HIPAA Risk Assessment Guide for Smaller Practices

Marty Puranik

HIPAA Risk Assessment Guide

Disconcertingly, one in four practices (25%) are failing meaningful use audits by the Centers for Medicare and Medicaid Services (CMS). The #1 reason for failure is the absence of a full-spectrum healthcare risk assessment.

These assessments or analyses are important compliance measures, and you do have options in how to move forward. A risk assessment can be conducted in-house if you have that knowledge. You can also contract an outside provider. To see how you would proceed with healthcare-compliant risk analysis on your own, these are the key steps.

Step 1 – Use the ONC risk analysis tool.

A Security Risk Assessment (SRA) Tool is available from the Office of the National Coordinator for Health Information Technology (ONC). The ONC clarified that installing and going through this software is “not required by the HIPAA Security Rule [from the Health Insurance Portability and Accountability Act of 1996], but is meant to assist providers and professionals as they perform a risk assessment.”

While this tool is optional, walking through it is a good idea because it directs you through the concerns regulators want you to address. Government tools are not always user-friendly, and the design of the SRA Tool is not entirely intuitive, but its content is a genuine aid in completing these projects.

The Security Risk Assessment Tool is formatted as a questionnaire, with 156 questions. It essentially goes line by line through the regulations, turning each stipulation of healthcare law into a question of whether your organization is in the right position. As you reply to the questions, you reveal the action steps for you to achieve compliance.

Step 2 – Review the HIPAA Security Rule safeguards.

To better understand why risk assessment is critical and how it functions, it helps to review the three-pronged safeguards – administrative, physical, and technical – within the Security Rule. These safeguards are integrally connected with a risk analysis: the Department of Health and Human Services’ (HHS’s) Security Rule summary noted that “by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.”

In other words, once you know what can go wrong for your organization and how likely each problem is, you will know where and how to bolster your defenses the most. Also be aware that “reasonable and appropriate” should not be misunderstood: the recent ruling (June 2018) in favor of the OCR and against a Texas cancer center highlights the fact that regulatory flexibility does not mean requirements are optional (i.e., reasonable measures that fit the situation must be taken).

The essentials of the safeguards are as follows, as indicated by HHS (and again, the specific safeguards you need will be revealed as you perform the risk assessment):

  • Technical safeguards – These defenses include controls related to transmission of data; integrity controls, which protect against the destruction or modification of data; audit controls, mechanisms to log activity within ePHI-containing systems; and access controls, technologies and processes that keep unauthorized users from accessing confidential data.
  • Physical safeguards – These elements include device and workstation protections, including processes and policies for reuse, elimination, migration, and disposal of electronic media. They also include controls, access procedures, and policies that restrict building admittance.
  • Administrative safeguards – These protections include the need for internal assignment of a HIPAA security officer; the implementation of role-based access and other controls to prevent unauthorized exposure; assessment of the management process through which risks are regularly assessed and addressed; the existence of high-quality workforce training and management; and regular reassessment.

Step 3 – Follow advice from the HHS & MGMA.

The basic skeleton of a risk assessment is provided by the HHS in its Security Rule summary, and its parameters are interpreted and extended by the Medical Group Management Association (MGMA) in its 2017 report “Reducing Risk for Small Provider Practices,” published by the National Institute of Standards and Technology (NIST).

The HHS noted that it is important to gauge risks to health data in terms of how likely they are to occur and what the effect would be. Small providers should use this same approach, noted the MGMA, focusing especially on their use of the internet and the likelihood of the biggest online threats.

Another key of a risk assessment, per the HHS, is to implement protections (which could be in numerous forms, such as technologies, policies, and people) to meet the danger to ePHI that is posed by the risks you have revealed. The MGMA added that your concern is the extent to which you have the three types of HIPAA-mandated safeguards (technical, physical, and administrative) in place as described above. Another note from the MGMA is to prioritize. Center your efforts on the most problematic areas that often lead to breaches: remote access; email and texting; mobile access; and staff policies.

Also record the steps that you have taken to launch, maintain, and routinely review protections, said the HHS. As relevant (i.e., when you are not taking the standard approach), provide your reasoning.

Finally, said the HHS, the safeguards that you establish must be properly maintained over time (which is follow-through for the regular reassessment plans discussed above).

Another step you might want to take, from the MGMA, is to get verification from a standardized, independent assessment. “Encourage 3rd party security accreditation/certification,” said the association. One key way to do that is to go beyond expecting HIPAA certification to additional measures such as a Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) audit, which is a systematized review of your systems following a plan laid out by the American Institute of Certified Public Accountants (AICPA).

Step 4 – Ensure all your business associates complete risk assessments.

The HHS also noted specifically that risk assessments are needed by all organizations that handle ePHI, including covered entities and their business associates. That means all companies and agencies that must concern themselves with HIPAA compliance (i.e., ones that handle sensitive health data) must also, by default, perform risk assessments. As you vet your business associates, be certain that risk analysis policies are written into business associate agreements (BAAs) and that each organization meets (as advised by the MGMA) third-party certifications such as SSAE 18 compliance.
