Risk Assessment & HIPAA
The requirement for Covered Entities to carry out a HIPAA risk assessment is not a new provision of the Health Insurance Portability and Accountability Act. The requirement was first brought in in 2003 in the original HIPAA Privacy Rule, and subsequently widened to cover the administrative, physical and technical safeguards of the HIPAA Security Rule.
In 2013, the Final Omnibus Rule amended the HIPAA Security Rule and breach notification clauses of the HITECH Act. The new regulations further extended the obligation to conduct a HIPAA risk assessment to Business Associates, and also increased the amount a Covered Entity or Business Associate could be fined for non-compliance with HIPAA legislation.
The Failure to Carry out a HIPAA Risk Assessment Can be Expensive
The extent of fines for non-compliance with HIPAA has historically depended on the number of patients damaged by a breach of protected health information (PHI) and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing that organizations have an obligation to secure PHI.
More recently, the majority of fines have been classified as “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard their patients´ personal data. Many of the largest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – are attributable to groups failing to identify where dangers to the integrity of PHI were present.
However, since the beginning of the second round of HIPAA audits, fines have also been sanctioned for potential breaches of PHI. These are where flaws in an organization´s security have not been uncovered by a HIPAA risk assessment, or where no assessment has been completed at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.
More Than Large Medical Organizations in the Firing Line
Although most headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, there are very many small medical practices also reviewed by the Office for Civil Right (OCR) or subject to HIPAA audits. Since 2009, OCR has received reports of 181,000 PHI violations. Less than 1% of these relate to breaches involving 500 patients’ records or over.
A major problem for small and medium sized medical clinics is that not all insurance carriers cover the cost of a HIPAA breach. The cost of a HIPAA breach not only includes the fine, but also the cost of hiring IT specialists to review the breach, the cost of repairing public confidence in the medical practice, and the cost of supplying credit monitoring services for patients. Insurers may also limit their coverage in relation to the nature of the HIPAA violation and the level of negligence.
Without insurance coverage, the cost of a HIPAA breach could possibly close a small medical practice. However this can be prevented by conducting a HIPAA risk assessment and then implementing measures to fix any uncovered security flaws. An assessment can be complex and time-consuming, but the alternative is possibly terminal to small medical practices and their Business Associates.
Every group that creates, receives, maintains, or shares PHI has to conduct an accurate and thorough HIPAA risk assessment in order to adhere with §164.308 of the HIPAA Security Rule. Even if you organization does not create, receive, maintain, or send PHI electronically (ePHI), a HIPAA risk assessment must still be compiled to adhere with the requirements of the HIPAA Privacy Rule.
This condition of HIPAA compliance not only applies to medical centers (Covered Entities). Business Associates, consultants and vendors must also carry out a HIPAA risk assessment if they have contact with any Personally Identifiable Information. Similarly to Covered Entities, financial penalties for non-compliance can be issued by OCR against Business Associates for potential breaches of PHI.
What a HIPAA Risk Assessment Should Incorporate
The US Department of Health & Human Services (HHS) says that there is no specific risk analysis methodology. This is due to Covered Entities and Business Associates varying massively in size, complexity and capabilities. However, HHS does provide an objective of a HIPAA risk assessment – to spot potential dangers and flaws to the confidentiality, availability and integrity of all PHI that an organization creates, receives, maintains, or shares.
In order to achieve these objectives, the HHS suggests an group should:
- Say where PHI is stored, received, maintained or transmitted.
- State and document potential threats and vulnerabilities.
- Review current security measures used to safeguard PHI.
- Review whether the current security measures are used properly.
- Estimate the likelihood of a “reasonably anticipated” threat.
- Calculate the potential impact of a breach of PHI.
- Allocate risk levels for vulnerability and impact combinations.
- Record the assessment and take action where necessary.
A HIPAA risk assessment is not a one-time occurence. Assessments should be reviewed constantly and as new work practices are implemented or new technology is introduced. HHS does not give guidance on the frequency of reviews other than to suggest they may be carried out annually depending on a group’s circumstances.
HIPAA Privacy Risk Assessment
Due to the obligation for Business Associates to conduct risk assessments being introduced in an update to the HIPAA Security Rule, many Covered Entities and Business Associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is just as important as a security risk assessment, but can be a much larger undertaking depending on the size of the group and the nature of its business.
In order to finish a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first duty it is to identify organizational workflows and get a “big picture” view of how the HIPAA Privacy Rule will impact the group’s operations. Thereafter the Privacy Officer needs to detail the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may happen.
The last stage of a HIPAA privacy risk assessment should be the creation and implementation of a HIPAA privacy compliance program. The program should list policies to address the risks to PHI identified in the HIPAA privacy risk assessment and should be reviewed as proposed by the HHS (above) as new work practices are implemented or new technology is introduced.
Creating a Risk Management Plan and Implementing New Procedures
A HIPAA risk assessment should show as any areas of an organization´s security that need attention. Organizations then need to gather a risk management plan in order to address the weaknesses and vulnerabilities uncovered by the assessment and put in place new procedures and policies where necessary to close the vulnerabilities most likely due to a breach of PHI.
The risk levels given to each vulnerability will give a group direction on the priority that each vulnerability needs to be given. The group can then create a remediation plan to tackle the most critical flaws first. The remediation plan should be bolstered with new procedures and policies where necessary, and proper workforce training and awareness programs.
It has been noted by OCR that the most witnessed reason why Covered Entities and Business Associates fail HIPAA audits is because of a lack of processes and policies – or inadequate policies and procedures. It is important that the appropriate processes and policies are put in place in order to enforce changes to the workflow that have been introduced as a result of the HIPAA risk assessment.
Tools to Help with a HIPAA Risk Assessment
Completing a HIPAA risk assessment on every aspect of a group’s operations – regardless of its size – can be complex. This is very true for small medical practices with limited resources and no previous experience of adhering with HIPAA regulations. Consequently, in 2014, OCR made available a downloadable Security Risk Assessment (SRA) tool that helps small and medium sized medical practices with the compilation of a HIPAA risk assessment.
The SRA tool is very helpful in helping groups identify some locations where weaknesses and vulnerabilities may be present – but not all. In the User Guide accompanying the software, it is stated at the start of the document “the SRA tool is not a guarantee of HIPAA compliance”. Furthermore, although the tool consists of 156 questions relating to the confidentiality, availability and integrity of all PHI, there are no suggestions on how allocate risk levels or what policies and procedures to introduce.
Much the same applies to other third-party tools that can be located online. They may also help organizations identify some weaknesses and vulnerabilities, but not supply a fully-compliant HIPAA risk assessment. Indeed, many third-party vendors release disclaimers in the small print of their terms and conditions similar to that at the start of the SRA tool User Guide. The conclusion is that tools to help with a HIPAA risk assessment can be useful, but are not complete solutions.