A HIPAA risk assessment can be an important tool in helping covered entities determine how they can best improve their overall privacy and security measures. With two large-scale healthcare data breaches already announced in 2015, it is increasingly important for covered entities to know where ePHI is actually being stored and used, and to take appropriate measures to keep it secure.
The HIPAA risk assessment process is more of a journey, rather than a destination, according to Chris Bowen, MBA, CIPP/US, CIPP/IT, ClearDATA Founder and Chief Privacy Officer. In an interview with HealthITSecurity.com, Bowen said that it is essential for covered entities to actually take the risk assessment results and work toward fixing any weak points that were discovered. It is important to go beyond just checking off the box to receive Meaningful Use dollars, for example, he said.
“We’ve discovered that healthcare IT is just underprepared for what they need to do,” Bowen said. “They need to not only shore up their systems from a functional perspective and interoperability perspective, but now you layer on security and other types of controls to that, and they’re just overwhelmed.”
In general, there are three main reasons a HIPAA risk assessment takes place, according to Bowen. First, there is the proactive approach. This is where third-party organizations come into the picture, review the assessment, and see what gaps exist and how they can be fixed. For example, if cloud architecture or storage is being used at all, it is essential that it is secure.
Another common reason for a HIPAA risk assessment is that a covered entity is looking for Meaningful Use dollars, Bowen said.
Finally, there is the “never fun scenario.” This is where the Office for Civil Rights (OCR) has already knocked on a CE’s door and their legal team asks for help in solving privacy and security challenges.
Best practices for HIPAA risk assessments
One of the key things for facilities to keep in mind, according to Bowen, is to make sure it actually knows where all ePHI is being stored.
“Inevitably, every entity we do a risk assessment for, they say ‘Yeah we know where our PHI is, here’s the list.’ As we probe, do walkthroughs, ask other people other questions, we find a ton of PHI nobody even realized was sitting there,” Bowen said.
Jeff Krull, CPA, CISA, Partner at Baker Tilly Virchow Krause, LLP, agreed, saying that facilities often focus on their main ePHI application. However, upon further investigation, there are always other areas that use PHI.
For example, during discussions CEs might reveal that employees will sometimes email PHI. From there it is discovered that there is a BYOD policy in place and that the email system can be accessed through a smartphone. That reveals a “whole other layer of the onion” that needs to be dealt with in a risk assessment, he said. With a mindset of just running through a checklist and being done, Krull explained, a lot of aspects could be inadvertently overlooked.
“Our experience is rarely does that get you to a level of having that thorough comprehensive risk assessment,” Krull said. “It’s really the conversations in having those facilitated discussions that get you there.”
Oftentimes, individuals try to rationalize or justify what they have in the HIPAA risk assessment, and also justify their past decisions, Krull explained. Instead, the assessment is a tool that finds the risks; a facility then ranks them and develops a timeline to close down those risks.
For example, Krull said that if a CE asks if it’s okay that it does not encrypt its data, it’s a loaded question.
“I would describe it as if your servers are in Fort Knox and not encrypted, or are in a very secure facility and not encrypted, you can probably build some controls around that,” Krull said. “If your servers are sitting unencrypted under somebody’s desk in their office, that’s a totally different fact pattern.”
Essentially, the HIPAA risk assessment is meant to discover all of the factors in place and help management understand where the threats and vulnerabilities exist. If there are any gaps, the CE needs to determine how it will deal with them.
“That’s why you do it,” he explained. “You do it to uncover the findings and the risks and go deal with them.”
Going beyond the checklists
Both Bowen and Krull emphasized the importance of running comprehensive risk assessments and then taking the time to go through the results to make necessary changes.
According to Bowen, an important starting point is to ensure that the right people are involved in the process from the beginning. Working with third parties, such as legal counsel, can be beneficial.
“Pick your partners. It’s a circle of trust,” Bowen said. “Figure out who’s in it and use them. Don’t believe that you have to do everything by yourself.”
Healthcare organizations need to realize that there are partners in the marketplace that can help address the challenges that come with the HIPAA risk assessment, he explained.
Krull added that one of the biggest mistakes CEs can make is not getting the right people focused on legitimately thinking through the risks. It can be difficult, but Krull said that his biggest takeaway from conducting risk assessments is that a “good risk assessment isn’t running a checklist.” Facilities must take the next steps, process what they found, and work toward eliminating those issues.