The HIPAA Security Rule places so much emphasis on the importance of “Risk Analysis,” that it was positioned front-and-center as the first requirement in the first section of HIPAA – the Administrative Safeguards. Yet, as we do HIPAA compliance gap assessments for organizations, it is rare to find that a formal IT Risk Assessment has been completed, and rarer still to find that the IT Risk Assessment addresses what the authors intended.
The IT Risk Assessment is critical to safeguarding electronic protected health information or “ePHI.” HIPAA requires both covered entities and their business associates (service providers) to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity.” If you provide data center services to a healthcare provider or payer, you are most likely a “business associate” under HIPAA.
Not sure an IT Risk Assessment is all that important? If you’re in doubt, do a little research into what Leon Rodriguez, the Director of the HHS’ Office of Civil Rights or “OCR” has to say on the subject. OCR is the chief enforcer of HIPAA and recently fined a Massachusetts healthcare provider $1.5 million, stating in the 9/17/2012 press release that “OCR’s investigation indicated that [the organization] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices ….”
OCR’s comments on the importance of the IT Risk Assessment in HIPAA are a common theme. Whether in breach-and-fine press releases or speaking at conferences, the OCR consistently calls out lack of a “thorough risk analysis” on its short list of indicators that an organization has not established a culture of compliance – in essence, asserting that the organization is not showing evidence that they take HIPAA compliance seriously. If a breach occurs, this can mean the difference between getting a simple corrective action versus a hefty fine.
If you’ve concluded some attention may be needed in this area, the first step is to take inventory of your ePHI – Find out where is it created, stored, maintained or transmitted. The ePHI systems environment or “inventory” should consist of formal documentation that identifies the applications, data stores, system components, and service providers that support or protect the ePHI.
After you know what ePHI you have, how you get it, where you store it, and where it goes, you need to assess the risks that are posed to the ePHI in each of those areas. Most organizations have done this informally, and are managing their risks, but cannot demonstrate documented evidence of the “thorough risk analysis.” The formal IT Risk Assessment should cover the ePHI systems environment, and each point in the flow of ePHI where vulnerabilities, threats, and risks may exist. Out of this analysis, the organization can identify where the risks to EPHI are unacceptable and develop the remediation plan to reduce the risks.
For do-it-yourselfers, see the link below for guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
Additionally, the National Institute of Standards and Technology – NIST – has developed Special Publication number 800-30 entitled Risk Management Guide for Information Technology Systems. NIST SP 800-30 contains the widely-used methodology for performing IT Risk Assessments. See: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf