The requirement for Covered Entities to complete a HIPAA risk assessment is not a new aspect of the Health Insurance Portability and Accountability Act. It dates from 2003, when the HIPAA Security Rule was published: the risk analysis standard sits in the Security Rule's administrative safeguards (45 CFR § 164.308(a)(1)(ii)(A)) and requires an accurate and thorough assessment of the risks to electronic PHI across the administrative, technical, and physical safeguards the Rule describes.
In 2013, the Final Omnibus Rule amended the HIPAA Security Rule and incorporated the breach notification provisions of the HITECH Act. The changes also made business associates directly liable for compliance, including the requirement to conduct a HIPAA risk assessment, and increased the fines for noncompliance with HIPAA regulations.
The size of fines for noncompliance with HIPAA has historically depended on the number of patients affected by a breach of protected health information (PHI) and the level of negligence involved, among other factors. Few fines are now applied in the lowest “Did Not Know” HIPAA violation category, even though fines for these relatively minor violations remain possible.
However, financial penalties are often deemed necessary in cases of willful neglect of HIPAA Rules. Willful neglect means the covered entity knew, or showed reckless indifference to the fact, that HIPAA Rules were not being followed. There are two penalty tiers for willful neglect: tier 3 applies when the violation was corrected within 30 days of discovery, and tier 4 applies when no effort was made to correct the violation within a reasonable time frame.
The risk assessment, or risk analysis, is one of the most fundamental requirements of the HIPAA Security Rule. There is no excuse for not conducting a risk assessment or for not being aware that one is required. A failure to conduct one is therefore treated as willful neglect of HIPAA Rules and is likely to attract penalties in the highest penalty tier.
Many of the highest fines issued by the HHS’ Office for Civil Rights for noncompliance with HIPAA Rules have been for the failure to conduct a risk assessment, or the failure to conduct a thorough, organization-wide one. That includes the $16,000,000 settlement with Anthem Inc. in 2018, the largest HIPAA settlement at that time.
Although most of the headlines relating to HIPAA violations and financial penalties concern large healthcare organizations, small medical practices are also investigated by the Office for Civil Rights (OCR) and have been subjected to compliance reviews following data breaches or complaints.
A major issue for small and medium sized medical practices is that not all insurance carriers cover the cost of a HIPAA violation penalty and the associated costs of a breach. The cost of a HIPAA breach is not only the fine, but also the expense of hiring IT specialists to investigate the breach, the cost of repairing public confidence in the medical practice, and the cost of supplying credit monitoring and identity theft protection services to patients. Insurers may also restrict their coverage depending on the nature of the HIPAA violation and the level of negligence.
The risk assessment is one of the most important actions to take, not just to ensure compliance with HIPAA, but also to prevent data breaches. The purpose of a risk assessment is to identify the threats to the confidentiality, integrity, and availability of PHI, the vulnerabilities that threat actors could exploit to access, alter, or steal patient information, and the likelihood and impact of each. Once identified, the risks can be managed and reduced to a reasonable and acceptable level.
The US Department of Health & Human Services (HHS) states that there is no single required risk assessment methodology, because Covered Entities and Business Associates vary greatly in size, complexity, and infrastructure. To achieve the purpose of a risk assessment, healthcare organizations should make sure that their risk assessment covers the elements set out in OCR’s Guidance on Risk Analysis.
A HIPAA risk assessment is not a one-off exercise. Assessments should be reviewed regularly and repeated when new work practices are adopted, new technology is introduced, and when HIPAA regulations are updated. HHS does not state how often risk assessments should be conducted, beyond suggesting that performing one annually is good practice.
Many Covered Entities and Business Associates overlook the need to complete a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is every bit as important as a security risk assessment, but can be a much bigger undertaking depending on the size of the organization and the nature of its business.
A HIPAA privacy risk assessment should be conducted by the HIPAA Privacy Officer, whose appointment is a requirement of the HIPAA Privacy Rule (the Security Rule’s administrative safeguards separately require a security official). One of the first duties of a HIPAA Privacy Officer is to identify organizational workflows and get a “big picture” view of how the HIPAA Privacy Rule affects the organization’s operations. Thereafter, the Privacy Officer needs to track the flow of PHI both internally and externally and should conduct a gap analysis to identify where impermissible uses or disclosures of PHI could occur.
The last stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should incorporate policies to address the risks to PHI identified in the privacy risk assessment. The privacy risk assessment should be repeated following the introduction of new work practices and when new technology is implemented.
A HIPAA risk assessment should uncover any areas of an organization’s security that need to be strengthened. Organizations then need to formulate a risk management plan to address the flaws and vulnerabilities the assessment uncovered, implementing new policies, procedures, and technology where necessary, starting with the vulnerabilities most likely to lead to a breach of PHI, so that risks are reduced to a reasonable and acceptable level.
The risk level assigned to each vulnerability tells the organization what priority that vulnerability should receive, so the remediation plan can address the most critical vulnerabilities first. The remediation plan should be documented, and new policies and procedures should be implemented as appropriate. Employees will also need training on any new technology that has been introduced and on updates to policies and procedures.
Completing a HIPAA risk assessment on every aspect of an organization’s operations can be time-consuming and complicated. This is particularly true for small medical practices with limited resources and no previous experience of conducting risk assessments. To help healthcare organizations with this vital aspect of HIPAA, in 2014 the Office of the National Coordinator for Health IT (ONC), in collaboration with OCR, published a downloadable Security Risk Assessment (SRA) tool that small and medium sized medical practices can use to help them conduct a HIPAA risk assessment.
The SRA tool is useful for helping organizations identify where weaknesses and vulnerabilities may be present. The User Guide that accompanies the tool states at the outset that “the SRA tool is not a guarantee of HIPAA compliance”. While the tool consists of 156 questions relating to the confidentiality, integrity, and availability of PHI, it offers no guidance on how to assign risk levels or on what policies, procedures, and technology will need to be introduced to correct the vulnerabilities it surfaces.
Much the same applies to other third-party tools found online. They may help organizations identify risks and vulnerabilities, but they are no guarantee that the risk assessment will be comprehensive and HIPAA compliant, and many vendors include disclaimers saying so. Tools can therefore support a HIPAA risk assessment, but they are not complete solutions. If in any doubt about whether your risk assessment meets HIPAA requirements, seek legal advice.