The requirement for Covered Entities and Business Associates to conduct a HIPAA risk assessment is one of the Administrative Safeguards of the Security Rule. However, while the requirement relates to identifying risks and vulnerabilities that could impact the confidentiality, integrity, and availability of electronic PHI, it is a best practice to conduct risk assessments for all elements of HIPAA compliance.
The requirement to conduct a HIPAA security risk assessment can be found under the Standard for Security Management Processes (45 CFR § 164.308). The objective of this Standard is to implement policies and procedures to prevent, detect, contain, and correct security violations; and, to identify potential security violations, Covered Entities and Business Associates have to comply with four implementation specifications:
The order of the four implementation specifications is no accident. A HIPAA security risk assessment will identify where risks and vulnerabilities exist so policies and processes can be implemented to mitigate them. Staff have to be trained on HIPAA policies and procedures (under 45 CFR § 164.530), so there needs to be a sanctions policy in place for those who do not comply, while there should also be mechanisms in place to identify non-compliers.
Because different Covered Entities and Business Associates engage in different HIPAA-covered activities, there is no “one-size-fits-all” HIPAA risk assessment template. However, in its guidance for Covered Entities and Business Associates, the Department of Health and Human Services (HHS) uses the same definitions of risks, threats, and vulnerabilities as used by the National Institute of Standards and Technology (NIST) in SP 800-30 “Guide for Conducting Risk Assessments”.
Consequently, HHS suggests Covered Entities and Business Associates should:
HIPAA risk assessments, once completed, should be documented and reviewed periodically. The Security Rule does not specify how often risk assessments should be conducted, but HHS recommends a risk analysis should take place before new technologies are implemented or business operations are revised to reduce the effort required to address risks, threats, and vulnerabilities identified after the implementation of new technology or revision of business operations.
Although there is no direct requirement to conduct a privacy risk assessment under HIPAA, there are multiple examples in which Covered Entities should conduct a risk assessment to identify risks, threats, and vulnerabilities to compliance with the Privacy Rule. One such example appears in the Administrative Requirements of the Privacy Rule (45 CFR § 164.530) in which Covered Entities are required to:
“Reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart”.
To comply with this standard, Covered Entities will have to identify risks, threats, and vulnerabilities to PHI in the same way as they will with ePHI. Thereafter – also in the Administrative Requirements of the HIPAA Privacy Rule – Covered Entities are required to develop policies and procedures to “reasonably safeguard protected health information”, train staff on the policies and procedures, and develop a sanctions policy for staff who fail to comply with the policies and procedures.
Consequently, a privacy risk assessment under HIPAA is practically essential because, without one, Covered Entities will be unable to develop the policies and procedures required by the Administrative Requirements. Similar to the HIPAA risk assessment mandated by the Security Rule, Covered Entities should conduct a privacy risk assessment prior to the implementation of any change in work practices or business operations to prevent unauthorized uses and disclosures.
In 2009, the HIPAA Breach Notification Rule was introduced as part of the changes made to HIPAA Under the HITECH Act. The Breach Notification Rule requires Covered Entities and Business Associates to notify individuals, the Department of Health and Human Services, and – in some cases – the media when a breach of unsecured PHI has occurred. However, exceptions to the notification requirement exist when there is a low probability PHI has been compromised.
The way in which Covered Entities and Business Associates can determine the probability of PHI being compromised is via a HIPAA Privacy Assessment. The HIPAA Privacy Assessment should consider:
Like the security risk assessment, there is no “one-size-fits-all” template for determining whether a breach of PHI should be notified or not. However, the North Carolina Healthcare Information and Communications Alliance has produced a free-to-use risk assessment tool which will guide Covered Entities and Business Associates through the process of conducting a HIPAA Privacy Assessment following a breach of unsecured PHI.
Conducting a HIPAA risk assessment on every element of HIPAA compliance can be time-consuming and complicated. This is particularly true for small medical firms with limited resources and no previous experience of conducting risk assessments. To help Covered Entities and Business Associates comply with this requirement of HIPAA, the HHS´ Office for Civil Rights has published a downloadable Security Risk Assessment tool that can be used to conduct a HIPAA risk assessment.
The SRA tool is ideal for identifying areas in which weaknesses and vulnerabilities. However, in the User Guide that accompanies the tool, it states “the SRA tool is not a guarantee of HIPAA compliance”. Furthermore, while the tool consists of 156 questions relating to the confidentiality, integrity, and availability of all PHI, there are no proposals included on how to designate risk levels or what policies, procedures, and technology will need to be implemented to correct vulnerabilities.
Much the same applies to other third-party tools that can be found online. They may help identify risks and vulnerabilities, but they are no guarantee the HIPAA risk assessment will be comprehensive or compliant. Many third-party vendors have disclaimers stating this. The conclusion is that tools to help with a HIPAA risk assessment can be useful but are not complete solutions for this purpose. If in any doubt about whether your risk assessment meets HIPAA requirements, seek legal advice.
The size of fines for noncompliance with HIPAA has historically depended on the number of patients harmed by a breach of protected health information (PHI) and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, even though fines for these ‘relatively minor’ violations are possible.
However, financial penalties are often deemed necessary in cases of willful neglect of HIPAA Rules. Willful neglect is when the covered entity is aware that HIPAA Rules are not being followed or violated. There are two penalty tiers for willful neglect. Tier 3 involves willful neglect when efforts have been made to correct the violation within 30 days of discovery and tier 4 is when no efforts have been made to correct a violation in a reasonable time frame.
The HIPAA risk assessment – or risk analysis – is one of the most fundamental requirements of the HIPAA Security Rule. There is no excuse for not conducting a risk assessment or not being aware that one is required. Violations of this aspect of HIPAA therefore constitutes willful neglect of HIPAA Rules and is likely to attract penalties in the highest penalty tier.
Many of the highest fines that have been issued by the HHS’ Office for Civil Rights for noncompliance with HIPAA Rules have been for the failure to conduct a risk assessment or the failure to conduct a thorough, organization-wide risk assessment. That included the highest ever HIPAA penalty. The $16,000,000 settlement with Anthem Inc., in 2018.
While you should be looking at all risks to the confidentiality, integrity, and availability of PHI, the top issues investigated by the HHS Office of Civil Rights include impermissible uses and disclosures, access controls, the failure to implement the administrative safeguards of the Security Rule, and disclosures of PHI beyond the minimum necessary.
Covered Entities and Business Associates are required to appoint (or designate the role of) a HIPAA Security Officer. Covered Entities are also required to appoint (or designate the role of) a HIPAA Privacy Officer. It will be the responsibility of these Officers to ensure risk assessments are conducted – even if they don´t conduct them personally.
Technical vulnerabilities relate to information systems, their design, configuration, implementation, and use. Non-technical vulnerabilities may include ineffective or non-existent policies and procedures, the failure to train employees on policies and procedures, or the failure of employees to comply with policies and procedures.
The Administrative Requirements of the Privacy Rule state that Covered Entities must train workforces on policies and procedures “as necessary and appropriate” for members of the workforce to carry out their functions. Consequently, the content of HIPAA training courses should be relevant to workforce functions.
Whereas a HIPAA security risk assessment should focus on the administrative, physical, and technical safeguards of the Security Rule, a HIPAA privacy risk assessment should focus on ensuring that uses and disclosures of non-electronic PHI comply with the requirements of 45 CFR Subpart E – the Privacy of Individually Identifiable Health Information.
Unsecured PHI is Protected Health Information that has not been rendered unusable, unreadable, or indecipherable by encryption. If data taken by an unauthorized individual is encrypted – and the decryption key is secured separately – there is a low probability that PHI has been compromised and, while the breach should still be documented, there is no need to report it to HHS.
One of the simplest ways to determine risk levels in a risk analysis is to assign the likelihood of a risk occurring a number between 1 and 5 and the impact the event would have on the Covered Entity a number between 1 and 5. Then multiply the two numbers together to determine whether the risk level is low, medium, high, or critical.
A risk assessment for all elements of HIPAA compliance should include the Privacy, Security, and Breach Notification Rules – inasmuch as members of the workforce need to know who to report a breach to. Depending on the nature of the organization’s activities, it may also be necessary to include the Administrative Requirements (Part 162 of the Administrative Simplification Regulations).
The risks associated with the Administrative Requirements are purely compliance risks. While non-compliance with the Administrative Requirements will not result in an impermissible disclosure or data breach, if a complaint about non-compliance with this Part is received by the Centers for Medicare and Medicaid Services, the agency has the authority to enforce a Corrective Action Plan and/or issue a civil monetary penalty.
Risks associated with Privacy Rule compliance generally fall into two categories – those relating to individuals´ rights (i.e., access requests, requests for an accounting of disclosures, etc.) and those relating to impermissible uses and disclosures of PHI. It is important that policies and procedures are put in place to ensure compliance with the Privacy Rule and that members of the workforce are trained on the policies and procedures.
Privacy Rule compliance is necessary for Business Associates “with respect to the Protected Health Information of a Covered Entity” (§164.500(c)). Therefore, before a Covered Entity shares PHI with a Business Associate, the Covered Entity must conduct due diligence to ensure the Business Associate has the necessary safeguards in place to protect the privacy of Protected Health Information.
Business Associates only have to comply with the Administrative Requirements if they are performing a service for a Covered Entity covered by 45 CFR Part 162. These services are usually related to eligibility checks, authorizations for treatment, and billing, and compliance with this part is only necessary if an organization conducts these transactions electronically.
The Department for Health and Human Services does not define “reasonable and appropriate” in the context of HIPAA risk assessments. However, “reasonable” is generally interpreted to mean “diligent”, while “appropriate” is relevant to an organization´s “size, capabilities, and complexities, it´s existing technical, hardware, and software infrastructure, and the likelihood and possible impact of potential risks to Protected health Information”.
The sanctions a Covered Entity would apply to a workforce member for a HIPAA violation depend on the nature of the violation, the contents of the Covered Entity´s sanctions policy, and the workforce member´s previous conduct. Generally, a minor HIPAA violation will result in a verbal warning and/or re-training, while a more serious – or repeated – violation could result in termination of contract.
The frequency that an organization should review records of information system activity will be determined by a risk assessment, the technologies already in place to identify anomalies, and the complexity of the organization’s information systems. For example, larger organizations will probably have SIEM systems deployed to automatically detect irregular activity, while a smaller organization might have to outsource reviews to a third-party IT consultant.
The way to calculate the impact of a vulnerability being exploited is to consider what the consequences would be of a specific event. For example, if the organization´s Electronic Health Records were disabled in a ransomware attack due to a vulnerability in password management procedures, the consequences would be the non-availability of PHI.
This would have a significant impact on a healthcare organization’s ability to treat patients; and, even if back-ups of the PHI are available, the organization would have to consider the impact on operations of restoring systems from the back-ups. Therefore, it would be better to address the vulnerability rather than prepare for the consequences.
HIPAA risk assessments should be reviewed at least annually and – as recommended by HHS – before new technologies are implemented or business operations are revised. Additionally, although the responsibility for reviewing risk assessments lies with the privacy or Security Officer who originally conducted the risk assessment, it can be useful to periodically engage a third-party compliance expert to review assessments and analyses to ensure nothing is missed.
Covered Entities can reasonably safeguard PHI in compliance with the Privacy Rule by ensuring all members of the workforce are aware what uses and disclosures of PHI are permitted by the Privacy Rule. Additionally, they should be told via training what uses and disclosures are not permitted by the Privacy Rule without a written authorization from the subject of the PHI.
A HIPAA risk management plan is a plan detailing how an organization identifies risks, assesses the risks, and decides what measures to implement to reduce risks to a reasonable and appropriate level. Thereafter, the plan identifies individual responsibilities for reviewing the HIPAA risk management plan to ensure it is kept up to date and in line with other regulatory requirements (i.e., CMS´ Emergency Preparedness Plan).
The difference between a HIPAA risk assessment and a CMS Emergency Plan risk assessment is that the purpose of HIPAA is to protect the privacy of PHI and ensure the confidentiality, integrity, and availability of ePHI at all times, whereas the purpose of CMS´ Emergency Plan is to safeguard human resources, maintain business continuity, and protect physical resources in an emergency or natural disaster.
The five principles of a HIPAA risk assessment are the same as any other type of risk assessment. 1. Identify risks and vulnerabilities. 2. Assess the risks and vulnerabilities. 3. Control the risks and vulnerabilities (to a reasonable and appropriate level). 4. Document the findings and the actions taken. 5. Review the risk assessment.
The flexibility of approach in the Security Rule is a standard in the General Rules (§164.306) which allows Covered Entities and Business Associates to decide what security measures to implement to comply with the Administrative, Physical, and Technical Safeguards. The reason it exists is because HIPAA is technology neutral and does not favor one type of security measure over another.
In the Security Rule, termination procedures relate to removing an individual’s access to ePHI when they leave the organization or move to another role within the organization which does not have the same access requirements. For example, if a healthcare professional leaves to work in another hospital, their login credentials have to be deleted from systems to prevent the healthcare professional logging in remotely or another employee using their credentials fraudulently.
If an employee violates HIPAA and no risk assessment has been conducted, it does not necessarily mean the Covered Entity or Business Associate is at fault. Covered Entities and Business Associates would only be expected to assess risks associated with reasonably foreseeable events; and, if the HIPAA violation was not reasonably foreseeable, the employee will likely be held accountable.
However, if the event that led to the HIPAA violation was reasonably foreseeable – and either it was omitted from the risk assessment or the decision was made not to safeguard against it happening – accountability will be determined by the nature of the event and whether the actions of the employee were unreasonable and inappropriate in the circumstances.