This is the eighth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. Its implementation specification is embodied in the language of the standard itself, and it is required of covered entities. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010, as provided for in the HITECH Act provisions of the American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009.
What is Required
Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of Security Standards for the Protection of Electronic Protected Health Information.
Periodically evaluate the covered entity’s technical and non-technical security policies and procedures.
What This Means for the Covered Entity
The covered entity must be proactive in analyzing risks to electronic protected health information and its business operations as those risks and its business environment change. For example, if a covered entity upgrades its electronic hardware from a single workstation to multiple workstations on a network, its risk profile likely will change. Regular evaluation and vigilance are key attributes of risk mitigation.
A covered entity should evaluate its security policies and procedures at least annually and whenever it experiences a change in its electronic systems or their configuration. The goal is for the covered entity to consistently maintain acceptable levels of risk related to the safeguarding of electronic protected health information, based on the covered entity’s own evaluation of risks. If the covered entity determines that levels of risk are not acceptable, it is required to initiate changes to achieve acceptable levels of risk.
What to Do
A covered entity must decide how it will perform its evaluation responsibilities under the Security Rule. It could do the evaluation internally or outsource that responsibility to a third party business associate, such as an accreditation entity.
How to Do It
The covered entity’s Security Official should prepare an evaluation plan. The plan format can be based on the risk analysis format used in the initial required risk assessment. This format also can be used for subsequent evaluations of risk exposures and changes in risk due to changes in electronic systems or business operations.
For an internal evaluation, the Security Official can create an evaluation committee of workforce members and assign evaluative tasks and functions to key committee members, with scheduled reviews to ensure compliance with the Security Rule evaluation standard.
The preamble to the final Security Rule recognizes that cost may be a consideration in how a covered entity chooses to evaluate its protection of electronic protected health information. This may be an important consideration for relatively small covered entities, but it does not eliminate the requirement to comply.
An important resource for the covered entity to use in its internal evaluation, or to recommend to a third party business associate for use in an external evaluation, is from the National Institute of Standards and Technology (NIST): An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST Special Publication 800-66, Revision 1, October 2008.
Remember, acceptable levels of risk in one covered entity may be unacceptable in another covered entity. Hence, evaluation underpins the initial risk analysis and ongoing assessment of risks, and is the means for a covered entity to ensure that it safeguards its electronic protected health information at an acceptable risk level.