oandp.com  >  The O&P EDGE  >  Archives   >  August 2003

HIPAA Security and the Administrative Safeguards—Part 1

By Jay Masci

In the last article, we divided the Security Rule standards into four categories: administrative safeguards, physical safeguards, technical safeguards, and organizational safeguards. We then listed all the standards and their implementation specifications, identifying whether they were required or addressable.

In this article we will cover the first administrative safeguard standard in detail and how it will affect your O&P organization.

Security Management Process Standard

The Security Management Process Standard establishes a formal security management process that includes the creation, administration, and oversight of policies to address the full range of security issues and to ensure the prevention, detection, containment, and correction of security violations. Implementation features include: 1) risk analysis, 2) risk management, 3) sanction policy, and 4) information system activity review.

1) Risk Analysis (Required)

Implementation specification: Your organization must conduct an accurate and thorough assessment (a risk analysis) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (PHI).

What it means to your organization: Your organization needs to identify potential risks to electronic PHI, determine whether appropriate security measures have been or need to be taken, and determine what the "relevant losses" would be if those security measures were not in place. Risks include items such as unauthorized uses and disclosures and loss of data integrity. The risk analysis forms the foundation upon which your security activities are built, so your analysis should cover the implementation of all of the other Security standards and the risks each addresses. This will help ensure your organization's compliance with the standards. The risk analysis must be documented, retained for six years, and periodically reassessed and updated as needed.

2) Risk Management (Required)

Implementation specification: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

What it means to your organization: Your organization will need to plan for and manage the implementation and maintenance of the security measures identified in the risk analysis. A formal plan is not required, only documentation of your security implementations, but I believe a formal plan is a basic element that will help your organization implement the Security standards. Your organization should document and retain your risk management plan or your security implementation documents.

3) Sanction Policy (Required)

Implementation specification: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

What it means to your organization: Your organization will need to create a sanction policy for the Security standards. These sanctions can be combined with the Privacy Rule sanctions. As with the Privacy Rule, the type and severity of the sanctions imposed, and the causes for which they are imposed, are determined by your organization. Again, it is mandatory that this policy be documented, retained for six years, and periodically reassessed and updated as needed.

4) Information System Activity Review (Required)

Implementation specification: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident-tracking reports.

What it means to your organization: Your organization will need to document what records of electronic PHI activity are reviewed, and how often, to ensure there have been no security incidents that warrant attention. If you are a smaller organization and you don't currently have access to reports or audit logs, you may want to ask your software vendor to provide these reports for you. Your access reports should also take into consideration the security measures implemented to limit a workforce member's access to electronic PHI. The procedures developed for this implementation need to be documented, retained for six years, and periodically reassessed and updated as needed.

Other HIPAA Security Rule articles can be found in the Related Articles section below.

The article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult with an attorney.

Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.


Related Articles

HIPAA Security and the Organizational Safeguards - April 2004
HIPAA Security and the Physical Safeguards - November 2003
HIPAA Security and the Administrative Safeguards—Part 2 - October 2003
HIPAA and the Business Associate Puzzle - July 2003
HIPAA Security – Required or Addressable - July 2003
Here Comes HIPAA Security - May 2003
HIPAA: How to Handle a Vendor Selling HIPAA Services and Products - April 2003
HIPAA Privacy: Are You Ready to Comply? - March 2003
