The requirement for Covered Entities to complete a HIPAA risk assessment is not a new aspect of the Health Insurance Portability and Accountability Act. It dates from 2003, when the safeguards requirement of the original HIPAA Privacy Rule took effect, and was subsequently made explicit for the administrative, physical and technical safeguards of the HIPAA Security Rule.
In 2013, the Final Omnibus Rule amended the HIPAA Security Rule and the breach notification provisions of the HITECH Act. The new regulations extended the requirement to conduct a HIPAA risk assessment to Business Associates, and also increased the monetary penalties a Covered Entity or Business Associate could be hit with for non-compliance with HIPAA regulations.
The size of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of protected health information (PHI) and the level of negligence involved. Few fines are now applied in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for an organization not being aware of its obligation to safeguard PHI.
In recent times, most fines have fallen under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to protect their patients´ health information. Many of the highest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – resulted from organizations failing to identify where risks to the integrity of PHI were present.
However, since the beginning of the second phase of HIPAA audits, fines have also been applied for potential breaches of PHI: cases where weaknesses in an organization´s security were not identified by a HIPAA risk assessment, or where no assessment had been completed at all.
Although most of the headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, many small medical practices are investigated by the Office for Civil Rights (OCR) or subject to HIPAA audits. Since 2009, OCR has been notified of 181,000 PHI breaches. Less than 1% of these involved the records of 500 or more patients.
A major issue for small and medium-sized medical practices is that not all insurance carriers cover the cost of a HIPAA violation. The cost of a HIPAA breach includes not only the fine, but also the expense of hiring IT specialists to investigate the breach, the cost of repairing public confidence in the practice, and the cost of supplying credit monitoring services to affected patients. Insurers may also restrict their coverage depending on the nature of the HIPAA violation and the level of negligence.
Without insurance coverage, the expense of a HIPAA breach could shut down a small medical practice. This scenario can be avoided by conducting a HIPAA risk assessment and then adopting measures to fix any security weaknesses it uncovers. An assessment can be complicated and time-consuming, but the alternative is potentially ruinous for small medical practices and their Business Associates.
The US Department of Health & Human Services (HHS) acknowledges that there is no single prescribed risk analysis methodology, because Covered Entities and Business Associates vary greatly in size, complexity and capabilities. However, HHS does state the objective of a HIPAA risk assessment: to identify potential threats and vulnerabilities to the confidentiality, integrity and availability of all PHI that an organization creates, receives, maintains, or transmits.
In order to achieve this objective, HHS suggests an organization should:
A HIPAA risk assessment is not a one-off exercise. Assessments should be reviewed regularly, and whenever new work practices are adopted or new technology is introduced. HHS does not give guidance on the frequency of reviews other than to suggest they may be conducted annually, depending on an organization´s circumstances.
Because the obligation for Business Associates to conduct risk assessments was introduced in an update to the HIPAA Security Rule, many Covered Entities and Business Associates overlook the need to also complete a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is every bit as important as a security risk assessment, but can be a much bigger undertaking depending on the size of the organization and the nature of its business.
In order to conduct a HIPAA privacy risk assessment, an organization should designate a Privacy Officer, whose first duty is to identify organizational workflows and get a “big picture” view of how the HIPAA Privacy Rule affects the organization´s operations. Thereafter the Privacy Officer needs to track the flow of PHI both internally and externally in order to complete a gap analysis identifying where breaches may occur.
The last stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should incorporate policies to tackle the risks to PHI identified in the privacy risk assessment, and should be reviewed as suggested by HHS (above) whenever new work practices are put in place or new technology is introduced.
A HIPAA risk assessment should uncover any areas of an organization´s security that need to be addressed. The organization then needs to formulate a risk management plan to address the flaws and vulnerabilities uncovered by the assessment, implementing new policies and procedures where necessary to address the vulnerabilities most likely to lead to a breach of PHI.
The risk level assigned to each vulnerability indicates the priority it should receive. The organization can then create a remediation plan that closes the most critical vulnerabilities first. The remediation plan should be complemented with new policies and processes where required, and with appropriate staff training and awareness programs.
OCR has commented that the most frequent reason Covered Entities and Business Associates fail HIPAA audits is a lack of policies and procedures, or inadequate policies and procedures. It is crucial that the appropriate policies and procedures are adopted in order to enforce the changes to workflows introduced as a result of the HIPAA risk assessment.
Completing a HIPAA risk assessment on every element of an organization´s operations – no matter how large it is – can be complicated. This is particularly true for small medical practices with limited resources and no previous experience of complying with HIPAA regulations. Consequently, in 2014, OCR and the Office of the National Coordinator for Health Information Technology (ONC) published a downloadable Security Risk Assessment (SRA) tool that helps small and medium-sized medical practices compile a HIPAA risk assessment.
The SRA tool is ideal for helping organizations identify some of the areas where weaknesses and vulnerabilities may be present – but not all of them. The User Guide supplied with the software states at the outset that “the SRA tool is not a guarantee of HIPAA compliance”. Additionally, although the tool consists of 156 questions relating to the confidentiality, integrity and availability of PHI, it offers no guidance on how to assign risk levels or on which policies and procedures to introduce.
Much the same applies to other third-party tools available online. They may also help organizations find some weaknesses and flaws, but they do not produce a fully compliant HIPAA risk assessment on their own. Indeed, many third-party vendors include disclaimers in the small print of their terms and conditions similar to the one at the start of the SRA tool User Guide. The conclusion is that tools can help with a HIPAA risk assessment, but they are not complete solutions.