Conducting Your HIPAA-Required Security Risk Assessment

A company based in the state of Pennsylvania that develops wireless technology that’s used to assist physicians in the care of their cardiology patients was recently fined in excess of $2 million for a HIPAA breach that occurred when the protected health information (PHI) belonging to nearly 1,400 individuals was compromised after a company employee’s laptop was stolen.  The Office for Civil Rights (OCR), the body within the U.S. Department of Health & Human Services (HHS) tasked with enforcing HIPAA’s privacy and security rules, found, specifically, that “[the company] had insufficient risk analysis and risk management processes in place at the time the theft occurred; failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [electronic] PHI (ePHI); and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities. (Code of Federal Regulations [CFR] 45 164.308(a)(1)).”  This article will discuss the processes of HIPAA risk analysis and risk management to educate providers in the outpatient wound clinic setting on how to better protect their patients’ PHI and ePHI. The authors will also describe the general process of the security risk assessment (SRA) and offer direction and resources for providers to utilize.  

APPROPRIATE RISK ANALYSIS & MANAGEMENT

Risk analysis [CFR 45 164.308(a)(1)(ii)(A)]¹ requires HIPAA’s covered entities (CEs), business associates (BAs), and their subcontractors to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The second part to this process is risk management [CFR 45 164.308(a)(1)(ii)(B)],¹ which requires CEs and BAs to take sufficient measures to reduce risks and vulnerabilities to a “reasonable and appropriate level.” These processes together make up what is more commonly known as the SRA and resultant remediation plan. Your introduction to the required SRA probably came when you attested for your Meaningful Use dollars, which required you to conduct the same risk assessment and attest to its results. But you may not have realized that this risk assessment needed to be updated on a regular basis (typically annually), as well as when you have a change in the way you operate, or when a change to your information technology infrastructure occurs. It is also recommended that CEs review the relevant portions of their SRAs and, when a security incident occurs, look at what might have been missed in the risk assessment. 

When considering the requirements of the HIPAA security regulations, HHS allows organizations to take into account the organization’s: a) size, complexity, and capabilities; b) technical infrastructure, hardware, and software security capabilities; c) costs of security measures; and d) probability and criticality of potential risks to ePHI. Thus, an SRA will look somewhat different depending upon the size and type of practice. (Detailing how to complete an SRA is beyond the scope of this article.) 

SRA RESOURCES

While the regulations on how to conduct one’s risk assessment are agnostic, guidance from HHS,² along with generally accepted industry best practices, base risk assessment on requiring the assigning of both probabilities and the impacts of all vulnerabilities identified in the regulations by the U.S. Department of Commerce’s National Institute of Standards and Technology.³ While many resources are available to assist in conducting required SRAs, few practices have the internal expertise (or the resources to gain that expertise) to conduct an adequate risk assessment. The American Health Information Management Association (AHIMA) provides the following summarized general steps to completing an SRA.⁴ AHIMA also recommends getting all the key players in one’s organization together to work on an SRA. Here are the steps:

1. Take an inventory of the organization’s physical environment, current information systems, applications, medical devices, network, operating system, and hardware.
2. Using the inventory, identify security gaps or vulnerabilities in the policies and procedures, physical environment, current information systems applications, medical devices, network, operating system, and hardware.
3. Identify threats that might exploit the vulnerabilities. 
4. Determine the probability and criticality of threats exploiting the vulnerabilities. 
5. Propose controls for each area of risk. 
6. Estimate the level of residual risk that exists after the recommended controls are put into place.
7. Document everything associated with the risk analysis. Even if it is determined that one or more of the standards have very low risk given the environment, it is important to document how it is known that the risk is low.
8. Plan for ongoing risk management so that changes in the environment, systems, or any other factor are identified, and new threats and vulnerabilities are assessed. 

Just as with privacy, security is an ongoing effort. If this process sounds foreign and/or daunting, there are many tools available to help with the SRA. Given that there are 54 standards and implementation specifications in the HIPAA Security Rule that need to be addressed in the SRA, providers will want to take advantages of the available tools. Additional resources include: 

• HHS Security Risk Assessment Toolkit.⁵ HHS has provided an SRA operating system application that can run on Microsoft’s Windows or Apple’s Mac. This application walks the user through the process. Videos are available for additional training.  
• HIPAA Collaborative of Wisconsin (HIPAA COW) Risk Assessment Template.⁶ The HIPAA COW gives some excellent information that is downloadable. The worksheets include an example of HIPAA security policy, a risk analysis completion form, a thorough threat-source list, and an inventory asset list.  
• National Institute of Standards and Technology (NIST) Special Publication 800-30 (Rev.1).⁷ NIST provides guidelines for conducting risk assessments. This is a widely used resource to set the foundation for an SRA.  

Another option to consider would be to hire an advisor to oversee the HIPAA compliance process. 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com. Lorna L. Hecker is executive vice president and director of education and training at Carosh. She also runs the company’s professional practice in behavioral health and holds CHPS certification (certified in healthcare privacy and security) through the American Health Information Management Association. A frequent speaker on HIPAA topics unique to behavioral health practices, she is professor emerita of behavioral sciences at Purdue University Northwest, where she sat on the faculty of the marriage and family therapy master’s program. The author and/or editor of multiple mental health-related books, her most recent publication is HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (Loger Press).

References

1. CFR 164.308. HHS. Accessed online: www.gpo.gov/fdsys/pkg/CFR-2009-title45-vol1/pdf/CFR-2009-title45-vol1-sec164-308.pdf

2. Guidance on Risk Analysis. HHS. 2017. Accessed online:www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

3. Ross RS. Guide for Conducting Risk Assessments. NIST. 2017. Accessed online: www.nist.gov/publications/guide-conducting-risk-assessments

4. Amatayakul M. Kick starting the security risk analysis. J AHIMA. 2004; 75(7):46-7; quiz 49-50.

5. What is Risk Assessment? HealthIT.gov. 2013. Accessed online: www.healthit.gov/providers-professionals/security-risk-assessment

6. Risk Toolkit. HIPAA COW. 2013. Accessed online:https://hipaacow.org/resources/hipaa-cow-documents/risk-toolkit

7. Computer Security Division, Information Technology Laboratory. Information Security. In: Guide for Conducting Risk Assessments. Accessed online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf