The Health Insurance Portability and Accountability Act (HIPAA) mandates that both Covered Entities and Business Associates conduct a HIPAA risk assessment. These requirements are mentioned twice in the Administrative Simplification provisions of HIPAA. However, organizations may need to go beyond these requirements and conduct additional risk assessments.

The first requirement to conduct a HIPAA risk assessment can be found in the Security Rule (45 CFR § 164.308 - Security Management Process). This rule directs Covered Entities and Business Associates to perform a comprehensive assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

The second requirement is outlined in the Breach Notification Rule (45 CFR § 164.402). This standard applies only in cases where there has been an unauthorized acquisition, access, use, or disclosure of unsecured protected health information (PHI) in any format. In such instances, conducting a HIPAA risk assessment becomes necessary to determine whether the event needs to be reported to the U.S. Department of Health and Human Services (HHS) and the affected individuals.
While the Security and Breach Notification Rules require a HIPAA risk assessment, it's important to recognize that there are additional risks to the confidentiality, integrity, and availability of PHI when it is not in electronic form. For instance, unauthorized disclosures can occur through verbal communication or when printed medical reports are left unattended in public areas. Therefore, it may be necessary to conduct a comprehensive HIPAA privacy risk assessment that also considers risks to non-electronic PHI, individuals' access rights to their PHI, Business Associate Agreements, and other Organizational Requirements under HIPAA.
The purpose of a HIPAA security risk assessment is stated in the General Rules (45 CFR § 164.306) that come before the Administrative, Physical, and Technical Safeguards of the Security Rule. The objectives are as follows:

1. Ensure the confidentiality, integrity, and availability of all electronic PHI (Protected Health Information) created, received, maintained, or transmitted by the Covered Entity or Business Associate.
2. Guard against any reasonably anticipated threats or risks to the security or integrity of such information.
3. Prevent any unauthorized use or disclosure of such information, as per the regulations outlined in subpart E of this part (the Privacy Rule).
4. Ensure the workforce's compliance with the Security Rule through training and the implementation of a sanctions policy.

It should be noted that the implementation of the Administrative, Physical, and Technical Safeguards allows for some flexibility in approach. However, it is crucial to implement all standards unless an alternative measure is both reasonable and appropriate. The final portion of the Security Rule pertains to Business Associate Agreements and other Organizational Requirements. Covered Entities are required to ensure that their Business Associate Agreements mandate compliance with the Security Rule and the reporting of security incidents (not limited to data breaches) to the Covered Entity. Even though the standard in 45 CFR § 164.314 specifically applies to group health plans, all Covered Entities involved in hybrid, affiliated, or OHCA (Organized Health Care Arrangement) arrangements should also review the details of this standard.
The second HIPAA risk assessment, which is labeled as "required," is actually not mandatory. According to the Breach Notification Rule, any unauthorized access, use, or disclosure of PHI is presumed to be a breach, unless it can be demonstrated through a risk assessment that there is a low probability of compromise. This assessment must consider several factors, such as the nature and extent of the breached PHI, the types of identifiers involved, the likelihood of re-identification, and the identity of the unauthorized person involved. Additionally, it should determine whether the PHI was actually acquired or viewed and assess the extent to which the risk has been mitigated.

Because the HIPAA breach risk assessment is technically optional, Covered Entities and Business Associates may choose to skip it and instead report every unauthorized activity involving PHI. However, there are drawbacks to this approach. It could lead to business disruption if the Office for Civil Rights of HHS suspects an organization of having an above-average number of data breaches and decides to conduct a compliance review. Moreover, frequent breach notifications could erode trust among the individuals served by the organization. This is especially concerning if these individuals are advised to take unnecessary measures to protect themselves against fraud, theft, or loss due to PHI that was not actually acquired or viewed during the breach.

Therefore, it is advisable to conduct a HIPAA breach risk assessment, even though it is described as optional. This assessment can help prevent unnecessary notifications and potential disruptions, ensuring compliance with HIPAA regulations.
Many Covered Entities and Business Associates tend to overlook the importance of conducting a HIPAA privacy risk assessment, even though it is mandated by the HIPAA Security Rule. While a security risk assessment is commonly conducted, a HIPAA privacy risk assessment is equally essential, although it can be more time-consuming depending on the organization's size and business nature. To carry out a thorough HIPAA privacy risk assessment, an organization should appoint a Privacy Officer whose initial task is to understand the organization's workflows and assess how the requirements of the HIPAA Privacy Rule impact their operations. The Privacy Officer should then identify both internal and external flow of PHI (Protected Health Information) to conduct a gap analysis and pinpoint potential breach points. The final stage of the assessment involves developing and implementing a HIPAA privacy compliance program, including policies that address the identified risks to PHI. The program should be regularly reviewed and updated as new work practices or technologies are introduced. As per the requirement outlined in 45 CFR § 164.530, all employees must receive training on any policies and procedures resulting from the HIPAA privacy risk assessment, as well as when significant changes affect their roles. Rather than viewing this training as a checkbox exercise, Covered Entities and Business Associates should consider it as a risk mitigation strategy because well-trained staff are less likely to make HIPAA errors.
The severity of fines for failing to comply with HIPAA regulations has historically been assessed based on the number of affected patients and the level of negligence involved. In the past, there were few fines imposed in the category of "Did Not Know" violations, as it is expected that organizations should be aware of the legal requirement to protect patients' protected health information (PHI). However, recently, the majority of fines fall under the category of "Willful Neglect" violations, where organizations were aware or should have been aware of their responsibility to safeguard PHI. Some of the largest fines, such as the $5.5 million fine imposed on the Advocate Health Care Network, are a result of organizations failing to identify potential risks to the security and privacy of PHI.
Furthermore, it is essential to note that fines have been imposed for potential violations of Protected Health Information (PHI) since the commencement of the second round of HIPAA audits. These fines are related to situations where an organization's security weaknesses were not uncovered during a HIPAA risk assessment or when no assessment was conducted at all.

For instance, in March 2016, North Memorial Health Care of Minnesota settled HIPAA violation charges and paid over $1.5 million in relation to this matter.
Even though most news headlines about HIPAA violations focus on large medical organizations facing hefty fines for non-compliance, it is essential to recognize that numerous small medical practices also undergo investigations by the Office for Civil Rights (OCR) or face HIPAA audits. Since 2003, OCR has received over 300,000 reports of alleged HIPAA violations. However, it is worth noting that less than 2% of these reports involve data breaches affecting 500 individuals or more.

Small and medium-sized medical practices encounter a significant challenge when it comes to HIPAA breaches, as not all insurance carriers cover the expenses associated with such incidents. The costs go beyond possible fines and may include hiring IT specialists to investigate the breach, repairing public trust, and providing credit monitoring services for affected individuals. Moreover, insurance coverage can be limited based on the type of HIPAA violation and the level of negligence involved. Consequently, the cost of a HIPAA breach has the potential to force a small medical practice to close its doors.

Yet, this worrisome scenario can be avoided by conducting a thorough HIPAA risk assessment and implementing measures to address any identified issues. While performing an assessment might be complex and time-consuming, failing to do so could prove fatal for small medical practices and their Business Associates.
All entities that handle PHI must conduct a thorough risk assessment to comply with the HIPAA Security Rule. This is not limited to medical facilities and health plans; it also includes business associates, subcontractors, and vendors. Failure to comply can result in fines issued by OCR for potential breaches of PHI. OCR takes these risks seriously, as evidenced by its revelation in 2014 that 40% of HIPAA breaches involving more than 500 patient records were due to negligence by business associates. In 2016, it issued its first fine against a business associate, the Catholic Health Care Services of the Archdiocese of Philadelphia, which agreed to pay $650,000 following a breach of 450 records. It was found that the organization had neglected to conduct a risk assessment since 2013. While it may seem that the proportion of data breaches caused by non-compliant business associates has decreased, this may not be the case. The responsibility to notify HHS and affected individuals of a breach lies with the covered entity, so many breaches attributed to covered entities may actually be the fault of business associates.
An organization's security can be assessed through a HIPAA risk assessment, which highlights any areas that need attention. After identifying weaknesses and vulnerabilities, an organization must create a risk management plan to address them effectively. By prioritizing vulnerabilities based on assigned risk levels, organizations can focus on closing the ones most likely to result in a breach of PHI. This involves developing a remediation plan that includes implementing new procedures and policies, especially for critical vulnerabilities. Additionally, workforce training and awareness programs should complement the remediation plan. It's worth noting that missing or inadequate procedures and policies often lead to failed HIPAA audits for Covered Entities and Business Associates. Hence, it is crucial to enforce necessary changes to workflow by implementing appropriate procedures and policies resulting from the HIPAA risk assessment.
The areas where risks are typically found depend on the specific organization and its activities. For instance, a small medical practice may face a higher risk of unintentional disclosure of information during personal interactions, whereas a large healthcare group may face a greater risk of data breaches resulting from misconfigured cloud servers.
In order to protect the privacy of health information and the integrity of PHI, it is crucial to consider both external threats and internal mistakes caused by human error or lack of training. A reasonably anticipated threat encompasses any foreseeable danger to the confidentiality, integrity, or availability of individually identifiable health information. To effectively identify such threats, taking a comprehensive view of organizational workflows becomes imperative.
In distinguishing a risk assessment from a risk analysis, it is important to note that a risk assessment focuses on pinpointing the risks that may threaten HIPAA compliance, while a risk analysis takes it a step further by assigning levels of risk based on combinations of vulnerability and impact. The purpose of assigning risk levels to each identified risk is to prioritize tackling those that have the potential to cause the most harm. In the context of HIPAA, many risk analyses employ a qualitative risk matrix to conduct their evaluations.
Typically, the duty of performing a HIPAA security risk assessment falls on the shoulders of a HIPAA Compliance Officer. However, in cases where the responsibility for HIPAA compliance is divided between a HIPAA Privacy Officer and a HIPAA Security Officer, the risk assessment and analysis should be carried out by the HIPAA Security Officer, with support from their colleague depending on the specific risks identified.
There is no distinction in the types of risk assessment for covered entities and business associates. It is imperative for both covered entities and business associates to carry out comprehensive risk assessments for all Protected Health Information that is generated, utilized, or stored. Despite handling potentially lower volumes of PHI compared to covered entities, business associates must conduct equally meticulous and well-documented risk assessments.
Organizations that fall under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) are required to conduct a HIPAA risk assessment. This assessment ensures compliance with the 'Security Management Process' requirements. Failure to fulfill this obligation under HIPAA has resulted in legal actions being taken against non-compliant organizations.
A HIPAA risk assessment and a HIPAA compliance assessment serve distinct purposes. While a risk assessment focuses on identifying potential threats and vulnerabilities, allowing necessary actions to be taken to reduce their likelihood, a compliance assessment evaluates an organization's adherence to the HIPAA Privacy, Security, and Breach Notification Rules. Typically conducted by a third party, a compliance assessment aims to determine if the organization is following the necessary guidelines set forth by HIPAA.
A HIPAA risk assessment is required in two situations. The initial instance can be found in the Security Rule (45 CFR § 164.308 - Security Management Process). The second instance arises from the Breach Notification Rule (45 CFR § 164.402), which comes into play when there is an impermissible acquisition, access, use, or disclosure of unsecured PHI. However, it is advisable for organizations to conduct risk assessments more frequently than these mandated requirements, especially in relation to non-electronic PHI and organizational needs.
The main goal of a HIPAA security risk assessment is to pinpoint potential risks that could compromise the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI) handled by the Covered Entity or Business Associate. This assessment doesn't solely target external threats, but also considers any risks posed by malicious insiders or a lack of security awareness training within the organization.
In a risk assessment for a HIPAA breach, several factors are taken into account. These include analyzing the nature and extent of the compromised PHI, evaluating the types of identifiers involved and the probability of re-identification, assessing the unauthorized individual who accessed or utilized the breached PHI, determining if the PHI was actually acquired or viewed, and gauging the level of mitigation undertaken to minimize the risk to the PHI.
Failing to identify risks to PHI in a risk assessment can have severe repercussions. It greatly raises the chances of a data breach or unauthorized disclosure, which, if it occurs, could result in sanctions imposed by HHS' Office for Civil Rights. There are no valid excuses for neglecting to conduct a thorough risk assessment, as both covered entities and business associates have a clear obligation to protect PHI and are aware of this responsibility.
Business associates must adhere to HIPAA risk assessment requirements, which include compliance with the Security and Breach Notification Rules. These regulations outline two HIPAA standards specifically related to risk assessments. Additionally, business associates are strongly advised to perform risk assessments specifically pertaining to the Privacy Rule if their activities for a covered entity could potentially compromise the privacy of individually identifiable health information.