Deeper Than the Headlines: HIPAA Security Risk Analysis

It’s that time of year! Everyone is running around trying to complete their 2017 HIPAA Security Risk Analysis as required under Meaningful Use and/or MACRA. If your organization took incentive money to implement an electronic health record (EHR), then one of the requirements your organization must certify to is that you completed an annual Security Risk Analysis.

Not doing so puts your incentive dollars at risk (especially since the OIG has it on their Work Plan to audit this requirement). But more importantly, it can put your ePHI at risk, which not only hurts your patients and reputation but can also bring additional fines from the OCR. A case in point is the $400,000 settlement an FQHC entered into with OCR earlier this year. The primary reason cited by the OCR was failure to complete a security risk analysis. And by failing to identify the risks, the clinic fell victim to some of them.

OCR investigated the FQHC after it filed a breach report: a hacker had accessed employees’ email accounts through a phishing incident and obtained 3,200 individuals’ ePHI. OCR’s investigation found that the clinic took the necessary corrective action related to the phishing incident; however, the investigation also found that the clinic did not conduct a risk analysis until a month after the incident. In other words, prior to the breach the clinic had never conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and consequently had never implemented any corresponding risk management plan to address the risks and vulnerabilities such an analysis would have identified. When the clinic finally conducted a risk analysis, that analysis, as well as all subsequent risk analyses, was insufficient to meet the requirements of the HIPAA Security Rule.

The clinic agreed to sign a Resolution Agreement as well as a Corrective Action Plan (CAP). Reviewing CAPs provides other clinics, hospitals and physician practices important insight into key components the OCR expects of HIPAA compliance programs. Some of these key components include:

Risk Analysis:

  • Conduct a current, comprehensive, and thorough Risk Analysis of security risks and vulnerabilities to include all of its current facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned, that contain, store, transmit, or receive electronic protected health information ("ePHI").
  • Review the Risk Analysis annually (and more frequently, if appropriate) and promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI.
  • Following an update to the Risk Analysis, assess whether its existing security measures are sufficient to protect its ePHI, and revise its Risk Analysis, Risk Management Plan, Policies and Procedures, Training Materials, and implement additional security measures, as needed.

Develop and Implement Risk Management Plan:

  • Develop an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis.
  • The Risk Management Plan shall include a process and timeline for implementation, evaluation, and revision of its risk remediation activities.

Review and Revise Policies and Procedures:

  • Review and, to the extent necessary, revise, current Security Rule Policies and Procedures ("Policies and Procedures") based on the findings of the Risk Analysis and the implementation of the Risk Management Plan.
  • Policies and Procedures must comply with the HIPAA Security Rule.
  • Begin implementation of the Policies and Procedures and distribute the approved Policies and Procedures to the relevant and appropriate workforce members.

Review and Revise Training Materials:

  • Review and, to the extent necessary, revise, current Security Rule Training Materials ("Training Materials") based on the findings of the Risk Analysis and the implementation of the Risk Management Plan, as well as any revisions to the Policies and Procedures.
  • Training Materials must comply with the HIPAA Security Rule.
  • At least every 12 months, administer a Security Rule Training Program, containing the Training Materials, to each workforce member who has access to ePHI.
  • Provide such training to each new member of the workforce who has access to ePHI within thirty (30) days of their beginning service.
  • Each workforce member who is required to participate in the training program shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date the training was received.
  • All course materials shall be retained.

Reportable Events:

  • Upon receiving information that a workforce member may have failed to comply with its Policies and Procedures, promptly investigate the matter.
  • If it’s determined, after review and investigation, that a member of its workforce has failed to comply with these Policies and Procedures, report such events to HHS. Such violations shall be known as Reportable Events.
  • The report to HHS shall include the following information:
      a. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of the Policies and Procedures; and
      b. A description of the actions taken and any further steps planned to be taken to address the matter, to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with its Policies and Procedures.

Though the above components are required only of this clinic under its CAP, following these principles can help other organizations develop and maintain a robust HIPAA Security Compliance Program.
