This article first appeared in Administrative Eyecare (July/August 2018) and is reprinted here with permission from the American Society of Ophthalmic Administrators (ASOA). Originally published by Jeanne S. Holden.
A quick look as enforcement actions reveals that risk analysis is crucial to successful compliance with the HIPAA Security Rule. This article builds on “HIPAA, Hidden Risks, and Security Risk Analysis” (July/Aug 2016 AE) and helps to clarify the confusion some practices might experience when trying to be in compliance.
In February 2017, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), fined Children’s Medical Center of Dallas $3.3 million for impermissible disclosure of unsecured electronic protected health information (ePHI) and noncompliance. “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correctly them, is essential,” said then-Acting OCR Director Robinsue Frohboese.
One year later, Fresenius Medical Care North America agreed to pay $3.5 million for failing to implement risk management plans and failing to deploy measures to protect ePHI. “The number of breaches , involving a variety of locations and vulnerabilities, high-lights why there is no substitute for enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino.
Inadequate risk analysis and management are recurring themes in HIPAA settlement and corrective action plans. In fact, healthcare providers sometimes think they have met the risk analysis requirement when they have not. Below, questions practices might consider to avoid costly HIPAA fines.
Security risk assessment (SRA) is the first step in complying with the HIPAA Security Rule. “Quite simply, you cannot protect your data against threats that you don’t know exist,” said Cathy Bryant, RB, CHPC, Manager, Product dev elopement and Consulting Service, Texas Medical Liability Trust. HIPAA requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”
Bryant emphasized the need to act once risks are identified. The Security Rule requires that covered entities “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
There are many ways to perform an SRA, but no single method guarantees HIPAA compliance. The National Institute of Standards and Technology’s Guide for Conducting Risk Assessments (SP 800-30) outlines examples of steps the process might include. Additionally, a risk analysis must incorporate these elements regardless of method:1
- Define the scope
- Gather data
- Identify/document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood/potential impact of threats
- Determine the level of risk
- Finalize documentation
Yet the Security Rule does not specify how often to perform risk analysis. “Conducting an SRA every 1-2 years is currently best practice,” advised Bryant. A written policy and procedures detailing how your organization will conduct an accurate and thorough assessment as well as how it will be periodically reviewed and updated is required.
Most experts recommend an update after any significant operational of environmental change or security incident. According to Kimberly L. Cappleman, an attorney with Phelps Dunbar LLC (Tupelo, Miss), certain questions can help a practice determine if a new assessment is needed. For instance, has your organization
- Added new healthcare components or information systems not considered in previous SRAs?
- Executed appropriate business associate agreements for all new business associates?
- Implemented comprehensive policies and safeguards to protect mobile devices containing ePHI?
- Planned any new technologies or business operations and how security risks might be addressed in the planning stages?
Meaningful Use and Misconceptions
In Bryant’s view, the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs brought SRA out of the shadows by requiring eligible providers to attest to having conducted or reviewed a risk analysis that met HIPAA standards for each EHR reporting period,
“SRA has been a required measure since Meaningful Use Stage 1,” said Chris Dean, CSSA, Netgain EHR analyst (St. Cloud, Minn.). She explained, “Not only does it continue as a required objective in the MIPS and APM programs, the SRA requirements have mostly stayed the same, with the HIPAA Security Rule governing the objectives.”
But many providers have had to return incentive payments because they couldn’t provide SRA documentation when audited. Why might this happen?
One common misconception is that practices can fulfill the SRA requirement simply by installing certified EHR technology (CEHRT). But, event with CEHRT, a practice must perform a full security risk analysis.2
Another misconception is that “practiced don’t’ need to conduct an SRA because their EHR or IT vendor handles everything,” said Dean. A vendor may provide information, assistance, and training on privacy and security aspects of the applications, but it is “solely the responsibility of the practice to have or conduct a complete risk assessment,” she explained.
Finally, the breadth of HIPAA’s SRA requirement, which covers all electronic devices that create, maintain, receive, or transmit ePHI, is often misunderstood. “Almost every organization I work with has ePHI outside its EHR that is not considered in internally conducted SRAs,” said Bryant. Ophthalmology practices, for example, routinely use diagnostic devices for visual field measurements. Patient identifiers are entered into the device, which has a digital memory for recalling results. “Data in that device must be protected in the same way and to the same degree as ePHI in an EHR,” Bryant emphasized.
Conducting an enterprise-wide SRA is extremely challenging. To help covered entities and especially small and medium-sized providers, the Office of the National Coordinator for Health Information Technology and OCR issued an improved HIPAA Security Risk Assessment Tool in 2016.3 It is a self-contained operating system for Windows devices and iPads that contains 156 questions. Using the Tool does not guarantee compliance, but it can help ensure an SRA is thorough and organized.
However, many practiced do not have staff specializing in HIPAA and “well-meaning staff may not provide an accurate picture of an organization’s security posture,” said Bryant. Similarly, Dean stressed that – given the current cybersecurity landscape, the risks of a data breach, increased HIPAA penalties, and the prevalence of audits – many experts now recommend that practices have SRAs performed by a third-party expert.
“Security is not an IT problem, it is a business problem,” Dean concluded.
1HHS OCR. (Content last reviewed 2017, Mar 9). Guidance on risk analysis. https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
2HealthIT.gov. (Content last updated 2014, Mar 28). Top 10 myths of security risk analysis. https://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
3HHS ONC. (2016, Oct 13). Revised HIPAA Security Risk Assessment Tool now available, Health IT Buzz, https://www.healthit.gov/buzz-blog/health-it-security/revised-hipaa-security-risk-assessment-tool/