Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Risk Analysis
Policy Number: IS-02 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Policy and Privacy Services Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
I. Background and Purpose
Risk analysis is a process that can be used to identify possible threats and vulnerabilities with respect to the security of e-PHI, and to identify possible ways to reduce the associated risk. Once the risk baseline is determined via an initial analysis, the risk management process allows for the application of policy and technology in order to reduce, mitigate or manage the risk. As required by the final HIPAA Security Rule, Drexel University (DU) has conducted a risk analysis and is creating and implementing policies and procedures that are designed to balance its ability to keep electronic protected health information (e-PHI) confidential and true to its source with the availability of e-PHI to support the healthcare process.
Risk Management includes three components:
- Risk Assessment, which is the process to determine level of risks;
- Risk Mitigation, which is the process to decrease the determined level of risks; and
- Evaluation and Assessment, which is the process to monitor and take action to maintain the decreased level of risk.
DU recognizes the importance of risk analysis and risk management functions. As such, it has focused time and resources to develop an effective risk management process involving individuals at all levels of the organization. Risk management validates the effectiveness of a chosen policy and/or solutions in serving to balance the protection of confidentiality of e-PHI with the ability to make it available to support patient care and related health care processes.
The Security Officer together with the Privacy Officer directed the initial risk analysis by following the steps outlined in this policy and procedure.
IV. Risk Assessment
- Gathered documentation related to the current processes safeguarding e-PHI. Information gathered included:
- Administrative Safeguards and workforce policies and procedures relating to electronic information;
- Physical Safeguards or physical measures designed to protect buildings and equipment where information systems are housed;
- Technical Safeguards; and
- Documented flow of protected health information from initial creation, through to use and disposal. This included form and content of all systems, subsystems, databases, and names.
- All information gathered was considered in accordance with the following factors:
- DU's size, complexity, and capabilities;
- DU's technical infrastructure, hardware, software, and security capabilities;
- Costs of security measures; and
- Probability and criticality of potential risks to e-PHI. Potential risks or threats were thoroughly evaluated.
- Determined whether each implementation specification identified in the HIPAA Security Rule is required or addressable. For those implementation specifications that are addressable, DU considered the following:
- DU's special or general risk analysis responses;
- Current measures in place;
- Applicability in size of organization; and
- Cost implementation.
- Documented how DU has chosen to implement each specification or an alternative security measure or whether it has determined it will not implement anything if the specification is not reasonable and appropriate, but the standard can still be met.
- All information gathered will be organized, maintained securely and retained in accordance with DU's documentation policies (at least six years from the initial date of creation or the date when it last was in effect whichever is greater). This includes documentation supporting "further assessment" activities in support of "Addressable" Implementation Specifications.
V. Risk Mitigation
- DU continues to improve the information security posture of its network following a major risk analysis performed in the Fall of 2003.
- DU has migrated to a self-managed network. It has also contracted for a new billing system and electronic medical record system (EMR) to reside on the new network.
- DU has installed building alarms and zone protection.
- DU has established firewalls where appropriate, applied server operating system updates as needed, and added data port security.
- DU logs and tracks authorized and unauthorized access to all parts of its computer network.
- DU's computer system automates paper access to authorized personnel and denies access to unauthorized personnel.
- Physical access to e-PHI is protected by keys, and/or keypad coded alarm systems and monitored at all times.
- The Security Officer continues to perform periodic risk assessments in the context of system installation and software application installation and maintains system corruption and utilization monitoring.
- On an ongoing basis, DU continually evaluates and assesses security risks and makes determinations about appropriate risk management and mitigation functions.
45 CFR §164.308(a)(1)(ii)(A) & (B)
Cross-Reference: IS-01, Access to e-PHI on DU Information Systems
Back to Top