The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information could be at risk.
The HIPAA was developed by the National Institute of Standards and Technology (NIST) and is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target uses include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services.
The Department of Health and Human Services requires all organizations handling protected health information (PHI), including HIPAA hosting providers, to conduct a risk analysis as the first step toward implementing safeguards specified in the HIPAA Security Rule, and ultimately achieving HIPAA compliance.
But what does a risk analysis entail, and what do you absolutely have to include in your report? The HHS Security Standards Guide outline nine mandatory components of a risk analysis that healthcare organizations and healthcare-related organizations that store or transmit electronic protected health information must include in their document.
Any potential risks and vulnerabilities to the privacy, availability, and integrity of the PHI, such as portable media, desktops, and networks. Network security between multiple locations is also important to include in the scope of the analysis and may include aspects of your HIPAA hosting terms with a third party or business associate.
Where does the PHI go? Locate where the data is being stored, received, maintained or transmitted. Again, if you’re hosting health information at a HIPAA compliant data center, you’ll need to contact your hosting provider to document where and how your data is stored.
Identify and document any anticipated threats to sensitive data, and any vulnerabilities that may lead to leaking of PHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution.
What kind of security measures are you taking to protect your data? From a technical perspective, this might include any encryption, two-factor authentication, and other security methods put in place by your HIPAA hosting provider.
Take account of the probability of potential risks to PHI—in combination with #3 Potential Threats and Vulnerabilities, this assessment allows for estimates on the likelihood of ePHI breaches.
By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization. How many people could be affected? What extent of private data could be exposed—just medical records, or both health information and billing information combined?
Take the average of the assigned likelihood and impact levels to determine the level of risk. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk.
Write everything up in an organized document. There is no specified format for this, but it is required to have the analysis in writing.
It is important to conduct a risk analysis on a regular basis. While the Security Rule doesn’t set a required timeline, it is recommended for organizations to conduct another risk analysis whenever the company implements or plans to adopt a new technology or business operation. This could include switching your data storage methods from managed servers to cloud computing, or any ownership or key staff turnover.
As most healthcare providers know, HIPAA requires that covered entities or business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Providers who receive Meaningful Use incentive payments from the Centers for Medicare and Medicaid Services for implementing electronic health record systems into their practices or operations are also likely aware of the fact that one of the many requirements for these incentive payments is to conduct a HIPAA security risk analysis annually.
Now more than ever, the importance of ensuring that these risk analyses are performed are being demonstrated, or providers can face dire consequences. Below are the top reasons to conduct a thorough HIPAA security risk analysis.
1. Avoid HIPAA fines and penalties. HIPAA fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.
2. Achieve EMR Meaningful Use and receive incentive payments. If you have not performed a HIPAA security risk analysis annually, as required by the Meaningful Use program, you may have received improper Meaningful Use payments from CMS. Federal regulations require documentation be kept for six years that supports the demonstration of meaningful use as required by the incentive program.
3. Avoid potential False Claims Act Liability for improper Meaningful Use payments. False Claims Act liability can attach to providers certifying to Meaningful Use requirements without performing the mandated annual HIPAA security risk analysis. If the annual risk analysis has not been performed, the provider is not entitled to the EHR incentive payments for meaningful use. In the event a provider discovers an improper incentive payment, there are voluntary refund avenues available to diffuse the enforcement risk associated with these overpayments.
4. Protect your patients’ health information and your reputation. Your reputation as a healthcare provider is built on trust. This trust inherently assumes your patients’ sensitive health and financial information is adequately protected, and that risks and vulnerabilities that threaten that protection is meaningfully addressed. Should you have a significant breach or security incident, your patients will know about it. In part, because you are legally obligated to inform them, but it could also become headline news. Performing thorough HIPAA security risk analyses ensures that you are doing everything that you can to protect your patient’s PHI, which protects your reputation as their trusted healthcare provider.
5. Avoid investigative or litigation costs associated with non-compliance. With any enforcement action comes heightened costs, including but not limited to fines, penalties, treble damages, and even potential imprisonment. For example, under the False Claims Act, a provider could be liable for penalties up to $21,563 per claim wrongfully submitted, in addition to treble the amount received/billed to the government. As earlier noted, under HIPAA, fines can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation. Under certain circumstances, individuals involved in submitting the claims could personally be held liable as well. Voluntarily refunding improper incentive payments is a much cheaper avenue to take.
There are five main areas providers need to address to meet HIPAA Security Rule requirements:
Conducting a HIPAA Security Risk Analysis may sound daunting at first, but it will be made easier by the understanding of the Security Rule. Once you have a full grasp of that, the next steps will be easier to implement.