HIPAA Risk Analysis and Your Critical Starting Point
The HIPAA Risk Analysis is so important that it is the first item defined in the HIPAA Security Rule, a requirement since 2005. It forms the basis of your HIPAA compliance program, and should be updated annually or more often if something significant changes within your IT environment. The HIPAA Risk Analysis is the roadmap you must follow to secure electronic Protected Health Information (ePHI) to ensure that you do not breach its confidentiality, integrity, or availability.
Proof of the importance of the HIPAA Risk Analysis is that a similar requirement is in Meaningful Use attestation Core Measure 15 to receive funding through the EHR Incentive Program. Also, recent HIPAA enforcement actions have cited a missing or old HIPAA Risk Analysis as the basis for HIPAA penalties and large fines (over $ 1 million.) This is something you need to do— and do well.
Where is your data?
Before you begin your HIPAA Risk Analysis the first step is identifying all the ePHI within your organization, and how it moves within your systems and in and out of your systems. Depending on the size and scale of your organization, you may need to investigate multiple offices, a data center or online EHR provider, local area networks in your offices, wide area networks between offices, the Internet, and other methods of storing and moving data. To properly conduct the HIPAA Risk Analysis, you need both the IT skills and experience to view stored data and track the movement of electronic data.
Remember that ePHI includes any combination of a patient’s name and their diagnosis or treatment. Don’t think that it is all in your EHR system. It can be in any form – written, images, or voice files—and can hide anywhere in your technology environment, which is now expanded to smartphones, tablets, websites, e-mails, electronic fax systems, voice recorders, and portable storage devices.
The Risk Formula
To determine a risk you must first identify potential Vulnerabilities and Threats. Vulnerabilities are weaknesses in a system or process. Threats are actions that may act on the Vulnerabilities. Then you need to guesstimate both the Likelihood that a Threat will take place, and measure the anticipated Impact (negative result.) By combining all the variables into your HIPAA Risk Analysis you can determine if a Risk is Low, Medium, or High.
Once you identify your risks, you can then prioritize them and budget the resources required to avoid or mitigate risks in accordance with compliance requirements and your organization’s tolerance for risk. (Keep in mind the recent enforcements of HIPAA and consider any violations to be a High Risk.)
An example of a high risk would be the protection of your patient data files. If you had no backup (a vulnerability) then a hard drive failure or power spike (threats) may erase or damage your electronic patient records. The failure of a hard drive—which spins thousands of times per minute— can be expected (a high likelihood) and the negative effect on your business (the impact) could be huge, since you would no longer be able to access patient records. You may lose the records forever, putting patients at risk, violating accessibility and retention requirements, and lowering the value of your practice. So, it is easy to determine that you should backup your patient records because the impact of not doing it is so high. Other risks may not be as obvious, and the only way to determine them is to have complete and accurate information.
What are your Risk components?
Vulnerabilities— The HIPAA Security Rule is broken down into Administrative, Physical, and Technical Safeguards, and over 50% of the rules are Administrative. This is because people are the most vulnerable component of your computing environment. They make mistakes or may cause intentional data breaches. Other vulnerabilities include power, connectivity, unencrypted data, systems stored in unsecure locations, portable devices, access to systems and data, and unprotected software.
Threats— Threats can be natural or man-made. Human error, malicious behavior, lack of awareness and training, power failures, communications failures, equipment failures, theft or loss of data stored on devices, viruses and malware, and snooping are all examples of threats that can act on vulnerabilities.
Likelihood— Looking into a crystal ball won’t help, but you can ask experts familiar with technology equipment, your geographic region, and who have experience with similar organizations to yours. Technology experts typically rank equipment failure as a high likelihood. In many parts of the country weather events have interrupted business by causing power and communications failures. Internet services are likely to go down temporarily for many reasons. Theft and losses of laptops and other portable devices are common.
Impact— This can be measured in different ways, including life threatening emergencies, financial losses, liability, customer service failures, and compliance violations and related penalties. A good rule of thumb is that if the impact is high, an event that has a low likelihood of occurring must be considered.
Meaningful Use Security Risk Analysis (SRA)
Core Measure 15 for Eligible Professionals requires an SRA related to the electronic Protected Health Information stored in their EHR system. The guidance does not mention HIPAA by name, but does refer to the Code of Federal Regulations section for the HIPAA Risk Analysis. The SRA is focused on the data stored within your certified EHR system, but the assumption is that you have already implemented the HIPAA Security Rule safeguards. If you haven’t done a good job with HIPAA compliance, this can create a significant risk to your EHR data.
There has been a lot of confusion about the SRA based on incorrect information provided to practices. The US Department of Health and Human Services published a Myths and Facts document providing guidance. Two notable recommendations are that you may not use a simple checklist for your SRA, and that you should engage a professional if you want your SRA to survive and audit or investigation.
Key differences between HIPAA and Meaningful Use are that a HIPAA violation will usually be uncovered through one of the infrequent random HIPAA audits, or, also unlikely, as part of a data breach investigation. More frequent audits of practices attesting to Meaningful Use are taking place, and violations are being enforced through the federal False Claims Act.
Can you do this alone?
The HIPAA Risk Analysis is critical to your compliance program. You need it for HIPAA, to comply with Meaningful Use and avoid severe penalties, and to help you make the right decisions that will help you avoid or respond to a disaster. You need to get it right the first time.
The US Department of Health and Human Services offered this advice in response to someone asking if they needed an outside expert to conduct their Security Risk Analysis.
Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
Analyze the risks of doing your own HIPAA Risk Analysis and make a wise choice.
The newly published HIPAA Omnibus Rule requires every HIPAA Covered Entity to review or modify their security compliance programs. The 4MedPro HIPAA certified security team can help! Click Here to learn more.