One of the biggest and most damaging myths around HIPAA is the myth that compliance with the Security Rule could be anything other than a process that is centered around your practice and is always ongoing.
Specific red herrings that threaten our ability to do HIPAA security the right way include:
- The idea that we must identify and use “HIPAA compliant” products.
- The idea that a product even can be “HIPAA compliant.”
- The idea that HIPAA compliance is something that is either “done” or “not done,” rather than being an ongoing process. In fact, you have both the freedom and the onus to approach it like a marathon rather than a sprint.
- A belief that security for our clients and our practices is a requirement imposed from outside of us and is not part and parcel of our already existing standards of professional practice. That is, the requirement to comply with HIPAA starts to feel akin to paying business taxes, rather than being an extension of our duty of fidelity towards clients and the community.
Here I would like to lay out a simplified, chunked-down look at the process of compliance with the HIPAA Security Rule. Note that this is our model for looking at it, and not a model described in the law or official guidelines — although it includes all those things and is quite similar to some guidelines (Department of Health and Human Services, 2005).
This is also specifically a look at the Security Rule. This does not address the Privacy Rule, which is a portion of HIPAA that most HIPAA trainings cover in detail.
I’ll describe a 3-step workflow of setting up a HIPAA Security compliance process and tell you about maintaining it afterwards.
1) Perform an “accurate and thorough” risk analysis.
Risk Analysis isn’t something that HIPAA made up — it’s well studied and documented in the academic literature of security professionals (Stewart, J.; Chapple, M.; Gibson, D., 2015). It’s the first step in any security process, and involves seeking out and assessing the current risks to the information you keep in your practice.
The fact that HIPAA mandates this process (and the process in step 2) means HIPAA also mandates that we use risk management as our model for conceptualizing and following through on security and privacy in our practices.
Risk analysis is closely analogous to performing a community needs assessment. It should be as objective as you can manage and should purely be information gathering — no fixing or changing happens at this step.
Also like a community needs assessment, it must be holistic and take into account the needs of all stakeholders (e.g. clients, clinicians, and staff.)
Finally, it must be thoroughly documented or it’s of no use to you — how can you holistically examine needs if you’re trying to just remember it all in your head?
This documentation later serves as the documentation that the Feds would require you to submit in the unlikely event of a HIPAA audit.
There are a couple of resources available for performing risk analysis:
- The Department of Health and Human Services (“HHS”) has a very well-written guidance series to help small practices with these three steps we describe, including risk analysis: Security Rule Educational Paper Series
- The ONC (the tech people at HHS) has a tool for performing a risk analysis, although it is entirely focused on the Security Rule standards. That means it can help you be compliant, but may be very difficult to use without technical guidance (we often provide such guidance in weekly Office Hours for our Person-Centered Tech Support subscribers.) Because it is focused only on compliance, it may not contribute as much to your practice’s actual security as would a risk analysis done with a consultant. The ONC Security Risk Assessment Tool.
2) Make a risk management plan
Once again, we can return to the analogy of the community needs assessment.
Once the assessment is done and we have the holistic big picture of what is needed, then we can begin the work of finding ways to meet those needs.
In a risk management plan, you look for risk management measures to address the unacceptably high risks you discovered in step 1. You then consider which measures are best and document your final decisions.
Once again, that documentation is what the Feds want you to have as part of compliance.
Risk management measures can be as obvious as putting passwords on computers and smartphones, or as obscure as creating policies that spell out what kinds of websites you’re not supposed to visit on your work computer (because you increase the risk of getting computer viruses if you’re not mindful of what sites you’re visiting.)
3) Create a policies and procedures “manual”
Once you do steps 1 and 2, it should start to emerge for you that a lot of your risk management measures center around behaving in certain ways and describing certain standards for your practice’s people and equipment.
For example, you may read our article about managing the risks in using email with clients. Then while working on your risk management documents, you realize that you need a plan for how you go about discussing email with clients and what kinds of paperwork you want to give them for your email-using process.
This is you coming up with consistently and intelligently applied “good habits” and “good ideas” for how to keep your clients safer — without unnecessarily restricting your ability to provide the care they need from you.
What HIPAA wants you to do is take those “good habits” you thought up and write them out in steps. Then you add those written procedures to your “manual.”
HIPAA also defines a certain set of standards that you’re required to address in your manual.
The HIPAA Security Rule’s Standards
The HIPAA Security Rule has a set of standards that all practices must meet as part of the compliance process. You may have seen these standards if you’ve ever looked at a document meant to help you comply with the Security Rule. They are quite technical, and it can be overwhelming to look at them in a big, official list.
Don’t panic, though! While they are worded and presented very technically, most of them can be addressed with good sense and the occasional consultation with an expert. For example, we have discussed them many times in Office Hours sessions for our Person-Centered Tech Support service.
The standards are split into Administrative, Physical, and Technical “safeguards.”
The Administrative Safeguards include things like policies that anyone working for your practice must follow, among other organizational management things.
Physical safeguards are things that cover the security of the physical sites where your work is done (e.g. your office, and possibly your home if you keep any practice-related information or resources there.)
Technical safeguards are things you must do with electronic equipment and software. This section is where we find standards for things like encryption, passwords, anti-virus software, and the like.
A very HIPAA-friendly risk analysis will include an exploration of how well you currently comply with all the standards. Many argue that only focusing on the standards doesn’t provide as much help as we might like with actually making our practices more secure, however.
The contents of your policies and procedures manual certainly should meet all the standards regardless of what other security measures you choose to take in your risk management plan.
The “Ongoing” Part of the Steps
After the three steps, compliance is mostly about keeping up with the policies you’ve written, documenting the good work you do, and occasionally revisiting the three steps to see what changes you need.
When and how do you revisit them? Well, one of the Security Rule standards requires you to have a policy where you decide on an answer to that question (and document your decision.) Are you sensing a trend yet?
The best practice at this moment is to revisit all three steps in some kind of reduced form every year. If you haven’t changed much about your practice, the yearly revisit should be much, much smaller and less time-consuming than the initial run through the steps.
If you make an especially big change to your practice, however, you’ll need to revisit the risk analysis at about the same time that you make the change. Once again, one of the Security Rule’s standards requires you to come up with a procedure for deciding what kinds of changes call for a revisit of the risk analysis and how you’ll go about doing that revisit.
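To make steps 1 and 2 and the ongoing revisit concrete, here is a small risk register written for this article as an added example; it is not code from the article, from HHS, or from the ONC tool. The sample risks are constructed for illustration, and the low/medium/high scale, the “likelihood times impact” score, and the cut-off for what counts as “unacceptably high” are assumptions of this example, not anything the Security Rule specifies. What it does follow from the text: step 1 only gathers and ranks, step 2 records a documented decision for every unacceptably high risk (and refuses to proceed if one is missing), the written output is the record you would hand over, and the review date comes back around yearly or immediately after a big change to the practice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Ordinal scale for likelihood and impact. The scale and the cut-off below are
# assumptions for this example; the Security Rule only requires that risks be
# assessed and documented, not how they are scored.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_SCORE = 2  # anything scoring above this is treated as "unacceptably high"


@dataclass
class Risk:
    asset: str        # where client information lives or travels
    threat: str       # what could go wrong with it
    likelihood: str   # low / medium / high
    impact: str       # low / medium / high
    stakeholders: list = field(default_factory=list)  # who is affected (clients, clinician, staff)
    measure: str = ""    # filled in during step 2, never during step 1
    rationale: str = ""  # why this measure was chosen over the alternatives

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]


# Constructed sample register for a small practice (not taken from the article).
SAMPLE_RISKS = [
    Risk("Practice laptop", "lost or stolen with unencrypted client files",
         "medium", "high", ["clients", "clinician"]),
    Risk("Email with clients", "messages read by a third party in transit or on a shared device",
         "medium", "medium", ["clients", "clinician"]),
    Risk("Paper intake forms", "left out in an office that is not locked",
         "low", "high", ["clients", "staff"]),
    Risk("Work computer", "malware picked up from unsafe browsing",
         "medium", "low", ["clinician", "staff"]),
]


def risk_analysis(risks):
    """Step 1: rank every identified risk, highest first. Nothing is fixed here."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def unacceptable(risks):
    """The subset that step 2 must address."""
    return [r for r in risk_analysis(risks) if r.score() > ACCEPTABLE_SCORE]


def risk_management_plan(risks, decisions):
    """Step 2: record the chosen measure and its rationale for each unacceptable risk.

    `decisions` maps asset -> (measure, rationale). A missing decision is an
    error on purpose: an unaddressed high risk is what the plan exists to catch.
    """
    planned = []
    for r in unacceptable(risks):
        if r.asset not in decisions:
            raise ValueError(f"no documented decision for unacceptable risk: {r.asset}")
        r.measure, r.rationale = decisions[r.asset]
        planned.append(r)
    return planned


def next_review(last_review: date, big_change: bool = False,
                today: Optional[date] = None) -> date:
    """Ongoing part: revisit yearly, or right away after a big change to the practice."""
    today = today or date.today()
    return today if big_change else last_review + timedelta(days=365)


def render(risks) -> str:
    """The written record: this text is the documentation an audit would ask for."""
    lines = ["asset | threat | likelihood x impact = score | measure | rationale"]
    for r in risk_analysis(risks):
        lines.append(f"{r.asset} | {r.threat} | {r.likelihood} x {r.impact} = {r.score()} | "
                     f"{r.measure or '(accepted as-is)'} | {r.rationale}")
    return "\n".join(lines)


if __name__ == "__main__":
    decisions = {
        "Practice laptop": ("Turn on full-disk encryption and require a login password",
                            "Built into the operating system; protects the files wherever the laptop goes"),
        "Email with clients": ("Written email policy plus an informed-consent handout for clients",
                               "Keeps email available to clients while making the risks explicit"),
        "Paper intake forms": ("Locked cabinet; forms never left on desks overnight",
                               "Low cost, and a habit staff can follow without training"),
    }
    risk_management_plan(SAMPLE_RISKS, decisions)
    print(render(SAMPLE_RISKS))
    print("next review due:", next_review(date(2024, 1, 15)))
```

The `__main__` section shows the whole loop once: analyse, decide, write it down, and set the next review date. Re-running `render()` after the yearly revisit, with any new or re-scored risks added to the register, gives you the much smaller annual update the article describes.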
Policies and procedures need not be written in legalese or follow a specific format. The target to aim for is a manual that works for you, is understandable to others, provides a good balance of security and functionality for clients and any staff you may have, and addresses the things HIPAA requires you to address.