A Comprehensive HIPAA Risk Analysis in 7 Steps


Still not convinced that a HIPAA Risk Analysis is mandatory rather than optional? Here are a couple of historical headlines:

  • Oregon Health & Science University (OHSU) agreed to settle potential violations of the HIPAA Privacy and Security Rules after an investigation by the HHS Office for Civil Rights (OCR) found widespread and diverse problems at OHSU, to be addressed through a comprehensive three-year corrective action plan (CAP). The settlement included a $2.7 million payment by OHSU to OCR. OHSU had reported three desktops, one laptop and a back-up drive stolen. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise.
  • Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to OCR for violations of the HIPAA Privacy and Security Rules, entering into a settlement and Resolution Agreement with OCR. The case stemmed from several breach incidents FMCNA reported to OCR for 2012. What caught OCR’s attention were the five instances, all at different FMCNA facilities, of stolen desktop and laptop computers and USB drives. OCR decided to investigate, and one of its conclusions was that “FMCNA Covered Entities did not perform an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI.”

As you can see, penalties for violations can be steep. On top of the penalty there are the actual costs of correcting the violations and the damage to the organization’s reputation!


The 7 Steps of a HIPAA Risk Analysis

The 7 steps of a HIPAA risk analysis are not hard to describe, but they cover a lot of territory.

  1. Scope of the HIPAA Risk Analysis: takes into account all of the ePHI of the organization. It must include every source and every storage location; an analysis that misses some ePHI is exactly what OCR faulted OHSU for.
  2. Data Collection: identifies where ePHI is created, stored, received, maintained or transmitted, and documents it as an inventory.
  3. Potential Threats and Vulnerabilities: identifies and documents potential threats and vulnerabilities, including those unique to the organization or its environment.
  4. Current Security Measures: assesses and documents the security measures currently in effect and whether they are actually being used as intended.
  5. Likelihood of Threat Occurrence: assesses the probability that each threat will exploit a vulnerability and affect the confidentiality, integrity or availability of ePHI.
  6. Potential Impact of Threat Occurrence: assesses the impact on the confidentiality, integrity and availability of ePHI if the threat does occur.
  7. Level of Risk: assigns a risk level to each threat and vulnerability combination identified in the HIPAA risk analysis, typically by combining likelihood and impact, so that remediation can be prioritized.
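To make the seven steps concrete, here is an added example (not code from the original article or from any OCR guidance) of a minimal risk register in Python. It carries an ePHI inventory (steps 1 and 2), threat/vulnerability pairs with their current measures (steps 3 and 4), likelihood and impact ratings (steps 5 and 6), and a computed risk level (step 7). The 1–3 rating scale, the 3x3 risk matrix, the asset identifiers and all of the sample data are assumptions constructed for the example. It also performs the scope check that the OHSU and FMCNA findings turn on: every ePHI location in the inventory must appear in the analysis.

```python
"""Minimal HIPAA risk-analysis register (added example, assumed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative 1-3 scale for likelihood and impact (assumed; modelled on the
# Low/Medium/High scale used in NIST SP 800-30 style qualitative analyses).
RATING = {1: "Low", 2: "Medium", 3: "High"}


def score_to_level(score: int) -> str:
    """Map likelihood*impact (1..9) onto a risk level (assumed 3x3 matrix)."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class EphiAsset:
    """One place ePHI is created, stored, received, maintained or transmitted."""
    asset_id: str
    description: str
    location: str


@dataclass
class RiskEntry:
    """One threat/vulnerability pair against one inventoried asset."""
    asset_id: str
    threat: str
    vulnerability: str
    current_measures: list[str]   # step 4: what is in place today
    likelihood: int               # step 5: 1-3
    impact: int                   # step 6: 1-3
    risk_score: int = field(init=False)
    risk_level: str = field(init=False)

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in RATING:
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
        self.risk_score = self.likelihood * self.impact      # step 7
        self.risk_level = score_to_level(self.risk_score)


def uncovered_assets(inventory: list[EphiAsset], entries: list[RiskEntry]) -> list[str]:
    """Scope check (step 1): inventoried ePHI locations with no risk entry at all."""
    covered = {e.asset_id for e in entries}
    return sorted(a.asset_id for a in inventory if a.asset_id not in covered)


def prioritized(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first, so remediation follow-up starts at the top."""
    return sorted(entries, key=lambda e: (-e.risk_score, e.asset_id))


def unmitigated_high(entries: list[RiskEntry]) -> list[RiskEntry]:
    """High risks with nothing currently in place: the items needing action first."""
    return [e for e in entries if e.risk_level == "High" and not e.current_measures]


# Constructed sample inventory and findings (assumed identifiers and ratings).
INVENTORY = [
    EphiAsset("EHR-DB-01", "EHR database server", "data center"),
    EphiAsset("LAPTOP-07", "Clinician laptop with exported reports", "mobile"),
    EphiAsset("USB-01", "USB back-up drive for billing spreadsheets", "billing office"),
]

ENTRIES = [
    RiskEntry("LAPTOP-07", "Theft of laptop", "Disk not encrypted", [], 3, 3),
    RiskEntry("EHR-DB-01", "Exploitation of unpatched service", "Patches applied late",
              ["monthly patch cycle", "network segmentation"], 2, 3),
    RiskEntry("EHR-DB-01", "Insider browsing of records", "No access-log review",
              ["role-based access control"], 2, 2),
]


def summary(inventory: list[EphiAsset], entries: list[RiskEntry]) -> dict[str, list[str]]:
    """Return the three findings a reviewer wants from the register."""
    return {
        "uncovered": uncovered_assets(inventory, entries),
        "ranked": [f"{e.asset_id}: {e.threat} ({e.risk_level})" for e in prioritized(entries)],
        "act_now": [f"{e.asset_id}: {e.threat}" for e in unmitigated_high(entries)],
    }


if __name__ == "__main__":
    for key, lines in summary(INVENTORY, ENTRIES).items():
        print(key)
        for line in lines:
            print("  ", line)
```

In the sample data the USB back-up drive is inventoried but has no risk entry, so the scope check flags it; the unencrypted laptop ranks first and appears in the act-now list because nothing is currently mitigating it. A real register would hold many more rows and be re-run whenever the inventory changes.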


Completing a HIPAA Risk Analysis is a good start – but it isn’t enough

There are two more aspects of the HIPAA Risk Analysis.

  • The first is to follow up on the threats and vulnerabilities your analysis reveals. Don’t be one of those organizations that documents its risks and then fails to act on them in a timely way; OCR treats a known, unaddressed risk as seriously as an undiscovered one.
  • The second is employee awareness and training. A recent HIMSS Analytics survey of healthcare IT executives and professionals reported that 80% of them consider employee awareness their greatest security concern. Too often an unauthorized hospital employee viewing PHI becomes an embarrassment and a costly one!

Just two examples of where employee awareness can help minimize unauthorized disclosures of ePHI:

  • When it is absolutely necessary to put ePHI on a laptop or a removable storage device, make sure employees know how to encrypt things like reports or spreadsheets, and give them user-friendly tools to accomplish this. Encryption matters beyond good practice: ePHI encrypted in accordance with HHS guidance is not “unsecured PHI” under the Breach Notification Rule, so a lost encrypted device is not a reportable breach, whereas a lost unencrypted one is.
  • Continually emphasize the risks of opening email from someone you don’t know. We all receive email from addresses we don’t immediately recognize, but we can warn employees not to open email purporting to tell them about a package they weren’t expecting or something they won in a contest they didn’t enter.


How often should you repeat a HIPAA Risk Analysis?

OCR says the risk analysis process should be ongoing. After all, the Security Rule requires covered entities to review and update their security measures as needed and to document those updates. In practice, covered entities usually perform a formal, documented HIPAA risk analysis annually. But covered entities (CEs) and Business Associates should also update their risk analysis whenever there are significant changes to the technology in use, or to the scope of business operations that affect the creation, transmission or use of ePHI.

HIPAA breach disclosure requirements and notification rules need to be well understood. The OCR breach portal (the “Wall of Shame”), which lists reported breaches of PHI affecting 500 or more individuals, added over 400 listings in the past two years. A HIPAA Risk Analysis can really be the ounce of prevention that avoids the cost of several pounds of cure!

When you need proven expertise and performance

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.