Covered Entities and Business Associates must perform a yearly Risk Assessment under HIPAA law according to §164.308, the Security Rule. It was first added in 2003 in the Privacy Rule but was later expanded by the HIPAA Security Rule to cover the administrative, physical, and technical safeguards. This was further updated by the Final Omnibus Rule to include Business Associates in the mandate to conduct a Risk Assessment. The expansion in HITECH also increased the fines that both Covered Entities and Business Associates could be assessed for non-compliance with HIPAA.
What is a Risk Assessment?
A Risk Assessment, under HIPAA regulations, is meant to be the starting point for your compliance. A Risk Assessment will show you the areas where your organization’s Protected Health Information (PHI) may be at risk, what your likely threats are, your current protective measures, and where you need to improve. The purpose of a Risk Assessment is to create a road map for your HIPAA compliance. It is the starting point, you can’t be compliant without a Risk Assessment.
What goes into a Risk Assessment?
One of the points of confusion for those that must perform a Risk Assessment is that there are no specific guidelines issued by the US Department of Health and Human Services for one. The main reason for this is that all Covered Entities and Business Associates differ greatly in size and complexity. Imagine trying to use a Risk Assessment template for a hospital for a small practice. It doesn’t fit.
What HHS does provide is the ultimate goal of what should be achieved by a Risk Assessment. A Risk Assessment should identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the PHI that an organization creates, receives, maintains or transmits.
One of the most common frameworks in cybersecurity for Risk Assessment is the one created by the National Institute of Standards and Technology (NIST). It is a comprehensive approach to security and can be tailored to most organizations. The NIST Cybersecurity Framework is broken into the following parts:
- Identify – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
- Protect – “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
- Detect – “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
- Respond – “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
- Recover – “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”
The Risk Assessment is the Identify part of the framework. At this stage, an organization will identify where the ePHI resides within their organization. Depending on your own situation, this could be a lot of places or in a few. But rest assured, you have ePHI in your organization.
Once you identify the places that ePHI resides, you must assess the risks that this ePHI is under. Is your entity in a high crime area? If so, then theft of your hardware is a possibility. How likely is your data to be accessed incorrectly by employees? Are hackers a threat to you? In this modern age, hackers are a threat to every practice. nearly 50% of all breaches reported happened due to a hacking incident.
Are natural disasters a possibility? This impacts the availability portion of the data. If a tornado destroys your practice, how can you recover the data and make it available again? Risk isn’t always about hackers or rogue insiders.
The main purpose here is to decide, given your own specific circumstances, what are your “reasonably anticipated” threats? Offices in Miami aren’t worried about earthquakes and those in Minnesota aren’t worried about hurricanes.
When you have these threats, give them a score on the likelihood of being compromised and what a compromise would mean for your organization. Would it be a total breach of all patient data or single records?
After you have assessed your threats, you need to look at the current measures you have in place to mitigate the threats. Where are they lacking? What needs to be improved?
Document everything in your final Risk Assessment. It should include the following:
- Where is your ePHI?
- What are the threats?
- Score the threats on the likelihood
- What are your current protective measures?
- What needs to be changed or fixed?
The cloud doesn’t remove ePHI responsibility
Because of confusion about how ePHI works, some providers think that if they are using a cloud-based EMR, they don’t have ePHI on their systems. Because of this, they may think HIPAA no longer applies to them. Unfortunately, this is completely incorrect. Even if a practice uses a cloud-based EMR, they will have ePHI on their local systems. Faxes are still received locally whether via paper or electronically. Patients will bring in information that must be scanned in. Some sites may be using paper forms for patient intake that will be scanned into the EMR. Also, some insurance payers will send paper remits to the office. All of these once scanned in, are stored locally on computers.
In addition, if an attacker were to breach the practice’s network, for example, with a phishing attack, and capture the login credentials for the practice’s cloud-based EMR, who would be responsible for the breach? The breach didn’t occur at the EMR. It occurred at the practice because of the lack of protection and possibly, training. The practice would be the responsible entity.
Insurance won’t save you
Another common belief is that having cybersecurity insurance will protect you if a breach happens. This isn’t the case if you haven’t performed your Risk Assessment and your due diligence. When applying for cybersecurity insurance, insurance companies require that you perform a Risk Assessment and document it. You must provide this to them before coverage will be issued. An example where a Covered Entity stated that they had a Risk Assessment but didn’t can be seen with Cottage Healthcare. They indicated that a Risk Assessment had been performed to their insurance company. After a breach, the insurance company investigated and found that an assessment had not been performed and denied to pay the claim. Insurance companies want you to be secure. So they require you to follow the law. They aren’t there so that Covered Entities (or Business Associate) can transfer all risk to them.
The Risk Assessment is just the starting point
After you have completed your Risk Assessment, you need to remediate any of the deficiencies it found. This is a critical point that many organizations often overlook. The Risk Assessment alone isn’t enough. If it finds deficiencies, they must be addressed. Otherwise, you really didn’t do anything to protect your ePHI. Knowing you have deficiencies but not addressing them is worse than not knowing. This could possibly be seen as Willful Neglect.
After you have remediated all of the issues discovered in your Risk Assessment, perform another Risk Assessment so you can document that you found the issues and corrected them. Be sure to keep both copies in your HIPAA documentation.
Each year after you perform a new Risk Assessment. be sure to keep all of the previous ones together. HHS will ask for all Risk Assessment in a given period in the event you are audited.
What are the fines for not performing a Risk Assessment?
A specific case that can be cited is that of North Memorial Health Care of Minnesota. They were fined $1.55 million for failing to perform a Risk Assessment.
Get your Risk Assessment performed and find out what you need to address in your practice (or business). HIPAA is about protecting the privacy of the patient records in your care. Performing your Risk Assessment is the first step in protecting patient data.