HIPAA Risk Assessment Guide for Smaller Practices


Disconcertingly, one in four practices (25%) fails meaningful use audits by the Centers for Medicare and Medicaid Services (CMS). The #1 reason for failure is the absence of a full-spectrum healthcare risk assessment.

These assessments or analyses are important compliance measures, and you do have options in how to move forward. A risk assessment can be conducted in-house if you have the knowledge, or you can contract an outside provider. If you proceed with a healthcare-compliant risk analysis on your own, these are the key steps.


Step 1 – Use the ONC risk analysis tool.

A Security Risk Analysis (SRA) Tool is available from the Office of the National Coordinator for Health Information Technology (ONC). The ONC clarified that installing and going through this software is “not required by the HIPAA Security Rule [from the Health Insurance Portability and Accountability Act of 1996], but is meant to assist providers and professionals as they perform a risk assessment.”

While this tool is optional, walking through it is a good idea because it directs you through the concerns regulators want you to address. Government tools are not always user-friendly, and the design of the SRA Tool is not entirely intuitive, but its content is a genuine help in completing these projects.

The SRA Tool is formatted as a questionnaire with 156 questions. It essentially goes line by line through the regulations, turning each stipulation of healthcare law into a question of whether your organization is in the right position. As you answer the questions, you reveal the action steps you need to take to achieve compliance.

Step 2 – Review the HIPAA Security Rule safeguards.

To better understand why risk assessment is critical and how it functions, it helps to review the three-pronged safeguards – administrative, physical, and technical – within the Security Rule. These safeguards are integrally connected with a risk analysis: the Department of Health and Human Services’ (HHS’s) Security Rule summary noted that “by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.”

In other words, once you know what can go wrong for your organization and how likely each problem is, you will know where and how to bolster your defenses the most. Also be aware that “reasonable and appropriate” should not be misunderstood: the recent ruling (June 2018) in favor of the OCR and against a Texas cancer center highlights the fact that regulatory flexibility does not mean requirements are optional (i.e., reasonable measures that fit the situation must be taken).

The essentials of the safeguards are as follows, as indicated by HHS (and again, the specific safeguards you need will be revealed as you perform the risk assessment):

  • Technical safeguards – These defenses include controls related to transmission of data; integrity controls, which protect against the destruction or modification of data; audit controls, mechanisms to log activity within systems containing ePHI (electronic protected health information); and access controls, technologies and processes that keep unauthorized users from accessing confidential data.
  • Physical safeguards – These elements include device and workstation protections, including processes and policies for reuse, elimination, migration, and disposal of electronic media. They also include controls, access procedures, and policies that restrict building admittance.
  • Administrative safeguards – These protections include the need for internal assignment of a HIPAA security officer; the implementation of role-based access and other controls to prevent unauthorized exposure; assessment of the management process through which risks are regularly assessed and addressed; the existence of high-quality workforce training and management; and regular reassessment.

Step 3 – Follow advice from the HHS & MGMA.

The basic skeleton of a risk assessment is provided by the HHS in its Security Rule summary, and its parameters are interpreted and extended by the Medical Group Management Association (MGMA) in its 2017 report “Reducing Risk for Small Provider Practices,” published by the National Institute of Standards and Technology (NIST).

The HHS noted that it is important to gauge risks to health data in terms of how likely they are to occur and what the effect would be. Small providers should use this same approach, noted the MGMA, focusing especially on their use of the internet and the likelihood of the biggest online threats.

Another key element of a risk assessment, per the HHS, is to implement protections (which could take numerous forms, such as technologies, policies, and people) to meet the danger to ePHI posed by the risks you have revealed. The MGMA added that your concern is the extent to which you have the three types of HIPAA-mandated safeguards (technical, physical, and administrative) in place as described above. Another note from the MGMA is to prioritize. Center your efforts on the most problematic areas that often lead to breaches: remote access; email and texting; mobile access; and staff policies.

Also record the steps that you have taken to launch, maintain, and routinely review protections, said the HHS. As relevant (i.e., when you are not taking the standard approach), provide your reasoning.

Finally, said the HHS, the safeguards that you establish must be properly maintained over time (which is follow-through for the regular reassessment plans discussed above).

Another step you might want to take, from the MGMA, is to get verification from a standardized, independent assessment. “Encourage 3rd party security accreditation/certification,” said the association. One key way to do that is to go beyond HIPAA certification to additional measures such as a Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) audit, which is a systematized review of your systems following a plan laid out by the American Institute of Certified Public Accountants (AICPA).

Step 4 – Ensure all your business associates complete risk assessments.

The HHS also noted specifically that risk assessments are needed by all organizations that handle ePHI, including covered entities and their business associates. That means all companies and agencies that must concern themselves with HIPAA compliance (i.e., ones that handle sensitive health data) must also, by default, perform risk assessments. As you vet your business associates, be certain that risk analysis policies are written into business associate agreements (BAAs) and that each organization holds third-party certifications (as advised by the MGMA) such as SSAE 18 compliance.

By Marty Puranik
