The HIPAA Risk Analysis Required Standard
HIPAA and how it relates to Small to Medium Enterprises (SMEs) that are "Covered Entities". In this post, we'll take a look at Risk Analysis.
The HIPAA standard, in reference to Risk Analysis, states:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity".
Have you identified the PHI within your organization? You need to include items that you create, receive, maintain or transmit.
What constitutes a breach within HIPAA?
"Unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information" (Source: Federal Register, Vol. 74, No. 79).
The term 'reasonably' is not defined further in the act; however, there are exceptions articulated that create other potential issues for healthcare organizations, including:
If the access/use is unintentional or
Made by someone acting under authority of a covered entity (or business associate if access/use etc)...was made in "good faith" and within the scope and course of employment (or other professional relationship with a covered entity)....and such information is not further accessed, used or disclosed
Under these exceptions, your disclosure is allowed.
Another exception covers information that was inadvertently disclosed by someone authorized to access PHI, as long as the PHI is not further accessed, used or disclosed without authorization.
If you are not sure whether it is authorized or not, the 'unintentional' condition could be a basis for argument. But I guess the courts would have to decide if a "reasonable" person would know if authorized or not on further access, use or disclosure.
If you read the rules and regs further, there are additional terms used such as:
"Reasonably Believed"
"Reasonably Appropriate" and
"Without Unreasonable Delay".
So how does all this relate to the non-attorneys doing their job in the world of electronic PHI and IT?
Risk Analysis is a required standard. A solution like ours will find data created and maintained on the network. If items are received later, it will continue to find electronic PHI-type data, which then gets maintained. Transmitted over the network? We've got you covered there, as well.
This is a first analysis of the Transmission Security Standard within HIPAA. Look for more updates on additional regulation in the coming weeks.
Steve Brining, Palisade Systems, Inc.
Data Loss Prevention