Conducting A HIPAA Risk Assessment
By Bill Ahrens and Justin Frazer
There is a longstanding trend among healthcare providers to embrace digital technologies to manage, access, share and store patient information.
Consequently, there is also an industry-wide need to ensure these digital ecosystems are compliant with regulations, in particular the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
While protecting patient data should be enough incentive on its own to motivate health professionals to secure protected health information (PHI), healthcare organizations, especially providers, can also receive significant penalties for non-compliance with HIPAA regulations, with fines ranging between $100 and $1.5 million per violation. Unfortunately, violations are not uncommon.
Healthcare IT leaders are not blind to the fact that protecting PHI should be high on their to-do lists: according to a recent national survey of stand-alone providers and provider offices, the top IT and compliance concern is protecting patient information. However, regardless of the known risk for not protecting PHI properly providers still fail in this area due to several contributing factors.
Breaches can occur due to phishing attacks, hijacked websites, computer viruses, Wi-Fi hacking and numerous other external sources. Healthcare providers are also particularly susceptible to insider threats that can result in significant PHI breaches.
So how can providers get a jump on safeguarding PHI effectively and in such a way as to be compliant? The first step is to conduct a risk assessment.
WHAT IS A RISK ASSESSMENT?
Also sometimes known as a security assessment or risk analysis, a risk assessment (referenced at 45 CFR § 164.308(a)(1)(ii)(A)) is a comprehensive look at a healthcare organization’s security posture and structure that aims to uncover potential threats and vulnerabilities within the IT ecosystem. A risk assessment can assure the confidentiality, integrity, and availability of electronic PHI held by a healthcare organization.
PROVIDERS STAY HIPAA COMPLIANT WITH RISK ASSESSMENTS
Conducting a risk assessment specifically aimed at HIPAA compliance is an essential step to keep PHI safe while avoiding breaches and penalties for violations. It’s also important to note that, for providers, regular (i.e., at least annual) risk assessments are essential.
A risk assessment is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. Moreover, risk assessments can do more than just help organizations stay compliant; they can help providers and others who have access to PHI address possible vulnerabilities outside of the regulations.
While compliance with privacy regulations is mandatory, it is usually not enough to protect an organization against data breaches. A more effective option for providers is to adopt a risk-based approach to cybersecurity that performs a holistic assessment of the threats facing the organization and the vulnerabilities in its current operating environment.
HIPAA RISK ASSESSMENT TEMPLATE
While there isn’t an official risk analysis method, HHS does provide guidelines to ensure that the risk assessment meets its ultimate goal: to help organizations understand how their technologies and strategies line up with HIPAA and implement the necessary security measures in their operational environment.
Although foundational to the overall security posture of the organization, the risk assessment is an item that many organizations overlook. HHS lays out the aims of a HIPAA risk assessment for healthcare organizations as follows:
- Determine Scope: Scope of the analysis needs to encompass all forms of e-PHI that the organization creates, receives, maintains, or transmits.
- Collect Data: Gather all pertinent information (i.e., where and how e-PHI is generated, stored, accessed, and disposed); don’t overlook e-PHI maintained by third parties.
- Identify Threats and Vulnerabilities: Identify any potential sources that could impact the confidentiality, integrity or availability of e-PHI.
- Assess Likelihood of Threat: Assess the probability that each identified threat could occur, based on the organization’s current security measures in place.
- Assess Impact of Threat: For each identified threat, assess the impact of its occurrence (i.e., level of damage to the organization).
- Assess Level of Risk: Typically performed by calculating the average of the likelihood and impact of the threat occurrence as determined in the previous two steps.
- Document: Clearly document the findings of the previous steps in a clear and easily understandable format.
- Monitor & Update: The risk assessment should be reviewed periodically to ensure no changes to the risk profile; in addition, HIPAA requires new assessments when significant changes occur to the environment.
RECOMMENDED RISK ASSESSMENT TOOLS FOR HIPAA COMPLIANCE
There are several toolkits available for organizations that want to assess their HIPAA compliance and security practices around PHI. Some tools for conducting a risk assessment include:
- The HHS website can be referenced for guidance on HIPAA Risk Analysis, and provides a wealth of information for small organizations on performing a risk assessment on their own
- The NIST HIPAA Security Toolkit Application, which was developed by the National Institute of Standards and Technology (NIST), assists organizations with understanding the requirements of the HIPAA Security Rule and ways to implement the necessary administrative, physical and technical safeguards to meet those requirements.
- Another self-service tool is the HIPAA Security Risk Assessment (SRA) Tool jointly developed by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR).
Often, however, it can be difficult — especially for small providers with limited resources — to ensure that an in-house security team has conducted a thorough audit. This is where a third-party risk assessment can prove helpful.
By tapping an outside source to conduct the assessment and provide actionable feedback, the provider can ensure that the assessment touches all places PHI could be lurking and can provide help in closing security gaps.
Contrary to what the headlines may suggest, many small medical practices have been investigated by OCR and subjected to HIPAA audits. In addition, many healthcare organizations – as well as their business associates – overlook the need to conduct a risk assessment from a HIPAA privacy perspective, which is equally as important as conducting a security risk assessment, but typically receives less attention.
As a leading change facilitator in this era of sweeping health care reform, the Mazars Healthcare Practice offers healthcare payers and providers a powerful combination of service and results-oriented strategy to help them meet their business goals, overcome challenges, and improve performance. For more information about their timely, valuable information and insights into policies, best practices and industry developments, visit mazarsusa.com/hc.