The positions “Risk Analysis,” at front-and-center in the first section of HIPAA – the Administrative Safeguards. Yet, it is rare to find that a formal IT Risk Assessment has been completed, and rarer still to find that the IT Risk Assessment addresses what the regulators intended.
The IT Risk Assessment is critical to safeguarding electronic protected health information or “ePHI.” HIPAA requires both covered entities and their business associates (service providers) to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity.” According to Leon Rodriguez, the Director of the HHS’ Office of Civil Rights while discussing the $1.5 million fine on the Massachusetts primary healthcare provider, “OCR’s investigation indicated that [the organization] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices ….” In case of another HIPAA breach in Alaska, “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
OCR’s comments on the importance of the IT Risk Assessment in cases of HIPAA violations are a recurring theme. Again and again, the OCR consistently refers to a lack of a “thorough risk analysis” on its short list of indicators– in essence, asserting that the organization is not showing evidence that they take HIPAA compliance seriously. If a breach occurs, this can mean the difference between getting a simple corrective action versus a hefty fine. Thor Ryan, chief security officer at the Alaska Department of Health and Social Services learned his lesson the hard way and offers valuable advice as a result of his organization’s $1.7 million settlement following a HIPAA compliance investigation, triggered by a small breach incident.
“The key lesson, he says, is to take ongoing action to comply with HIPAA and carefully document all those steps. Any steps you’re doing for compliance, be expedient.” Ryan urges. “With the benefit of hindsight, we would’ve saved millions of dollars” in settlement and other costs if the department had taken several steps sooner – including making widespread use of encryption, updating a risk assessment and ramping up HIPAA compliance training.”
What specific activities should healthcare executives sponsor in their organizations in the domain of information security risk management?
1. Conduct a comprehensive information security risk assessment: HIPAA lists risk assessment as first among its implementation specifications, suggesting its relative importance. No healthcare organization can make any progress in information security without identifying and mitigating threats to protected health information as well as vulnerabilities in organizational security policies, procedures, and practices. The privacy and security team should tackle this as the first step in building its program using a comprehensive method that meets the NIST guidelines.
2. Establish a security management program: HIPAA clearly intends for healthcare organizations to incorporate information security management into their routine administrative processes.
3. Sponsor an information security risk management process: As the privacy and security team conducts its risk assessment, it will identify specific strengths and weaknesses in the existing health information security program. In order to overcome weaknesses and sustain strengths, the team must design, implement, and evaluate a health information security risk management plan.