The requirement for Covered Entities and Business Associates to conduct a HIPAA risk assessment is one of the Administrative Safeguards of the Security Rule. However, while the requirement relates to identifying risks and vulnerabilities that could impact the confidentiality, integrity, and availability of electronic PHI, it is a best practice to conduct risk assessments for all elements of HIPAA compliance.
The requirement to conduct a HIPAA security risk assessment can be found under the Standard for Security Management Processes (45 CFR § 164.308). The objective of this Standard is to implement policies and procedures to prevent, detect, contain, and correct security violations; and, to identify potential security violations, Covered Entities and Business Associates have to comply with four implementation specifications:
The order of the four implementation specifications is no accident. A HIPAA security risk assessment will identify where risks and vulnerabilities exist so policies and processes can be implemented to mitigate them. Staff have to be trained on HIPAA policies and procedures (under 45 CFR § 164.530), so there needs to be a sanctions policy in place for those who do not comply, while there should also be mechanisms in place to identify non-compliers.
Because different Covered Entities and Business Associates engage in different HIPAA-covered activities, there is no “one-size-fits-all” HIPAA risk assessment template. However, in its guidance for Covered Entities and Business Associates, the Department of Health and Human Services (HHS) uses the same definitions of risks, threats, and vulnerabilities as used by the National Institute of Standards and Technology (NIST) in SP 800-30 “Guide for Conducting Risk Assessments”.
Consequently, HHS suggests Covered Entities and Business Associates should:
HIPAA risk assessments, once completed, should be documented and reviewed periodically. The Security Rule does not specify how often risk assessments should be conducted, but HHS recommends that a risk analysis take place before new technologies are implemented or business operations are revised, because risks, threats, and vulnerabilities identified only after the new technology is in place or the operations have changed take more effort to address.
Although there is no direct requirement to conduct a privacy risk assessment under HIPAA, there are multiple examples in which Covered Entities should conduct a risk assessment to identify risks, threats, and vulnerabilities to compliance with the Privacy Rule. One such example appears in the Administrative Requirements of the Privacy Rule (45 CFR § 164.530) in which Covered Entities are required to:
“Reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart”.
To comply with this standard, Covered Entities will have to identify risks, threats, and vulnerabilities to PHI in the same way as they will with ePHI. Thereafter – also in the Administrative Requirements of the HIPAA Privacy Rule – Covered Entities are required to develop policies and procedures to “reasonably safeguard protected health information”, train staff on the policies and procedures, and develop a sanctions policy for staff who fail to comply with the policies and procedures.
Consequently, a privacy risk assessment under HIPAA is practically essential because, without one, Covered Entities will be unable to develop the policies and procedures required by the Administrative Requirements. Similar to the HIPAA risk assessment mandated by the Security Rule, Covered Entities should conduct a privacy risk assessment prior to the implementation of any change in work practices or business operations to prevent unauthorized uses and disclosures.
In 2009, the HIPAA Breach Notification Rule was introduced as part of the changes made to HIPAA under the HITECH Act. The Breach Notification Rule requires Covered Entities and Business Associates to notify individuals, the Department of Health and Human Services, and – in some cases – the media when a breach of unsecured PHI has occurred. However, exceptions to the notification requirement exist when there is a low probability that PHI has been compromised.
The way in which Covered Entities and Business Associates can determine the probability of PHI being compromised is via a HIPAA Privacy Assessment. The HIPAA Privacy Assessment should consider:
Like the security risk assessment, there is no “one-size-fits-all” template for determining whether a breach of PHI should be notified or not. However, the North Carolina Healthcare Information and Communications Alliance has produced a free-to-use risk assessment tool which will guide Covered Entities and Business Associates through the process of conducting a HIPAA Privacy Assessment following a breach of unsecured PHI.
Conducting a HIPAA risk assessment on every element of HIPAA compliance can be time-consuming and complicated. This is particularly true for small medical firms with limited resources and no previous experience of conducting risk assessments. To help Covered Entities and Business Associates comply with this requirement of HIPAA, the HHS' Office for Civil Rights has published a downloadable Security Risk Assessment (SRA) tool that can be used to conduct a HIPAA risk assessment.
The SRA tool is ideal for identifying areas in which weaknesses and vulnerabilities exist. However, the User Guide that accompanies the tool states that “the SRA tool is not a guarantee of HIPAA compliance”. Furthermore, while the tool consists of 156 questions relating to the confidentiality, integrity, and availability of all PHI, it includes no proposals on how to designate risk levels or on what policies, procedures, and technology will need to be implemented to correct vulnerabilities.
Much the same applies to other third-party tools that can be found online. They may help identify risks and vulnerabilities, but they are no guarantee the HIPAA risk assessment will be comprehensive or compliant. Many third-party vendors have disclaimers stating this. The conclusion is that tools to help with a HIPAA risk assessment can be useful but are not complete solutions for this purpose. If in any doubt about whether your risk assessment meets HIPAA requirements, seek legal advice.
The size of fines for noncompliance with HIPAA has historically depended on the number of patients harmed by a breach of protected health information (PHI) and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, even though fines for these ‘relatively minor’ violations are possible.
However, financial penalties are often deemed necessary in cases of willful neglect of HIPAA Rules. Willful neglect is when the covered entity is aware that HIPAA Rules are not being followed or are being violated. There are two penalty tiers for willful neglect. Tier 3 applies to willful neglect where efforts have been made to correct the violation within 30 days of discovery, and tier 4 applies where no efforts have been made to correct the violation within a reasonable time frame.
The HIPAA risk assessment – or risk analysis – is one of the most fundamental requirements of the HIPAA Security Rule. There is no excuse for not conducting a risk assessment or for not being aware that one is required. Violations of this aspect of HIPAA therefore constitute willful neglect of HIPAA Rules and are likely to attract penalties in the highest penalty tier.
Many of the highest fines issued by the HHS’ Office for Civil Rights for noncompliance with HIPAA Rules have been for the failure to conduct a risk assessment, or the failure to conduct a thorough, organization-wide risk assessment. These included the highest ever HIPAA penalty: the $16,000,000 settlement with Anthem Inc. in 2018.
While you should be looking at all risks to the confidentiality, integrity, and availability of PHI, the top issues investigated by the HHS Office of Civil Rights include impermissible uses and disclosures, access controls, the failure to implement the administrative safeguards of the Security Rule, and disclosures of PHI beyond the minimum necessary.
Covered Entities and Business Associates are required to appoint (or designate the role of) a HIPAA Security Officer. Covered Entities are also required to appoint (or designate the role of) a HIPAA Privacy Officer. It is the responsibility of these Officers to ensure risk assessments are conducted – even if they don't conduct them personally.
Technical vulnerabilities relate to information systems, their design, configuration, implementation, and use. Non-technical vulnerabilities may include ineffective or non-existent policies and procedures, the failure to train employees on policies and procedures, or the failure of employees to comply with policies and procedures.
The Administrative Requirements of the Privacy Rule state that Covered Entities must train workforces on policies and procedures “as necessary and appropriate” for members of the workforce to carry out their functions. Consequently, the content of HIPAA training courses should be relevant to workforce functions.
Whereas a HIPAA security risk assessment should focus on the administrative, physical, and technical safeguards of the Security Rule, a HIPAA privacy risk assessment should focus on ensuring that uses and disclosures of non-electronic PHI comply with the requirements of 45 CFR Subpart E – the Privacy of Individually Identifiable Health Information.
Unsecured PHI is Protected Health Information that has not been rendered unusable, unreadable, or indecipherable by encryption. If data taken by an unauthorized individual is encrypted – and the decryption key is secured separately – there is a low probability that PHI has been compromised and, while the breach should still be documented, there is no need to report it to HHS.
One of the simplest ways to determine risk levels in a risk analysis is to assign each risk two numbers between 1 and 5: one for the likelihood of the risk occurring, and one for the impact the event would have on the Covered Entity. The two numbers are then multiplied together, and the product determines whether the risk level is low, medium, high, or critical.
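The likelihood-times-impact scoring described above, applied to a small risk register, as an added example that is not from the page, HHS, or the SRA tool. The band thresholds, the entries in the register, and the function names are assumptions made for illustration; HIPAA prescribes none of them.

```python
"""Constructed example of the 5x5 likelihood x impact risk scoring method."""
from dataclasses import dataclass

# Assumed mapping of the 1..25 product to a risk level (an illustration,
# not something HIPAA or HHS guidance prescribes): each tuple is the
# highest score that still falls in that band.
BANDS = [(5, "low"), (10, "medium"), (16, "high"), (25, "critical")]


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


def score(likelihood: int, impact: int) -> int:
    """Return likelihood x impact after checking both are on the 1..5 scale."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def level(score_value: int) -> str:
    """Map a 1..25 score onto low/medium/high/critical using the assumed BANDS."""
    for upper, name in BANDS:
        if score_value <= upper:
            return name
    raise ValueError(f"score {score_value} is outside the 1..25 range")


def prioritise(risks):
    """Return (name, score, level) tuples, highest score first."""
    ranked = [(r.name, score(r.likelihood, r.impact), level(score(r.likelihood, r.impact)))
              for r in risks]
    return sorted(ranked, key=lambda entry: entry[1], reverse=True)


# Constructed sample register (hypothetical findings, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("Unencrypted laptops holding ePHI", 4, 5),
    Risk("No sanctions policy for non-compliance", 3, 3),
    Risk("Workforce not trained on revised intake procedure", 4, 2),
    Risk("Paper PHI left at shared printer", 2, 2),
]

if __name__ == "__main__":
    for name, value, band in prioritise(SAMPLE_REGISTER):
        print(f"{value:>2}  {band:<8}  {name}")
```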