
HIPAA Security Management Process: 4 Steps to Administrative Compliance

Protecting electronic protected health information (ePHI) requires organizations to follow strict administrative safeguards under the HIPAA Security Management Process. These safeguards give teams a structured way to identify risks, make decisions, and take action to keep ePHI secure. These four required steps help covered entities and business associates meet their HIPAA Security Rule obligations.

What does HIPAA require from organizations that handle electronic health information?

HIPAA requires covered entities and business associates to follow security standards that protect ePHI across their systems.

The protection of health information has been a national concern for decades. Everyone wants to know that when they see the doctor, go to the hospital, or visit a clinic, the details of that visit will be kept secure. Most individuals would be concerned if their private health records were in the hands of someone other than who they intended.

These concerns have grown into security standards for health information mandated within the Health Insurance Portability and Accountability Act ("HIPAA") of 1996, and the regulatory requirements have continued to expand since the beginning of the 21st century. To see how regulators define these safeguards, review the U.S. Department of Health & Human Services guidance on HIPAA Security Standards.

Within HIPAA, organizations that manage Electronic Protected Health Information ("ePHI") are identified as covered entities and business associates ("entities"). The HIPAA security regulations require the entities handling these electronic records to comply with the Security Standards in 45 CFR § 164.306.

The Security Standards (sometimes referred to as the HIPAA Security Rule) contain the following primary components:

  • § 164.308 Administrative safeguards.  
  • § 164.310 Physical safeguards.  
  • § 164.312 Technical safeguards.  
  • § 164.314 Organizational requirements.  
  • § 164.316 Policies and procedures and documentation requirements.  

Why is the HIPAA Security Management Process important?

The Security Management Process provides the required structure for identifying, evaluating, and responding to risks to ePHI.

If your organization is a newly covered entity or business associate, it's crucial to understand and complete the HIPAA Security Management Process.  

Even if your organization has been subject to these regulations for a long time, continuous monitoring and ongoing assessment requirements can take significant time and resources.  

You can explore how these requirements fit into a broader compliance framework in our overview of Governance, Risk, and Compliance (GRC).

What steps make up the HIPAA Security Management Process?

The HIPAA Security Management Process contains four required steps:  

  1. Risk Analysis
  2. Risk Management
  3. Sanction Policy
  4. Information System Activity Review

Step 1: What is the HIPAA Security Risk Analysis?

The HIPAA Security Risk Analysis is the first step in the Security Management Process.

Covered entities and business associates must ensure they are securing all ePHI created, transmitted, received, maintained, and stored.  

Outlined within the HIPAA Administrative Safeguards is a Security Management Process detailing the regulatory steps to help achieve compliance with the Security Rule, 45 CFR § 164.308(a)(1)(i)-(ii).

The HIPAA Security Risk Analysis ("SRA") requires entities who hold ePHI to perform an assessment, 45 CFR § 164.308(a)(1)(ii)(A), of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI across all information systems.

The assessment is the first step of the Security Management Process.  

Risk Assessment  

The scope and completion of the Risk Assessment are defined by the size and complexity of the entity. The assessment should identify how the entity manages security risks throughout the organization.  

An in-depth review includes identifying and gathering data, policies, and processes; performing vulnerability scans; and understanding the organization's dependence on external systems and vendors.

Guidance from the Office of the National Coordinator for Health Information Technology (ONC) breaks the SRA into several sections.  

These include an in-depth review of:  

  • Security Policies, Procedures, and other Documentation  
  • System User Access  
  • Workforce training  
  • Data  
  • Physical Security  
  • Vendors  
  • Business Continuity Plans  
  • Continued Risk Assessment  

After the completion of the assessment, there should be documentation of how the organization manages or mitigates security risks.  

The assessment will provide a roadmap for the entity to update and implement any additional security policies, procedures, and processes to prevent, detect, contain, and remediate potential security risks. Any identification of outstanding issues should have a plan for remediation.  

HIPAA Risk Assessments should be performed periodically (e.g. annually) and when there are modifications to applicable regulations, policies, and procedures. Entities are permitted and often opt to outsource the Risk Assessment to third-party vendors specializing in HIPAA and ePHI security compliance.  

Learn more about the HIPAA Security Risk Assessment.

Step 2: HIPAA Security Risk Management

Risk Management applies the results of the Risk Analysis to reduce risks and support ongoing compliance.

The next step of the Security Management Process is Risk Management.  

A Risk Management Program is a proactive implementation of security policies, processes, and systems designed to sufficiently reduce risk and vulnerabilities to ePHI. The Risk Analysis is a check against the Risk Management Program to determine if it is effective.

Any recommendations from the Risk Analysis should be evaluated and added to a Risk Management Plan. Items on the plan will be reviewed for potential modification, implementation, or mitigation to current processes. Each time there is an updated Risk Assessment, a potential exists for the Risk Management Program to require modification.  

The required implementation for Risk Management is covered in 45 CFR § 164.308(a)(1)(ii)(B).

Step 3: HIPAA Security Sanction Policy

The Sanction Policy defines how the organization responds when workforce members violate security policies related to ePHI.

The entity is required to train and supervise all workforce members on how to follow security policies and procedures when working with ePHI. The third step of the Security Management Process addresses workforce members who violate those policies and procedures: the entity must define what sanctions will apply when a workforce member has violated them. This can include termination of the employee.

Sanction Policy requirements are listed in 45 CFR § 164.308(a)(1)(ii)(C).

Step 4: HIPAA Security Information System Activity Review

The Information System Activity Review outlines how entities monitor access, review audit logs, and identify potential security incidents.

The final step of the Security Management Process is the ongoing evaluation of the Risk Management Program. The entity must develop processes for the continued review of the policies and procedures developed from the Risk Management Program.  

These processes require:

  • Maintaining audit logs
  • Setting review frequency
  • Defining how to detect security incidents

There should also be a policy stating how often the logs are reviewed and a description of how security incidents are detected, as required by 45 CFR § 164.308(a)(1)(ii)(D).

HIPAA covered entities and business associates are required to have continuous monitoring programs in place to identify vulnerabilities and potential risks. Entities are also required to evaluate the effectiveness of the Risk Management Program.  
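As an added illustration (not part of the original post and not Asureti's tooling), the script below applies the three elements above to a constructed ePHI access audit log: it flags after-hours access, exports by departments not permitted to export, and bulk access to many patient records by one user in a day. The log format, department names, and thresholds are assumptions chosen for the example.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample audit log (not from any real system): who accessed which
# patient record, when, from which department, and what they did.
SAMPLE_LOG = """timestamp,user,department,patient_id,action
2024-03-04T09:12:00,nurse01,oncology,P1001,view
2024-03-04T09:15:00,nurse01,oncology,P1002,view
2024-03-04T02:40:00,billing07,billing,P2001,export
2024-03-04T10:05:00,billing07,billing,P1001,view
2024-03-04T10:06:00,billing07,billing,P1002,view
2024-03-04T10:07:00,billing07,billing,P1003,view
2024-03-04T10:08:00,billing07,billing,P1004,view
2024-03-04T11:30:00,drsmith,oncology,P1005,view
"""

# Assumed review policy (hypothetical thresholds, written down so the review
# frequency and detection criteria are explicit rather than ad hoc).
BUSINESS_HOURS = (7, 19)       # accesses outside 07:00-19:00 are flagged
BULK_THRESHOLD = 4             # this many distinct patients per user per day is flagged
EXPORT_ALLOWED = {"records"}   # only these departments may export ePHI


def review_audit_log(text, business_hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (rule, user, detail) findings for a reviewer to triage."""
    findings = []
    per_user_day = {}  # (user, date) -> set of patient ids touched that day
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, dept = row["user"], row["department"]
        if not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append(("after_hours", user, row["timestamp"]))
        if row["action"] == "export" and dept not in EXPORT_ALLOWED:
            findings.append(("export_by_unauthorized_dept", user, row["patient_id"]))
        per_user_day.setdefault((user, ts.date()), set()).add(row["patient_id"])
    # Volume check runs after the pass so a day's accesses are counted together.
    for (user, day), patients in per_user_day.items():
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{rule:28} {user:10} {detail}")
```

Each finding is a lead for the reviewer, not a confirmed incident; the documented review policy should say who triages them and how often.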

How does Asureti support HIPAA administrative safeguards?

Asureti supports covered entities and business associates with the time, resources, and consistent review practices needed to operate the HIPAA Risk Analysis and ongoing monitoring through our Managed Assurance solution.

Contact us today to get started with your HIPAA Risk Assessment!