The Department of Health and Human Services (HHS) announced on March 3rd that a healthcare provider from Utah would pay a fine of $100,000 to the HHS and carry out corrective actions to improve its compliance practices. The HHS OCR investigation of the provider’s compliance practices was the result of a complaint filed by the provider against its EHR vendor. According to the complaint, the vendor was holding patient health information (PHI) hostage until the doctor paid them $50,000.
The OCR investigation found that the healthcare provider had neither conducted a risk analysis nor put appropriate security measures in place for dealing with such a risk.
Was this a preventable incident?
The HHS OCR investigation revealed that the healthcare provider had failed to implement sufficient security measures to keep patient health information safe. According to the HHS brief, the provider had never conducted a risk analysis.
According to OCR director Roger Severino, risk analysis is one of the most basic HIPAA requirements.
Unfortunately, failure to perform an adequate risk analysis is also one of the most common HIPAA violations. The majority of the largest fines are attributed to organizations failing to identify potential risks to patient health information.
In this article, we’ll share a simple outline of what risk analysis is, why it’s important for you, and the steps involved.
Why does HIPAA insist on risk analysis?
To comply with the Administrative Safeguards provisions of the Security Rule, all covered entities need to conduct risk analysis on an ongoing basis to identify and mitigate risks to patient health information (PHI).
Covered entities are required to protect all PHI that they create, receive, maintain or transmit against all reasonably anticipated threats or hazards. The Security Rule requires covered entities to evaluate the risks and vulnerabilities in their working environment that could lead to a threat or hazard, and to do so on an ongoing basis.
For example, vulnerabilities in your working environment could trigger a security breach leading to the loss of PHI. Similarly, unforeseen events such as tornadoes and floods can also lead to the loss of PHI.
To account for such devastating possibilities, the Security Rule requires covered entities to have a security program for the protection of PHI. The security program should be capable of reducing the risk to PHI to a reasonable and appropriate level.
Why is risk analysis so important?
Consider conducting a risk analysis as the first step towards achieving HIPAA Security Rule compliance. It’s a kind of check-up of your organization: it confirms that patient data is flowing smoothly through your healthcare system and identifies the potential weaknesses in your information flow that could lead to the unwarranted disclosure of patient information.
Risk analysis is a standard information security process and is critical to Security Rule compliance efforts. By helping to determine which security measures are reasonable and appropriate for a covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
Risk analysis is generally viewed as a technique for identifying and assessing the factors that may put patient health information (PHI) at risk. In four steps, this is what your risk analysis is about:
- Identifying the potential risks to the PHI
- Identifying the potential severity of such risks
- Identifying the probability of occurrence of the risks
- Documenting your findings
How to conduct the risk analysis of your healthcare practice
Here’s a method which you could use for conducting risk analysis of your health information system.
1. Identify the scope of risk analysis
The first step is to understand how patient health information (PHI) flows in and out of your health information system. This includes how the PHI is handled within your organization.
What’s expected of you?
Identify the potential risks and vulnerabilities to the patient data that your organization handles.
What do you need to cover?
In terms of PHI, you must consider all possibilities that could compromise any or all of the following three aspects of a patient’s information:
- Availability, and
The scope should include:
- PHI that you create,
- PHI that you receive,
- PHI that you must keep, and
- PHI that you transmit to your business associates or other covered entities
Remember, your risk analysis needs to account for patient health information in every form in which it flows through your system, including the possibility of PHI leaking outside of the health information system when you recycle documents or send devices for destruction.
2. Gather data
Once you have identified the scope, the next step is to gather and document data concerning the flow of patient data in your health information system.
- Identify where you store your data – it should include the physical locations and electronic devices that you use for the purpose.
- Look at how you receive, use, store and transmit patient information.
- This includes information about all the facilities that you use, including in-house servers, leased devices and third-party cloud storage facilities.
- This should include the information on your vendors, business associates, and all instances where you have to disclose patient data.
3. Identify and document potential threats and vulnerabilities
Now, it’s time to analyze the information for the following two purposes:
- For identifying all possible vulnerabilities, and
- For identifying potential threats, which could trigger or exploit the identified vulnerabilities.
It’s necessary for covered entities to document all the threats and vulnerabilities that could pose a reasonable risk to patient health information. This should include all anticipated human, cyber and natural threats, and vulnerabilities.
4. Assess and list current security measures.
The next step is to analyze the security measures that you already have in place for safeguarding PHI. Your documentation should list all existing measures. The goal of this step is to:
- Identify whether the required security measures are already in place.
- Understand whether the measures in place are appropriate.
- Check whether the measures are being used properly.
- Check whether your controls are configured properly.
5. Determine the likelihood and potential impact
Once you are through the four steps above, you will have a good understanding of:
- Your assets, processes and operations,
- How you use patient information,
- Potential threats,
- Vulnerabilities, and
- Your security system
This information can now be used to determine the risk to your health information system. Here is what you need to determine:
- Potential impact
In this step, you need to consider various combinations of potential threats and vulnerabilities. Rate each combination against the likelihood of its occurrence.
Consider the potential impacts to your organization and the patient data in case of a security incident.
Document all such potential impacts. Rate the potential impact against the likelihood of the occurrence of that threat-vulnerability combination which could affect the PHI.
6. Determine the level of risk.
Now, it’s time for you to determine the level of risk to PHI posed by a security incident. Analyze the likelihood of a security incident and its potential impact to determine its level of risk.
Document all threat-vulnerability combinations along with their potential impact, their level of risk and a set of corrective actions.
7. Identify security measures
Once you have determined the level of risk for each possibility, begin identifying possible security measures, which could help you reduce the level of risk associated with them.
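Steps 3 through 7 can be kept as a small risk register, sketched here in Python. This is an added example, not part of the original article: the three-point scale, the score thresholds and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed three-point qualitative scale; the article does not prescribe one.
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    threat: str                      # step 3
    vulnerability: str               # step 3
    likelihood: str                  # step 5
    impact: str                      # step 5
    current_measures: list = field(default_factory=list)  # step 4
    planned_measures: list = field(default_factory=list)  # step 7

    @property
    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def level(self) -> str:          # step 6, assumed thresholds
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"

def build_register(risks):
    """Validate every rating, then order risks from highest to lowest score."""
    for r in risks:
        for rating in (r.likelihood, r.impact):
            if rating not in SCALE:
                raise ValueError(f"unknown rating {rating!r} for {r.threat!r}")
    return sorted(risks, key=lambda r: r.score, reverse=True)

def unaddressed(register, floor="medium"):
    """Risks at or above `floor` that have no current and no planned measure."""
    return [r for r in register
            if SCALE[r.level] >= SCALE[floor]
            and not r.current_measures and not r.planned_measures]

# Constructed sample entries, loosely based on the scenarios in this article.
SAMPLE = [
    Risk("Flood damages the server room", "single on-site copy of records",
         "low", "high", current_measures=["nightly off-site backup"]),
    Risk("PHI left on a retired device", "no sanitization step before disposal",
         "medium", "medium"),
    Risk("EHR vendor withholds access to PHI", "no provider-controlled export",
         "medium", "high", planned_measures=["periodic export to own storage"]),
    Risk("Paper record read after recycling", "unshredded printouts", "low", "low"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE)
    for r in register:
        print(f"{r.level:<6} {r.score}  {r.threat} / {r.vulnerability}")
    print("No measure yet:", [r.threat for r in unaddressed(register)])
```

Rerun the register whenever a rating, a measure or the scope changes, and keep the output with your risk analysis documentation.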
As we mentioned earlier, mitigating risk is an ongoing process – you need to conduct risk analysis as frequently as necessary. Threats change with time, and every time you adopt a new technology or change your business process, the PHI within your organization becomes vulnerable to attacks and accidents – and it can leave you open to non-compliance.
Here are some questions for our readers. What steps did you use when conducting risk analysis for your healthcare practice? Which security measures did you identify? Please share your response in the comments section below. We’d love to learn from your experience.