HIPAA Risk Assessment Guide
Disconcertingly, one in four practices (25%) is failing meaningful use audits by the Centers for Medicare and Medicaid Services (CMS). The #1 reason for failure is the absence of a full-spectrum healthcare risk assessment.
These assessments or analyses are important compliance measures, and you do have options in how to move forward. A risk assessment can be conducted in-house if you have the knowledge, or you can contract an outside provider. If you want to proceed with a HIPAA-compliant risk analysis on your own, these are the key steps.
Step 1 – Use the ONC risk analysis tool.
A Security Risk Analysis (SRA) Tool is available from the Office of the National Coordinator for Health Information Technology (ONC). The ONC clarified that installing and going through this software is “not required by the HIPAA Security Rule [from the Health Insurance Portability and Accountability Act of 1996], but is meant to assist providers and professionals as they perform a risk assessment.”
While this tool is optional, walking through it is a good idea because it directs you through the concerns regulators want you to have. Also, while government tools are not always user-friendly, and while the design of the SRA Tool is not entirely intuitive, its content is genuinely helpful in completing these projects.
The SRA Tool is formatted as a questionnaire, with 156 questions. It essentially goes line by line through the regulations, turning each stipulation of healthcare law into a question of whether your organization is in the right position. As you reply to the questions, you reveal the action steps you need to take to achieve compliance.
Step 2 – Review the HIPAA Security Rule safeguards.
To better understand why risk assessment is critical and how it functions, it helps to review the three-pronged safeguards – administrative, physical, and technical – within the Security Rule. These safeguards are integrally connected with a risk analysis: the Department of Health and Human Services’ (HHS’s) Security Rule summary noted that “by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.”
In other words, once you know what can go wrong for your organization and how likely each problem is, you will know where and how to bolster your defenses the most. Also be aware that “reasonable and appropriate” should not be misunderstood: the recent ruling (June 2018) in favor of the OCR and against a Texas cancer center highlights the fact that regulatory flexibility does not mean requirements are optional (i.e., reasonable measures that fit the situation must be taken).
The essentials on the safeguards are as follows, as indicated by HHS (and again, the specific safeguards you use will be revealed as you perform the risk assessment):
- Technical safeguards – These defenses include controls related to transmission of data; integrity controls, which protect against the destruction or modification of data; audit controls, mechanisms to log activity within ePHI-containing systems; and access controls, technologies and processes that keep unauthorized users from accessing confidential data.
- Physical safeguards – These elements include device and workstation protections, including processes and policies for reuse, elimination, migration, and disposal of electronic media. They also include controls, access procedures, and policies that restrict building admittance.
- Administrative safeguards – These protections include the need for internal assignment of a HIPAA security officer; the implementation of role-based access and other controls to prevent unauthorized exposure; assessment of the management process through which risks are regularly assessed and addressed; the existence of high-quality workforce training and management; and regular reassessment.
Step 3 – Follow advice from the HHS & MGMA.
The basic skeleton of a risk assessment is provided by the HHS in its Security Rule summary, and its parameters are interpreted and extended by the Medical Group Management Association (MGMA) in its 2017 report “Reducing Risk for Small Provider Practices,” published by the National Institute of Standards and Technology (NIST).
The HHS noted that it is important to gauge risks to health data in terms of how likely they are to occur and what the effect would be. Small providers should use this same approach, noted the MGMA, focusing especially on their use of the internet and the likelihood of the biggest online threats.
Another key element of a risk assessment, per the HHS, is to implement protections (which could take numerous forms, such as technologies, policies, and people) to address the danger to ePHI posed by the risks you have identified. The MGMA added that your concern is the extent to which you have the three types of HIPAA-mandated safeguards (technical, physical, and administrative) in place, as described above. Another note from the MGMA is to prioritize: center your efforts on the most problematic areas that often lead to breaches: remote access; email and texting; mobile access; and staff policies.
Also record the steps that you have taken to launch, maintain, and routinely review protections, said the HHS. As relevant (i.e., when you are not taking the standard approach), provide your reasoning.
Finally, said the HHS, the safeguards that you establish must be properly maintained over time (which is follow-through for the regular reassessment plans discussed above).
Another step you might want to take, from the MGMA, is to get verification from a standardized, independent assessment. “Encourage 3rd party security accreditation/certification,” said the association. One key way to do that is to go beyond expecting HIPAA certification to additional measures such as a Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) audit, which is a systematized review of your systems following a plan laid out by the American Institute of Certified Public Accountants (AICPA).
Step 4 – Ensure all your business associates complete risk assessments.
The HHS also noted specifically that risk assessments are needed by all organizations that handle ePHI, including covered entities and their business associates. That means all companies and agencies that must concern themselves with HIPAA compliance (i.e., ones that handle sensitive health data) must also, by default, perform risk assessments. As you select your business associates, be certain that risk analysis policies are written into business associate agreements (BAAs) and that each organization meets (as advised by the MGMA) third-party certifications such as SSAE 18 compliance.
By Marty Puranik