A risk assessment helps covered entities ensure they are compliant with the HIPAA requirements in terms of physical, technical, and administrative safeguards. It also assists in showing potential areas where an organization might be putting PHI at risk.
All PHI and electronic PHI (ePHI) that a facility creates, receives, maintains or transmits must be protected, and the risk assessment is an important part of this process.
A healthcare provider can start its own analysis by tracking where it stores PHI. Databases, mobile devices, and cloud storage could all be places where PHI is stored or to which it is transferred. The next question is how that information is secured: Are all devices properly encrypted? Are the devices also password protected? Which employees have access to the databases, and do they need that access to do their jobs?
Staying HIPAA compliant is a necessity for healthcare organizations of all sizes, and performing a regular risk analysis, with the risk assessment it requires, helps keep patient PHI secure. No facility wants to become the next healthcare data breach target, and regularly monitoring all PHI storage points helps in the prevention process.
The HIPAA risk assessment
Under HIPAA regulations, the risk analysis is part of the administrative safeguard requirement. Covered entities need to evaluate the likelihood and impact of potential risks to e-PHI, implement appropriate security measures to address those risk areas, and document the security measures, according to HHS. Where appropriate, the reason for adopting those measures should also be documented.
Overall, there must be “continuous, reasonable, and appropriate security protections.”
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS states on its website.
By looking at the four factors that HHS uses to determine the probability that PHI was compromised in a potential breach, organizations can better understand how to review possible risk areas:
• What is the nature and extent of the PHI involved?
• Who is the unauthorized person who used the PHI or to whom it was disclosed?
• Was the PHI actually acquired or viewed?
• To what extent has the risk to the PHI been mitigated?
There are also other options available for covered entities to assist in their risk assessment process. The Office of the National Coordinator for Health Information Technology (ONC) has a Security Risk Assessment Tool. While not required under HIPAA regulations, “it is meant to assist providers and professionals as they perform a risk assessment.”
“The SRA Tool is a self-contained, operating system (OS) independent application that can be run on various environments including Windows OS’s for desktop and laptop computers and Apple’s iOS for iPad only,” states the ONC website. “The SRA Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities. Your ‘yes’ or ‘no’ answer will show you if you need to take corrective action for that particular item.”
Common risk assessment mistakes
One of the largest mistakes a covered entity could make with its risk assessment is to assume that one is enough. An organization’s entire risk management process should be regularly reviewed, and changes should be made as new technologies are introduced. New tools could affect where ePHI is stored.
For example, a provider might implement secure messaging options or decide to integrate new connected medical devices. Any of those new devices could be storing or transferring PHI, yet the original risk analysis did not include them. Overlooking them in a risk assessment could prove detrimental in a HIPAA audit, or if the information becomes exposed because it is not properly protected.
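The steps above describe a risk analysis in prose: inventory every place ePHI lives, ask whether each is encrypted, authenticated and accessible only to the roles that need it, rate likelihood and impact, document the result, and repeat when new devices appear. The following Python block is an added example of that loop as a small risk register; it is not from HHS, ONC, or the original article. The asset inventory, the likelihood weights per asset type, the record-count thresholds for impact, and the role-to-data-category policy are all assumptions constructed for the example, and the "documented last analysis" set is invented to show how a device added after the last analysis gets flagged.

```python
from dataclasses import dataclass

# Baseline likelihood (1-5) that ePHI is exposed, by where it lives, before missing
# controls are counted. These weights are assumptions for the example, not HHS figures.
BASE_LIKELIHOOD = {
    "database": 1,
    "workstation": 2,
    "cloud": 2,
    "medical_device": 2,
    "copier": 2,
    "mobile": 3,
}

# Assumed minimum-necessary policy: which workforce roles may see each ePHI category.
ALLOWED_ROLES = {
    "clinical": {"physician", "nurse"},
    "billing": {"billing", "physician"},
    "demographic": {"physician", "nurse", "billing", "registration"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                    # key of BASE_LIKELIHOOD
    records: int                 # patient records held by, or reachable through, the asset
    encrypted: bool              # ePHI encrypted at rest
    auth_required: bool          # authentication required before ePHI is reachable
    data_categories: frozenset   # keys of ALLOWED_ROLES
    roles_with_access: frozenset


def impact(asset):
    """Impact score 1-5 from how many records are exposed if the asset is compromised (assumed thresholds)."""
    for score, ceiling in ((1, 500), (2, 5_000), (3, 50_000), (4, 500_000)):
        if asset.records < ceiling:
            return score
    return 5


def excess_roles(asset):
    """Roles that can reach the asset but are not permitted for any ePHI category it holds."""
    permitted = set()
    for category in asset.data_categories:
        permitted |= ALLOWED_ROLES.get(category, set())
    return set(asset.roles_with_access) - permitted


def findings(asset):
    """Control gaps: the questions the analysis asks of every ePHI storage point."""
    gaps = []
    if not asset.encrypted:
        gaps.append("ePHI at rest is not encrypted")
    if not asset.auth_required:
        gaps.append("no authentication required to reach ePHI")
    extra = excess_roles(asset)
    if extra:
        gaps.append("access beyond minimum necessary: " + ", ".join(sorted(extra)))
    return gaps


def likelihood(asset):
    """Likelihood 1-5: baseline for the asset type plus one per missing control, capped at 5."""
    return min(5, BASE_LIKELIHOOD[asset.kind] + len(findings(asset)))


def rate(asset):
    """Risk score = likelihood x impact, bucketed into LOW / MEDIUM / HIGH."""
    score = likelihood(asset) * impact(asset)
    level = "HIGH" if score >= 15 else "MEDIUM" if score >= 8 else "LOW"
    return score, level


def assess(inventory, documented_names):
    """Rate every asset and list the ones absent from the last documented analysis."""
    results = {}
    for asset in inventory:
        score, level = rate(asset)
        results[asset.name] = {
            "likelihood": likelihood(asset), "impact": impact(asset),
            "score": score, "level": level, "findings": findings(asset),
        }
    uncovered = sorted(a.name for a in inventory if a.name not in documented_names)
    return results, uncovered


# Constructed inventory for the example; names and figures are invented.
SAMPLE_INVENTORY = [
    Asset("ehr-db", "database", 200_000, True, True,
          frozenset({"clinical", "billing", "demographic"}),
          frozenset({"physician", "nurse", "billing", "registration"})),
    Asset("nurse-tablet-07", "mobile", 1_200, False, True,
          frozenset({"clinical"}), frozenset({"nurse"})),
    # Unencrypted cloud share of clinical exports that billing staff can also open.
    Asset("clinical-export-share", "cloud", 80_000, False, True,
          frozenset({"clinical"}), frozenset({"physician", "nurse", "billing"})),
    # Connected medical device gateway added after the last analysis.
    Asset("infusion-pump-gw", "medical_device", 300, False, False,
          frozenset({"clinical", "demographic"}), frozenset({"nurse", "biomed_vendor"})),
]

# Assets named in the last documented risk analysis (constructed).
DOCUMENTED_LAST_ANALYSIS = {"ehr-db", "nurse-tablet-07"}


def run_assessment():
    return assess(SAMPLE_INVENTORY, DOCUMENTED_LAST_ANALYSIS)


if __name__ == "__main__":
    results, uncovered = run_assessment()
    for name, r in sorted(results.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['level']:6} {r['score']:>2}  {name}: {'; '.join(r['findings']) or 'no gaps'}")
    print("Not in the last documented analysis:", ", ".join(uncovered))
```

On the constructed inventory the unencrypted cloud export share that billing staff can reach rates HIGH, the unencrypted nurse tablet MEDIUM, and the infusion pump gateway LOW despite three missing controls because it holds few records. That last result is the kind of judgement HHS asks entities to document: a team that disagrees with the weighting changes the thresholds and records why. The gateway and the export share are also reported as absent from the last documented analysis, which is the "new device not in the original risk analysis" failure the text describes.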
If a healthcare data breach does occur and the incident is reported to OCR, the absence of a regular risk assessment often results in larger financial penalties for a facility.
In December 2015, the University of Washington Medicine (UWM) agreed to a $750,000 fine as part of a HIPAA settlement, stemming from a 2013 incident.
OCR found that UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”
OCR Director Jocelyn Samuels said in a statement that all too often covered entities conduct a limited risk analysis that only focuses on a specific system. That oversight can leave information vulnerable.
“An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data,” Samuels said.
Similarly, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to a HIPAA settlement in June 2016. Even though CHCS was a business associate, it was required to pay $650,000 and conduct a thorough risk analysis to ensure that it is properly implementing and documenting security measures.
OCR found that from the HIPAA Security Rule compliance date to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.”
Using findings to improve healthcare data security
As previously discussed, the risk assessment should review physical, technical, and administrative safeguards. When potential vulnerabilities are found, covered entities must make applicable changes to keep data secure.
For physical safeguards, this could include improved workstation and device security. Perhaps a facility realizes that nurse workstations are in public view. An automatic log-off after a period of inactivity could be beneficial, or the workstations could be moved to a more secure area.
In terms of technical safeguards, a hospital could find that its access control is lacking. For example, an employee who works in billing or finance does not necessarily need access to patients’ medical records. Ensuring that employees are authorized only for the “minimum necessary” information is a critical part of HIPAA compliance.
Finally, for administrative safeguards, this could include better workforce training or management. All workforce members should be trained on the facility’s security policies and procedures. As ransomware threats increase, for example, employees should be regularly trained on what the latest threats look like and how to respond.
Covered entities should remember that they must review all electronic devices that store, capture, or modify electronic protected health information. This goes beyond the EHR hardware, software, and devices that access EHR data. For example, copiers, tablets, and mobile phones could all store or have access to data.
It is not necessary to do a full risk analysis on an annual basis. However, if a new EHR is adopted, then a full one should be performed. Whenever changes occur, such as new devices being implemented, then a covered entity should review and update the prior analysis for any changes in potential risks.