New tool helps EHR users assess HIPAA compliance

The National Institute of Standards and Technology (NIST) has developed a new software application downloadable for free to help covered entities and others determine if they're meeting HIPAA's security requirements.

The new application is a self-assessment tool that identifies areas where security safeguards for electronic protected health information (ePHI) may be needed or improved. HIPAA's security rule requires organizations to protect ePHI created, received, used or maintained by a covered entity, using technical, physical, administrative, and organizational safeguards, such as passwords, firewalls, access control and employee discipline policies.

Since all of the information in an electronic health record is ePHI, the tool can help protect the data in an EHR, as well as help EHR users comply with the HIPAA security rule. Conducting a risk assessment of the security of the ePHI, itself a HIPAA security rule requirement, is also a critical component of meeting the Meaningful Use requirements under the EHR incentive program.

The tool, which was developed with funds from the 2009 American Recovery and Reinvestment Act, uses a dashboard and outlines 984 questions, addressing the 45 implementation specifications in the security rule covering the safeguards as well as the policies and procedures organizations should have to protect the data. The questions, which are rather detailed, include:

  • Does your organization record each time ePHI is viewed, modified, deleted or created in an audit tool to support audit and other business functions?
  • Has your organization inventoried your electronic tools for automatic log off capabilities?
  • Has your organization developed a training schedule for your risk management program?
  • Has your organization developed and implemented policies and procedures that address the disposal of ePHI and/or the hardware?

To learn more:
- here's the press release
- read the HIPAA Security Rule Toolkit user guide (.pdf)