What’s Beyond the Assessment?
HIPAA is that long and complicated story that began in 1996, narrowly focusing on Privacy and Administrative Simplification for most of the early years. Along came the HITECH Act and suddenly, HIPAA Security, that long-languishing detail of the HIPAA narrative, became the focus of the saga. Make no mistake; it is an ongoing saga, and one the Omnibus Final Rule sought to clarify. Slow adoption of electronic medical records by the provider community lulled the healthcare industry into simply ignoring fundamental business practices that would have reduced risk and provided compliance with both Privacy and Security requirements.
All providers are bound by HIPAA and the HITECH Act. For providers who are hoping to attest to Stage 1 ‘Meaningful Use’ and for those who have already attested, it is easy to see why so many believe they can satisfy the Core Set 15 measure by simply completing a checklist of HIPAA Security requirements, because HIPAA does not require that a specific method be used to accomplish a risk assessment. Indeed, HHS continues to narrowly reinforce the need for this first step simply because so few healthcare providers have accomplished it. Some providers have been led to believe that a self-assessment using a checklist is sufficient to satisfy the requirement under HIPAA and HITECH.
The Office of Civil Rights (OCR) is charged with enforcing the HIPAA Rules. Their published audit protocol requires them not only to analyze the methodology used to accomplish a risk assessment, but also to look at the steps taken to implement policies and procedures that assure the privacy and security of electronic protected health information (ePHI) and to evaluate the rigor of the ongoing risk management activities. When CMS investigates breach complaints, they are also going well past the assessment to determine the reasonableness of the steps taken to secure PHI.
There seems to be widespread misunderstanding of the terms regarding risk: risk analysis, risk assessment and risk management. A FAQ on the HHS web site provides an excellent definition of these terms:
“Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic protected health information (e-PHI) held by a covered entity, and the likelihood of occurrence. The risk analysis may include taking inventory of all systems and applications that are used to access and house data, and classifying them by level of risk. A thorough and accurate risk analysis would consider all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage. Risk management is the actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its e-PHI and to meet the general security standards.”
And, from the HITECH Act, the requirement is expressed this way (emphasis added):
“Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
Much to their chagrin, business associates of covered entities are also required to comply with these requirements. There is now shared accountability and shared liability for breaches of PHI.
So, the inadequacy of a simple checklist is apparent, especially if that checklist does not provide a way for the entity to prioritize needed remediation work based on the risk each compliance gap exposes it to. The clear expectation is that a true risk management program be implemented by both covered entities and their business associates, based on findings revealed through risk analysis.
The value obtained from a well-designed risk management program will almost always struggle to demonstrate a hard return on investment. However, you likely already invest in risk avoidance by insuring against general business and clinical risk, which only yields a return if it is needed to save your business. Privacy and security risk management is the third leg of the stool. Implementing reasonable and appropriate business practices yields a similar return on that investment. Simply put, you maintain patient trust, secure your reputation, avoid financial ruin, and can demonstrate compliance with HIPAA.
Prior to the frequent announcements of major breach incidents, patients assumed their medical provider properly secured their protected health information. The new reality is that patients will now demand that providers protect their healthcare information with the same level of diligence that their banks learned long ago was required to secure financial information. Indeed, there is much beyond the risk assessment.
Susan Pretnar is the President of KeySys Health, LLC.