Throughout 2018 and 2019, the OCR identified the failure to conduct an adequate risk assessment as a key finding in nearly half of its settlements, making it the largest single source of identified HIPAA violations.
Many organizations undergo some level of third-party reporting on their compliance with the HIPAA security rule. Generally these types of HIPAA audits evaluate the design and effectiveness of the processes currently in place to meet the HIPAA security rule requirements. However, these audits often fail to adequately review the rigor of the risk analysis (aka risk assessment) process.
A common source of confusion centers around definitions, with multiple security and regulatory frameworks using different definitions of key terms like risk analysis, risk assessment, threat, and vulnerability.
For all intents and purposes, the "Risk Analysis" called out in the HIPAA security rule is what many IT and security professionals call a "risk assessment." A risk analysis is one of the required implementation specifications.
Why is It Required by HIPAA?
HIPAA requires organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the company. It is important that organizations assess all forms of electronic media. It is common for healthcare providers to overlook other forms of media such as hard drives, tablets, digital video discs (DVDs), USB drives, smart cards or other storage devices, BYOD devices, or any other portable electronic media.
If you are concerned your organization may be in this situation, consider the following questions. If your answer to any of them is "no" or "I am not sure," it is likely you have not conducted an adequate risk assessment.
- Have you identified the e-PHI within your organization?
- Have you identified all external sources of PHI, or third parties who support storing, processing, and transmitting PHI?
- Is there a well-documented process for vendor due diligence related to privacy and security concerns beyond what is addressed in your business associate agreement?
- Have you identified all environmental threats to your information system?
Why is This Important?
A risk analysis is one of four required implementation specifications, and it is required to reach substantial compliance with many other HIPAA standards and implementation specifications. The security rule identifies some implementation specifications as addressable versus required. From a risk management perspective, all controls implemented by management should be developed based on identified risk. From the OCR's perspective, if an organization has not conducted a thorough risk assessment, then the fundamental basis for designing a company's controls has not been established.
What to Consider When Conducting a Risk Analysis/Assessment?
The increasing use of technology across the entire healthcare continuum continues to increase the risk of a breach of ePHI. There is no one-size-fits-all approach to conducting a risk analysis, and it can look very different depending on your business model. For example, a risk analysis for a data center will look drastically different from one for a cloud-based EHR software as a service (SaaS) provider. The Office of Civil Rights (OCR) has provided guidance for covered entities and business associates in conducting a risk analysis [1]:
- When conducting a risk assessment, it is always important for the scope to cover all potential risks to the confidentiality, integrity, and availability of all e-PHI that is created, stored, or transmitted;
- Identify potential threats and vulnerabilities to patient privacy and to the security of your organization's ePHI;
- Determine the likelihood of a specific threat occurring, and the impact an occurrence would have on the availability, confidentiality, and integrity of ePHI;
- Assign a risk level based on the determined likelihood and impact. Develop a consistent rationale for the qualitative and quantitative measurements used to assign the risk level;
- Prioritize remediation efforts based on the risk presented to your organization;
- Thoroughly document your analysis and the steps taken to reach your conclusions; and
- Periodically assess the effectiveness of implemented security measures in protecting against the identified threats and vulnerabilities.
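The OCR steps above (identify threats and vulnerabilities per ePHI asset, rate likelihood and impact, assign a level with a documented rationale, prioritize remediation) can be captured in a simple risk register. The following is an added example written for this article, not OCR's or Linford & Company's material; it assumes a constructed 3x3 qualitative scale and constructed sample entries, which an organization would replace with its own documented scale and findings.

```python
from dataclasses import dataclass

# Qualitative scales (constructed for this example). OCR asks that the rationale
# behind the scales be documented so ratings are applied consistently.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}

@dataclass
class Risk:
    asset: str          # where the ePHI is created, stored, or transmitted
    threat: str         # what could go wrong (human, environmental, technical)
    vulnerability: str  # the weakness that lets the threat materialize
    cia: str            # confidentiality, integrity, or availability affected
    likelihood: str
    impact: str
    rationale: str      # documented basis for the two ratings

def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1-9 scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(likelihood: str, impact: str) -> str:
    """Band the score: 6-9 High, 3-5 Medium, 1-2 Low."""
    score = risk_score(likelihood, impact)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def prioritize(register):
    """Remediation order: highest score first; asset name breaks ties."""
    return sorted(register, key=lambda r: (-risk_score(r.likelihood, r.impact), r.asset))

def report(register):
    """One documented line per risk, in remediation order."""
    return "\n".join(
        f"{risk_level(r.likelihood, r.impact):6} ({risk_score(r.likelihood, r.impact)}) "
        f"{r.asset}: {r.threat} via {r.vulnerability} [{r.cia}] - {r.rationale}"
        for r in prioritize(register))

# Constructed sample register, including media the post says are often overlooked.
SAMPLE_REGISTER = [
    Risk("Clinic laptops (BYOD)", "Device theft", "Disk not encrypted", "confidentiality",
         "likely", "severe", "Laptops leave the site daily with patient records cached locally"),
    Risk("Backup USB drives", "Loss in transit", "No encryption, no chain of custody",
         "confidentiality", "likely", "moderate", "Weekly offsite rotation; partial data per drive"),
    Risk("Cloud EHR vendor", "Vendor breach", "No due diligence beyond the BAA", "confidentiality",
         "possible", "moderate", "Vendor has a SOC 2 report that has not been reviewed since onboarding"),
    Risk("On-site server room", "Flooding", "Ground-floor room", "availability",
         "rare", "moderate", "Offsite backups limit loss to restore time"),
]
```

Calling `report(SAMPLE_REGISTER)` prints the register in remediation order, with the rationale alongside each rating so the documentation step is satisfied by the same record used for scoring.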
Summary
Conducting a thorough risk assessment is foundational to HIPAA compliance, and it is the first thing that will be assessed in the event of a breach. If you believe your organization needs help in conducting or improving your existing risk assessment process, it is important to seek the help of experienced audit and legal professionals to navigate the world of HIPAA compliance and conduct a compliant risk assessment.
Linford and Company has extensive experience working with organizations in helping them conduct risk assessments. Please contact us if you would like to learn more about how we can help you.
Resources
- The Office of the National Coordinator for Health Information Technology (ONC), “A Guide for Small Health Care Practices.” Reassessing Your Security Practices in a Health IT Environment – PDF.
- NIST SP 800-66, Section #4 “Considerations When Applying the HIPAA Security Rule.” http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf – PDF
- A draft publication, Managing Risk from Information Systems (SP800-39)
References
- [1] See OCR, "Guidance on Conducting a Risk Analysis." Available at professionals/security/guidance/guidance-risk-analysis/index.html
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.