HIPAA Risk Assessments – A Necessary Evil | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA risk assessments are not only a necessary evil but also a regulatory requirement. This requirement is found in the HIPAA Security Rule implementation specification, § 164.308(a)(1)(ii)(A), which states that covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization.

Guidance provided by the U.S. Department of Health and Human Services (HHS) states that “There are numerous methods of performing risk analysis and there is no single method or ‘best practice’ that guarantees compliance with the Security Rule.” The overall goal of the assessment process is to determine compliance with the HIPAA Security Standards and implementation specifications along with HITECH and applicable parts of the Omnibus Rule. This determination is vital to assessing whether or not an organization has the appropriate security measures in place to safeguard ePHI.
Regardless of the size of the organization, the number of patients or patient records, or how much or how little ePHI is held, a risk assessment needs to be conducted. A checklist will not suffice. An assessment must include a gap analysis, which is a determination of the level of risk posed by each question asked during the process. A good risk assessment should also include a mitigation plan that addresses how to fix or correct the moderate to high levels of risk that were discovered.

So why are some healthcare organizations and business associates not conducting these required assessments? My speculation is that they do not know what an accurate and thorough assessment consists of, or that they are uneasy about the process. There may not be in-house resources to conduct the assessment, or there may be a reluctance to bring in a third-party consultant to provide this support.

In a June 2017 HHS Office of Inspector General report, the Centers for Medicare & Medicaid Services was audited to determine whether Medicare EHR incentive payments to eligible professionals were in accordance with federal requirements. Although the sample size was small, it was used as a projection basis regarding the payments. The report indicated that some eligible professionals did not maintain or provide attestation support to meet core requirements. This included not conducting the required risk assessments, which is one of those core requirements.

In recent HIPAA violation settlements announced by the HHS Office for Civil Rights (OCR), a number of case press releases indicated that the investigations into these organizations revealed that accurate and thorough risk assessments had not been conducted. This lack of assessments has been a constant theme for most organizations that settle with OCR in HIPAA violation cases.

What I tell potential clients who have never conducted a HIPAA risk assessment is that the first time is painful, but necessary. Risk assessments must be done to determine the vulnerabilities and threats to the ePHI that is stored, transmitted, created, and accessed. Once we locate the weaknesses, we can work on mitigation. A risk assessment will not be an overnight fix, but an exercise in ongoing HIPAA compliance program management.