We get it – if you’re like many of the healthcare organizations we’ve encountered in the last couple of decades, your medical records staff is probably stretched thin enough without the added burden of conducting annual privacy or security risk assessments. However, one of the most common factors present in OCR settlement agreements (including the record-setting $5.5 million settlement agreement in 2016) is that the covered entity or business associate failed to conduct a risk assessment.
As daunting as the task may feel, a comprehensive risk assessment is required by the Health Insurance Portability and Accountability Act (HIPAA) and is well worth the effort if you want to avoid added stress on your organization and protect your hard-earned revenue. So, if risk assessments are so important, why do so many providers continue failing to conduct them?
Despite some common misconceptions, risk assessments don’t have to be an insurmountable obstacle for your staff or your budget. Below are some practical tips for staying on top of your privacy and security risk assessments to keep your practice in compliance and running smoothly.
What exactly is a risk assessment?
A risk assessment (or risk analysis) is defined in the 2003 HIPAA Security Rule (45 CFR § 164.308) as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the Covered Entity or Business Associate”. While risk assessments are required under the HIPAA Security Rule, there is no particular methodology outlined, as the most appropriate method will vary by organization.
The US Department of Health & Human Services (HHS) does, however, identify the objective that your risk assessment must accomplish: “to identify potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that an organization creates, receives, maintains, or transmits” (hipaajournal.com). In order to achieve this, two different types of risk assessments are needed: privacy and security risk assessments.
A security risk assessment (SRA) is what most organizations first picture when addressing the risk assessment requirement: that is, an analysis of how secure their PHI is against hacks and technology breaches. A privacy risk assessment (PSA) involves a bigger-picture look at your internal and external workflows, including the appointment of a Privacy Officer and the development of a HIPAA privacy compliance program to eliminate gaps in the flow of PHI through your organization.
Why are risk assessments so important?
In the years since the HIPAA rule was first implemented, fines for non-compliance were determined based on several factors including the level of negligence contributing to the violation – the lowest fines being given to organizations that were not aware they were violating HIPAA. In recent years, it has generally been accepted that there is no reasonable excuse for an organization not to understand its responsibility to protect PHI; therefore, more and more fines are being issued under the more severe category of “Willful Neglect” (hipaajournal.com).
One of the largest settlement fines on record was $5.5 million against the Advocate Health Care Network in 2016 – but it isn’t only large health systems that are at risk of data breaches or OCR audits. Smaller medical practices are increasingly being targeted with cyberattacks, making them vulnerable both for their own information and as part of a stepping stone approach for the attacker to get into larger health IT companies.
In addition to being issued a sizeable fine, organizations in violation of the HIPAA Security Rule are generally required to comply with ongoing OCR monitoring for a period of 3 years (hhs.gov). If an annual risk assessment seems like a costly undertaking, you definitely don’t want to put your organization through this added stress.
So, how can healthcare organizations of all sizes and scopes reasonably keep up with risk assessment requirements?
Tips for keeping up with risk assessment best practices efficiently & affordably
- Don’t wait for a major change in your office or facility to happen; have a privacy and security risk assessment scheduled on an annual basis. Healthcare is a fast-paced environment, with countless high-priority tasks vying for your staff’s attention. It can be easy to put off starting a time-consuming project, however important it is. So, make an annual privacy and security risk assessment a required part of your procedure and get it on the calendar in advance. If you’re planning for any major changes to your organization’s systems or procedures, schedule time for a risk assessment after that change has been completed as well.
- Don’t stop at the risk assessment! Build time into your schedule to follow up on the results of your risk assessment and mitigate or remediate any privacy and security gaps identified. The risk assessment is your foundation for a compliance plan, but it does you no good if threats are not addressed.
- It’s okay to ask for help. If you don’t have the resources or feel comfortable conducting a PRA/SRA yourself, don’t break the bank or put yourself through the stress of trying. Your HIM vendor can likely assist you, and is probably better equipped to handle the task anyway. There are also free tools available to help you, including HHS’s free security risk assessment tool. (Don’t worry – using this tool does not mean HHS can see your assessment!)
- Leverage your PRA and SRA as a stepping stone to larger goals. Once you’ve invested in a risk assessment, maximize its value by using the mitigation and remediation process to help your organization adopt a known cybersecurity standard. Under recent legislation, this means that your organization will have reduced risk in as little as 1 year after the assessment was conducted.
Guidance on Risk Analysis Requirements under the HIPAA Security Rule: OCR, July 14, 2010.