HIPAA Core Policy: Risk Analysis and Management of ePHI

Abstract:
This policy establishes guidelines for ongoing risk analysis and management of ePHI, which will assist in determining the value of assets and the corresponding exposure to threats and vulnerabilities.
Effective Date:
8/22/2012
Responsible Party:
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

1. PURPOSE: To establish guidelines for risk analysis and management of ePHI. Risk management is an ongoing process to determine the value of assets and the corresponding exposure to threats and vulnerabilities. Information produced during the risk assessment will be utilized to determine and manage countermeasures critical for assurance of our ePHI resources.

2. PHILOSOPHY: It is our belief that security of our ePHI resources can only come from an effective risk management program which includes continual assessment and the mitigation of discovered risks.

3. APPLICABILITY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Data Security Officer: A designated individual responsible for the management of information security. Currently both the Campus and the UAB Health System operate data security offices.

4.1.2. Electronic Protected Health Information (ePHI): PHI stored or transmitted electronically.

4.1.3. HIPAA Security Officer: A designated individual responsible for HIPAA-related data security issues.

4.1.4. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or for which there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act or employment records held by a covered entity in its role as an employer.

4.2. Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact on the confidentiality, integrity and availability of information.

4.3. Risk Analysis: An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a UAB Covered Entity.

4.4. Risk Management: The implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

  • Ensure the confidentiality, integrity, and availability of all ePHI the UAB Covered Entity creates, maintains, receives, or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules; and
  • Ensure compliance with the HIPAA Security Rule.

5. STANDARDS:

5.1. Covered entities who maintain or transmit ePHI shall:

5.1.1. Conduct and document a thorough risk analysis a minimum of every two years in coordination with the HIPAA Security Officer and the Entity Security Coordinator.

5.1.1.1. Exceptions to the two-year analysis include:

5.1.1.1.1. Prior to substantial changes in the environment, a risk assessment or impact analysis must be conducted.

5.1.1.1.2. The occurrence of an event or incident warranting the reevaluation of risks requires an immediate risk assessment.

5.1.2. Conduct and document risk analysis, consisting of the following minimal components:

5.1.2.1. Asset inventory,

5.1.2.2. Data criticality analysis,

5.1.2.3. Threat assessments,

5.1.2.4. Determination of risk exposures, and

5.1.2.5. Development of a risk mitigation strategy.

5.1.2.6. Maintain a written record of the analysis/assessment for 6 years.

5.1.3. Submit the risk assessment findings and the mitigation strategy to the appropriate data security office within 30 days of concluding their assessment. The appropriate data security office shall forward a copy of the risk assessment findings to the HIPAA Security Officer.

5.1.4. In collaboration with the appropriate data security office, implement measures to remediate vulnerabilities and sufficiently reduce risk exposure within 90 days of concluding their assessment.

5.1.5. Document the remediation activities.

5.1.6. Submit the risk remediation plan to the appropriate data security office, which shall forward a copy of the mitigation plan to the HIPAA Security Officer.

5.1.7. Provide written exemption or extension requests for any vulnerability that, due to business or technology constraints, they cannot remediate in the allotted time (5.1.4). All such requests must be approved by the appropriate data security office, the HIPAA Security Officer and Risk Management.

5.2. Data produced from the risk assessment shall be kept confidential.

5.3. Violations of these standards may result in disciplinary action, up to and including dismissal.

5.4. Business Associates must comply with UAB standards applicable to the nature of their work with UAB. Business Associates or contractors who do not follow the above standards shall be subject to breach of contract penalties, possible legal prosecution, and other legal remedies/ramifications as available to UAB.

5.5. All business associates shall be required to sign a business associate agreement approved by UAB/UABHS/HSF Legal Counsel.

6. REFERENCES: None.

7. SCOPE: This standard applies to all UAB entities covered under HIPAA and systems that maintain ePHI, and all Business Associates.

8. ATTACHMENTS: None.


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.