In part four of our HIPAA Security series, we will take a closer look at the requirements to perform a HIPAA Security Risk Analysis and have a Risk Management Plan as part of the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement a management plan to address those risks and vulnerabilities.
Failure can cost you
An orthopedic clinic in Georgia agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.
The issue began when a hacker contacted the clinic and demanded money in return for a complete copy of the database they had stolen. The clinic determined that the hacker used a third-party vendor's credentials to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for more than a month.
The OCR's investigation discovered longstanding systemic noncompliance with the HIPAA Privacy and Security Rules by the orthopedic clinic, including failures to conduct a risk analysis and implement risk management controls.
Risk Analysis — OCR Nationwide Audit Results
Unfortunately, this clinic is like many other entities who are required to follow the HIPAA Security Rule. They often fail to perform an enterprise risk analysis and implement a risk management plan. In fact, when the OCR performed their nationwide audit of a sample of entities required to follow the HIPAA Security Rule, they found that only small percentages of covered entities (14%) and business associates (17%) were substantially fulfilling their regulatory responsibilities to safeguard electronic PHI (ePHI) they hold through risk analysis activities.
Some of the common errors the OCR found included failure to:
- Identify and assess the risks to all the ePHI in their possession
- Develop and implement policies and procedures for conducting a risk analysis
- Identify threats and vulnerabilities to consider their potential likelihoods and impacts and to rate the risk to ePHI
- Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event
- Conduct risk analyses consistent with policies and procedures
Sometimes entities fail to comprehend their individual accountability to perform an enterprise risk analysis. They may mistakenly believe that an electronic medical records vendor or their contracted IT services are primarily responsible. This is not the case. In their audit, when the OCR requested documentation of an entity’s HIPAA security risk analysis, providers commonly submitted documentation of some security activities of a third-party security vendor, but no documentation of any risk analysis. Or, in some cases, entities offered third-party template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation.
Risk Management--OCR Nationwide Audit Results
Unfortunately, many entities feel that they are done once they’ve performed a HIPAA Security Risk Analysis. Though that step is essential, it is only the beginning. Once risks have been identified, they must be managed. Managing some risks might be more urgent than others. Prioritizing and developing a management plan, or project management plan, which identifies the steps the entity will take to mitigate the identified risks is the next step after the risk analysis is complete.
In regard to risk management steps, HHS has stated, “Risk management, required by the Security Rule, includes the implementation of security measures to reduce risk to reasonable and appropriate levels to, among other things, ensure the confidentiality, availability, and integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the HIPAA Privacy Rule.”
The OCR’s audit results demonstrated that 94% of covered entities and 88% of business associates failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Some of the key findings included:
- Entities lacked the necessary focus on technical safeguards (access controls, audit controls, etc.) needed to properly protect the confidentiality, integrity, and availability of ePHI.
- The policies and procedures provided in support of the risk analysis and risk management requirements indicate entity misunderstanding of the importance of determining acceptable levels of risk, what specific vulnerabilities were applicable to their environment, or how to mitigate the risks or vulnerabilities to ePHI throughout their organization.
- In some instances, encryption was included as part of a remediation plan, but was not carried out or was not implemented within a reasonable timeframe.
- One entity had implemented an appropriate risk management plan a few years earlier but failed to conduct any updates since that time.
The bedrock foundation of a HIPAA Security compliance program is regular performance of an appropriate HIPAA Security risk analysis and development of a management plan. There have been numerous settlements with OCR when entities have not completed these requirements. In one OCR settlement, where the entity paid $3.5 million, the OCR director stated, “…there is no substitute for an enterprise-wide risk analysis for a covered entity.” Indeed, there is no substitute.
Hopefully, this four-part series has been helpful in learning more about the HIPAA Security Rule and some of its requirements. If you feel like you need help addressing these issues, Healthicity’s team can help. Visit our advisory team's page to learn more and get in touch with an expert consultant.
You can review the other HIPAA Security Rule eBriefs here:
Download this blog as a PDF, click the button below.