What are the HIPAA Rules for a Risk Assessment?


What are the HIPAA Rules for a Risk Assessment? There have been significant new clarifications based on a recent settlement and Resolution Agreement (RA).

The HIPAA Rules for a Risk Analysis were clarified in a recent Resolution Agreement (RA). The RA was imposed in a recent settlement with Peachstate Health Management and contained a few new provisions:

  • A corrective action plan (CAP) with a three-year monitoring period, which is one year longer than previous CAPs imposed for HIPAA violations.
  • A requirement for the Covered Entity (CE) to hire an Independent Monitor to observe, report on, and make recommendations to the CE on ways to safeguard its Protected Health Information (PHI).
  • A statement of the required contents of a Risk Assessment.

The Resolution Agreement also includes other provisions related to reporting breaches by employees, developing policies and procedures, and training staff members.


What part of the HIPAA Rules was clarified and interpreted?

In a recent blog about HIPAA Risk Assessments, we noted that the Office for Civil Rights (OCR) of the Department of Health and Human Services has NOT DEFINED the content of a HIPAA Risk Analysis. In 2018, OCR did publish a Security Risk Assessment Tool that Covered Entities (CEs) could use to perform a Risk Assessment, but CEs were not required to use it.


What are the HIPAA Rules affected by this New Settlement?

The Resolution Agreement with Peachstate Health Management shows, in general terms, what OCR considers adequate HIPAA Risk Assessment guidance. The contents of a Risk Analysis must include:

  • A comprehensive, enterprise-wide analysis of security threats and vulnerabilities.
  • Coverage of all electronic PHI (ePHI) created, received, maintained, or transmitted by the Covered Entity.
  • Coverage of all electronic media, workstations, and information systems owned, controlled, or leased by the CE that can store or access ePHI.
  • A complete inventory, developed by the Covered Entity, of all electronic equipment, data systems, and applications that contain or store ePHI.

Furthermore, the CE must get the Risk Analysis approved by HHS. It must update the Risk Analysis annually or any time there are environmental or operational changes affecting the security of ePHI.

It is easy to see why all of these requirements were specified in the Risk Analysis description. In the past, CEs have reported unauthorized disclosures where the risk assessment did not cover all equipment or systems containing ePHI. Naturally, that is where the breaches happened.
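As an added illustration (not from the original post, and not a tool published by OCR or required by the settlement), the following Python script reconciles a constructed ePHI asset inventory against the systems a Risk Analysis actually examined. It flags the two failure modes the requirements above are aimed at: ePHI-bearing equipment, systems, or applications the analysis never covered, and an analysis that is older than a year or that predates an operational change to a covered system. The asset fields, the one-year threshold, and the sample inventory are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """One row of the ePHI equipment/system/application inventory (fields assumed)."""
    asset_id: str
    kind: str            # workstation, server, application, media, ...
    custody: str         # owned, controlled, or leased by the Covered Entity
    holds_ephi: bool     # stores ePHI or can access it
    last_change: date    # most recent environmental or operational change


@dataclass(frozen=True)
class RiskAnalysis:
    """What the current Risk Analysis actually examined."""
    completed: date
    covered_asset_ids: frozenset


def coverage_gaps(inventory, analysis):
    """ePHI-bearing assets the Risk Analysis did not cover, in stable order."""
    return sorted(
        a.asset_id for a in inventory
        if a.holds_ephi and a.asset_id not in analysis.covered_asset_ids
    )


def stale_reasons(inventory, analysis, today, max_age_days=365):
    """Why the analysis must be redone: older than the annual limit, or an
    ePHI asset changed after it was completed. An empty list means still current."""
    reasons = []
    age = (today - analysis.completed).days
    if age > max_age_days:
        reasons.append(f"analysis is {age} days old, older than {max_age_days} days")
    for a in sorted(inventory, key=lambda x: x.asset_id):
        if a.holds_ephi and a.last_change > analysis.completed:
            reasons.append(
                f"{a.asset_id} changed on {a.last_change.isoformat()} "
                f"after the analysis dated {analysis.completed.isoformat()}"
            )
    return reasons


def review(inventory, analysis, today):
    """Combine both checks into one verdict a compliance reviewer can act on."""
    gaps = coverage_gaps(inventory, analysis)
    reasons = stale_reasons(inventory, analysis, today)
    return {"gaps": gaps, "stale_reasons": reasons, "current": not gaps and not reasons}


# Constructed sample data: a small inventory and an analysis that missed a backup drive
INVENTORY = [
    Asset("app-billing", "application", "leased", True, date(2023, 2, 1)),
    Asset("db-01", "server", "owned", True, date(2023, 5, 1)),
    Asset("kiosk-02", "workstation", "owned", False, date(2023, 6, 1)),
    Asset("usb-bk-7", "media", "controlled", True, date(2023, 3, 1)),
    Asset("ws-01", "workstation", "owned", True, date(2023, 1, 10)),
]
ANALYSIS = RiskAnalysis(date(2023, 4, 1), frozenset({"ws-01", "db-01", "app-billing"}))
TODAY = date(2023, 9, 1)

if __name__ == "__main__":
    result = review(INVENTORY, ANALYSIS, TODAY)
    for asset_id in result["gaps"]:
        print(f"NOT COVERED: {asset_id}")
    for reason in result["stale_reasons"]:
        print(f"STALE: {reason}")
    print("Risk Analysis current:", result["current"])
```

On the sample data the script reports the uncovered backup media and that `db-01` changed after the analysis was completed, so the analysis is not current even though it is less than a year old. The kiosk is not flagged because it holds no ePHI; whether an asset really has no ePHI is a judgement the inventory owner has to make, and this script only trusts what the inventory says.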


How does the issuance of this recent RA compare to other HHS-imposed settlements?

The requirement for an independent monitor is very similar to the terms the HHS Office of Inspector General imposes on providers who are offered a Corporate Integrity Agreement (CIA). The Centers for Medicare and Medicaid (CMS) offers CIAs to providers who have run afoul of regulations. Such regulations may include:

  • regulations on billing and coding of services,
  • rules on financial arrangements between Designated Health Services, such as hospitals or laboratories, and referring physicians, and
  • rules governing pharmacy manufacturers who market their products inappropriately or even pay kickbacks to prescribing providers.

All CIAs require the provider to retain and pay for an Independent Review Organization (IRO), which audits the performance of the provider with respect to various provisions in the CIA.

There is one major difference between the duties of an IRO and those of the Independent Monitor in the RA. An IRO cannot give advice or provide services to assist the provider with complying with the terms of the CIA. In effect, the IRO is auditing its own performance. It remains to be seen how the Independent Monitor maintains its independence while monitoring the provider under an RA.


What should you do?

Are you a provider who has never conducted a HIPAA Risk Assessment? Have you annually reported unauthorized disclosures of PHI? Have you received letters from the OCR after a patient complaint about their privacy? Any of these circumstances put you at risk for an audit by the OCR. It is way past time to get on with a HIPAA Risk Analysis! You can get a HIPAA checklist on how to conduct a HIPAA Risk Assessment here.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.