What Your Security Risk Assessment Might Uncover: Why Your Server Set-Up Matters

HIPAA regulations set national privacy and security standards. These standards are fundamental to protecting your office from data breaches and HIPAA violation fines.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

The HIPAA Security Rule requires covered entities (CEs) to perform a security risk analysis as part of their security management process, so that they can implement policies and procedures to prevent, detect, contain, and correct security violations. It is best practice to run a HIPAA Security Risk Assessment annually, since the Security Rule also requires CEs to establish a plan for periodic technical and nontechnical evaluation of their policies and procedures, especially in response to environmental or operational changes that can affect the security of electronic protected health information (e-PHI).

As part of your annual HIPAA Security Risk Assessment, we perform a technical evaluation of your security infrastructure. If your server is set up in a workgroup rather than a domain environment, we are unable to assess your full network (that is, the surrounding workstations). As a result, our risk assessment cannot appropriately determine whether you have, and apply, reasonable and appropriate controls across your full network.
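The practical difference is that a domain provides a central directory of workstations that an assessor can enumerate and query in one pass, while a workgroup does not. The following PowerShell script is an added illustration, not part of the original article or the assessor's own tooling; it assumes the RSAT ActiveDirectory module on the assessing machine, WinRM enabled on the workstations, and an account permitted to run remote commands, and the three safeguard checks it collects are assumptions chosen as examples.

```powershell
# Added example: shows why a domain-joined network can be inventoried and
# checked centrally, while a workgroup has to be assessed host by host.
# Assumptions: RSAT ActiveDirectory module, WinRM enabled on workstations,
# and an account allowed to run Invoke-Command against them.

function Get-AssessmentScope {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        # Domain: Active Directory is the authoritative list of workstations.
        Import-Module ActiveDirectory
        $names = (Get-ADComputer -Filter *).Name
        [pscustomobject]@{ Mode = 'Domain'; Scope = $cs.Domain; Hosts = $names }
    } else {
        # Workgroup: no directory to query, so there is no central inventory;
        # every workstation must be listed and visited individually.
        [pscustomobject]@{ Mode = 'Workgroup'; Scope = $cs.Workgroup; Hosts = @() }
    }
}

# Safeguard indicators collected per host (which checks to include is an
# assumption here; these are three common technical safeguards).
$checks = {
    $fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    $bl    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $patch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        FirewallAllOn    = (@($fwOff).Count -eq 0)
        OSDriveEncrypted = ($bl.ProtectionStatus -eq 'On')
        LastPatchDate    = $patch.InstalledOn
    }
}

$scope = Get-AssessmentScope
if ($scope.Mode -eq 'Domain') {
    # One pass over every workstation the directory knows about.
    Invoke-Command -ComputerName $scope.Hosts -ScriptBlock $checks -ErrorAction Continue |
        Select-Object Host, FirewallAllOn, OSDriveEncrypted, LastPatchDate | Format-Table
} else {
    Write-Warning "Workgroup '$($scope.Scope)': no central inventory; run these checks on each workstation separately."
    & $checks | Format-Table
}
```

In the workgroup branch the script can only report on the machine it is run from, which is exactly the gap the assessment cannot close remotely.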

Please note that the Security Rule requires CEs to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI; therefore, you must decide whether setting up your network as a domain is reasonable and appropriate for your practice. However, in order to perform a full network assessment, we strongly urge you to set up your network as a domain, so that you are able to assess whether your safeguards prevent, detect, contain, and correct security violations.

As an alternative to setting up your server on a domain, you should have a local IT professional assess each individual workstation. The IT professional would need a working knowledge of all the HIPAA regulations and possess the required tools to accomplish the HIPAA-required tasks on each workstation. It is estimated that a proper assessment would take approximately one hour per workstation.