Cyber insurance provides a way to address the residual risk in your information security program by offsetting the costs of a breach of ePHI. However, individual policies, coverage, and exclusions vary widely, so, just like any other security control, you need to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment such as a HIPAA Security Risk Analysis should be the first step in any insurance strategy. Here's why: A) you will have to do it anyway, B) the safest approach is to avoid a breach in the first place, and C) your risk profile will enable a better tailored policy.
If protecting the integrity of patient health care information were not already sufficient incentive to improve IT security, HIPAA compliance comes with additional perks for most providers. The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provide financial incentives to eligible professionals and hospitals that demonstrate meaningful use of certified EHR technology, and one of the core objectives they must attest to is built directly on the HIPAA Security Rule.
The core objective of “Protect Electronic Health Information” complements the foundation laid by the HIPAA Security Rule, which defines the administrative, physical, and technical safeguards an organization must have in place. Here is a breakdown of the Stage 1 and Stage 2 requirements of this core objective:
Stage 1 requires that, for every program year, eligible professionals, eligible hospitals, and critical access hospitals conduct or review a security risk analysis and implement the updates needed to remediate any deficiencies it identifies.
- The security risk analysis must be conducted in accordance with the administrative safeguards under 45 CFR 164.308(a)(1), the security management process standard. This covers risk analysis, risk management, a sanction policy, and information system activity review, along with the policies and procedures that support them.
In addition to the Stage 1 requirements, Stage 2 mandates that the security risk analysis specifically address the encryption and security of data at rest in certified EHR technology (CEHRT), in accordance with the encryption and decryption implementation specification at 45 CFR 164.312(a)(2)(iv).
- Any deficiencies identified during the security risk analysis, including gaps in encryption of data at rest, must be remediated. Encryption is an addressable implementation specification, so if you determine that it is not reasonable and appropriate in your environment, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate (45 CFR 164.306(d)(3)).
Although every EHR reporting period has a set timeframe (usually 90 days), the Stage 1 and Stage 2 security requirements can be completed at any time during or outside that window; the security risk analysis simply needs to take place between January 1st and December 31st of the reporting year. Keep in mind that a thorough security risk analysis usually takes a significant amount of time, depending on the size of the facility and IT network, so plan accordingly. A major benefit of using Redspin’s HIPAA Security Risk Analysis services is that our process takes 3 weeks from start to finish.
Remember that whether or not you participate in an EHR Incentive Program, a HIPAA security risk analysis MUST BE conducted: it is a required implementation specification of the Security Rule for every covered entity and business associate, and it is the foundation for protecting the privacy and security of your patients’ health care information. Meeting these requirements helps prevent cyber attacks, data loss, and security gaps, giving you and your patients the peace of mind everyone needs.