the confidentiality, integrity and availability of protected health information.
The HITECH provisions of the American Recovery and Reinvestment Act (ARRA) created additional security obligations. Before HITECH, HIPAA covered entities were only required to mitigate the harm resulting from a security breach. Now they must notify individuals and in some cases the Department of Health and Human Services of the specifics of certain breaches of PHI confidentiality.
Unlike many state laws governing security breaches, the HITECH notification requirement is not absolute. HITECH requires notification only where the likelihood of harm to an individual is significant. The significant individual harm condition means that a covered entity must assess the risk that a security breach poses to the individual whose privacy was violated. This type of risk assessment has a distinctly different character than the enterprise risk assessment mandated by the HIPAA Security Rule. Assessing the risk of individual harm requires a detailed analysis of the breach; limiting the analysis to PHI or to standard IT risk models will not be sufficient. Organizations that fail to properly manage their breach notification activities unnecessarily expose their reputations and lower their credibility with patients and other stakeholders.
HITECH also makes business associates responsible for their own HIPAA Security Rule compliance. While covered entities are still required to conduct due diligence on a business associate before disclosing PHI, business associates must have their own compliance and risk management programs in place. For business associates, the challenge is to apply what has been learned about HIPAA to the limited context in which they receive, process, and transmit PHI. Similarly, healthcare organizations should consider how best to leverage their business associates' compliance activities.
Tunitas Group has a long history with the HIPAA Security Rule, having conducted its first HIPAA readiness assessments just a few months after the release of the August 1998 Security Standards NPRM. We have directly supported the HIPAA compliance activities of over 100 covered entities and business associates. We are a full service security consulting firm experienced and capable of addressing all aspects of health information security. Contact us for information about the following HIPAA security services and products:
Risk and Compliance Assessments & Tools
Breach Identification, Analysis, Response and Notification
Business Associate HIPAA Compliance and Risk Assessment Certification
Tunitas Group consultants are certified information security professionals, holding certifications including CISSP, CISA, GCFA, GCUX, GCIH, CGEIT, MCSE: Security, QSA, ITIL, and COBIT.