
Guide to Privacy and Security of Electronic Health Information

Sample Seven-Step Approach for Implementing a Security Management Process

[Illustration: Sample Seven-Step Approach for Implementing a Security Management Process, showing the seven main steps and 10 sub-steps.]

Chapter 6 of the Guide [PDF - 569 KB] describes a sample seven-step approach for implementing a security management process consistent with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

As you review the approach, keep in mind that the HIPAA Security Rule requirements are broader in scope than those of the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs (also known as “Meaningful Use” Programs).

Also note that Covered Entities (CEs) and Business Associates (BAs) both have responsibilities under the HIPAA Rules. BAs must comply with the HIPAA Security Rule and Breach Notification Rule as well as certain provisions of the HIPAA Privacy Rule.

Refer to Chapter 6 of the Guide [PDF - 569 KB] for full discussion of the seven steps summarized below.

Step 1: Lead Your Culture, Select Your Team, and Learn

1A. Designate a Security Officer(s)

Your security officer will be responsible for developing and maintaining your security practices to meet HIPAA requirements. The security officer will work with others to protect your patients’ electronic Protected Health Information (ePHI) from unauthorized access.

1B. Discuss HIPAA Security Requirements with Your EHR Developer

Meet with your EHR developer to understand how your EHR can be used in line with HIPAA requirements and the Stage 1 and Stage 2 Meaningful Use requirements. We provide a list of questions you may want to ask your EHR developer [PDF - 649 KB].

1C. Consider Using a Qualified Professional to Assist with Your Security Risk Analysis

Using a qualified professional can often yield quicker and more reliable results than conducting an in-house risk analysis. If you hire a professional, choose one who has relevant certification and direct experience tailoring a risk analysis to a medical practice of your size. You remain ultimately responsible for the risk analysis even if you hire a professional.

1D. Use Tools to Preview Your Security Risk Analysis

Use tools available on the Office of the National Coordinator for Health Information Technology (ONC) and U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) websites. These tools can give you a sense of your practice’s potential shortcomings in Protected Health Information (PHI) security. See the HHS Security Risk Assessment (SRA) Tool and OCR Guidance on Risk Analysis for more help in evaluating your risk level.

1E. Refresh Your Knowledge Base of the HIPAA Rules

Learn about the HIPAA Rules, state laws, and other privacy and security requirements.

1F. Promote a Culture of Protecting Patient Privacy and Securing Patient Information

Privacy and security are best achieved when your office has a culture of confidentiality and PHI protection. Learn more in Chapter 6 of the Guide [PDF - 569 KB].

Step 2: Document Your Process, Findings, and Actions

The HIPAA Security Rule requires you to document your risk analysis and HIPAA-related policies, procedures, reports, and activities. Also, if you are attesting for Meaningful Use, you are required to retain all records that support attestation.

Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)

In the risk analysis process, you assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The findings inform your risk mitigation strategy. A professional can plan and implement your risk analysis, but you will need to oversee the process. See the SRA Tool for guidance.

Step 4: Develop an Action Plan

Using the results from your risk analysis, discuss and develop an action plan. Learn more in Chapter 6 of the Guide [PDF - 569 KB].

Step 5: Manage and Mitigate Risks

5A. Implement Your Action Plan

Your action plan should address all five HIPAA security components. Follow your action plan and support ongoing efforts to identify, assess, and manage risks.

5B. Prevent Breaches by Educating and Training Your Workforce

All of your workforce members — employees, volunteers, trainees, and contractors — need education and training to know how to safeguard patient information. Your training program should prepare them to carry out your HIPAA-related policies and procedures. Reinforce training with reminders. Above all, lead by example.

5C. Communicate with Patients

A multi-pronged communications plan will help you address patient concerns about EHRs and privacy.

  • Inform patients that you place a priority on maintaining the security and confidentiality of their health information.
  • Address patients’ health information rights.
  • Educate patients on how their health information is used and how it may be shared outside your practice.
  • Follow your policies and procedures in notifying affected patients and caregivers when a breach of unsecured PHI occurs.

5D. Update Your BA Contracts

Update all your Business Associate (BA) agreements to comply with the HIPAA Privacy, Security, and Breach Notification Rules. OCR offers sample BA contract provisions.

Step 6: Attest for Meaningful Use Security-Related Objective

You can register for the Meaningful Use Programs anytime, but to attest, you must meet the Meaningful Use requirements for an EHR reporting period. So, only attest after you have conducted your security risk analysis (or reassessment), corrected any identified issues, and documented those changes.

Step 7: Monitor, Audit, and Update Security on an Ongoing Basis

The HIPAA Security Rule requires that you have audit controls in place and are able to review the records they produce. Have your security officer, Information Technology (IT) administrator, and EHR developer work together so your system’s monitoring and audit functions are active and configured to your needs. Set up your EHR to maintain an audit log recording who accessed your patients’ ePHI, what was accessed, and when, where, and how it was accessed.

This Guide is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this Guide.