Healthcare organizations of all sizes must remain diligent in keeping themselves HIPAA compliant, especially when it comes to technical, physical, and administrative safeguards. Data breaches can occur in a variety of ways, which is why facilities need to ensure that their policies are current and secure.
As technology continues to evolve, and healthcare facilities may adjust their daily operations in order to properly implement new systems, it is important to remain aware of the basics of HIPAA and its types of safeguards. HealthITSecurity.com decided to review the key features of administrative safeguards, and what healthcare organizations can do to prevent data breaches and keep patients’ protected health information (PHI) secure.
What are administrative safeguards?
According to the Department of Health and Human Services HIPAA Security Series, the administrative guidelines were put in place “to protect the privacy and security of certain health information, and promote efficiency in the healthcare industry through the use of standardized electronic transactions.”
Essentially, these are administrative actions, policies, and procedures designed to manage the selection, development, implementation, and maintenance of security measures. These security measures protect electronic protected health information (ePHI) and also manage the conduct of a covered entity’s workforce when it comes to protecting the ePHI.
“In general, these are the administrative functions that should be implemented to meet the security standards,” explained the HIPAA Security Series. “These include assignment or delegation of security responsibility to an individual and security training requirements.”
Additionally, administrative functions include the policies and procedures that are required for the management and execution of security measures. These include performance of the security management process, assignment or delegation of security responsibility, training requirements, and evaluation and documentation of all decisions, according to HHS.
HHS also explained that several factors must be considered when a healthcare organization is developing its administrative safeguards. For example, a covered entity’s size, complexity, and capabilities, along with its technical infrastructure, have to be weighed. Moreover, the costs of security measures and the probability and criticality of potential risks to ePHI must be considered.
When healthcare organizations implement administrative safeguards, they need to put policies and procedures in place to prevent, detect, contain, and correct security violations. Additionally, these facilities need to conduct proper risk assessments to guarantee they have administrative safeguards in place.
Why are they important?
HIPAA administrative safeguards work hand-in-hand with technical and physical safeguards. Security technology can only go so far without the right policies, and proper documentation is necessary for those organizational policies to have any weight.
For example, healthcare organizations need to know whether there are policies and procedures in place for security, and whether there is a formal (documented) system security plan. It would also be important to know whether a facility has a formal contingency plan and whether there is a process for communicating policies and procedures to affected employees. Lastly, administrative safeguards establish whether policies and procedures are reviewed and updated as needed.
The importance of a risk analysis
A lack of proper risk assessments can prove detrimental to a healthcare organization. Phase 2 of the HIPAA audits might have been delayed, but that does not mean that covered entities should indefinitely put off developing the necessary safeguards.
The OCR will look for a periodic risk analysis and evidence of compliance, along with documentation showing that policies and procedures are in place. For example, if the OCR examines a facility’s sanction process during a comprehensive audit, it will help if the organization can show instances where it has actually sanctioned people. Having those policies updated and in place will be valuable for the HIPAA audits.
Without a risk analysis, covered entities won’t know where they stand on security, which leaves both privacy and security exposed. Healthcare organizations need to take a comprehensive look at risk and do so periodically. From there, it will be easier to examine all of the different areas of risk and the different types of information leaving the organization. Moreover, healthcare facilities can better keep track of new technology coming into the organization.
HHS has also handed out numerous fines over the past year because healthcare organizations have not had proper risk analyses or policies. However, having administrative safeguards in place in combination with other safeguards will make it easier for employees at all levels to both prevent and react to a health data breach.