Podcast: Best Practices for Your Annual HIPAA Risk Assessment

It’s December, and you know what that means: It’s time to make sure your organization is HIPAA compliant! I imagine after you read those words you either breathed a sigh of relief (because you’ve completed your annual HIPAA risk assessment), or you suddenly felt a sense of panic (because you’ve only got a few weeks to get it done).

Either way, in the spirit of HIPAA season, we decided to turn the tables on Dr. CJ Wolf, our resident HIPAA expert. In this latest episode of Compliance Conversations, What You Must Do to be HIPAA Compliant in 2020, we had our very own SVP, Jeremy Schow, sit down to interview CJ and discuss all things HIPAA. And he had a lot to say.

“The number one reason we do a risk assessment is it's a requirement. Number two though, it's good practice, right? We're in the business of helping patients, and we want to keep that information private and confidential. So, it's a good business practice,” CJ observed, before going on to answer all sorts of questions around HIPAA, including:

  • Should I Conduct an Assessment Every Year?
  • How Do I Conduct an Effective HIPAA Risk Assessment?
  • What are Some Common HIPAA Mistakes I Should Avoid?

Whether you’ve completed your assessment or not, there’s a ton of sage advice CJ had to offer our listeners.

Episode Transcript

Jeremy: Hello everyone, and welcome to this week's episode of Compliance Conversations. My name is Jeremy Schow, and I'm the Sr. Vice President of Sales here at Healthicity. I'm going to be filling in for CJ Wolf this week. I know you're all sad because you're probably going to be missing CJ. I actually have a very, very special guest to introduce to you. I'm actually going to be turning the tables here a bit on you and introduce to you Dr. CJ Wolf, surprisingly. Hey CJ, how are you today?

CJ: Hi! Oh, it's so exciting to be on a podcast, I've never been on one before, you know.

Jeremy: I imagine this is very different for you.

CJ: Yes, thank you for filling in for me.

Jeremy: Absolutely. I thought it would be fun for our guests to actually hear from you, you know, and all of your expertise. I know in the past, the way you usually start is to have people tell a little bit about themselves and their background. Would you do our guests the favor of telling them about you and your past, your history in compliance?

CJ: Yeah, absolutely. We always joke that no one, none of our guests grew up thinking they wanted to be a Compliance Officer. Who knows about that, who would want to do it?

Jeremy: But you did!

CJ: I did, but I didn't know it as a kid. I think most of our guests know that I come from a clinical background. I started in medical school and finished medical school, and towards the end of medical school knew that I didn't really want to practice medicine. I loved healthcare administration, I loved kind of the whole process, of how patients are taken care of and how the system can help them. Clinical medicine wasn't really, I don't think, for me personally. You've got to love that stuff to go through all those hoops. I did love the science, and I loved kind of the healthcare piece, and I looked for, after finishing medical school, I was looking for opportunities that would allow me to stay in healthcare, use a little bit of my clinical background. Intermountain Healthcare, a large system here in Utah, was looking for someone dumb enough to try to teach doctors about medical compliance, and I must have been dumb enough, because I didn't know what Medicare compliance meant. I knew that I liked to teach, and they said it was a lot of teaching and people used their clinical background, and I jumped into it, both feet, and loved it. I started off at Intermountain Healthcare just teaching doctors about Medicare compliance, documentation. Coding and billing is really where I started, became a certified coder, and kind of started down that road. Over the years I progressed in my career and wanted to do something a little bit more than coding and billing. I took a job with MD Anderson Cancer Center in Houston, Texas, and worked in their compliance office. They are a part of the University of Texas system, and so I moved from MD Anderson to the System offices in Austin and worked with the medical institutions and also the academic universities throughout the state in that system. From there I came back to Utah, working for an international medical device company as their Compliance Officer, and then had this opportunity at Healthicity.

Jeremy: And boy are we glad that you took it.

CJ: Yeah, thank you, it's been great!

Jeremy: All of us on Compliance Conversations have been really glad that you took it too.

CJ: I love the opportunity to be able to pontificate about compliance. I know some of you kind of get sick of it, but you can just turn the off button on when that's the case, but thanks for having me on the show Jeremy.

Jeremy: Absolutely. And you know, CJ, as all of our guests and listeners around the world know, this time of year there's a big topic, Risk Assessment, and in particular, HIPAA Risk Assessment, and that's the topic we'll be talking about today.

CJ: Very good.

Jeremy: One of the first questions that popped up when we were scanning and asking the questions is hearing about HIPAA risk assessments, especially this time of year. The first question is, what are they, and what should we do about them?

CJ: Yeah, we get that a lot, don't we, Jeremy, when talking to our clients? People that are using our software and people that are just wanting our consulting help, what are HIPAA risk assessments? I think the audience, there's a broad spectrum of folks out there, risk assessments, and if we're going to stick to HIPAA risk assessments, I think that will be a good idea, because we could talk hours on other risk assessments, but a HIPAA risk assessment, specifically, it's an analysis. All the potential risks and vulnerabilities, to what we refer to in HIPAA as CIA, it's Confidentiality, Integrity, and Availability of PHI. That CIA, it's kind of the triangle when it comes to security and privacy. You want to keep that information confidential, you want the integrity of it, meaning the accuracy of it, to be there. The balancing side means that it has to be available. You could keep your PHI super safe by locking it away and locking away the key, but doctors can't use it, patients can't use it.

Jeremy: What are you going to do with it?

CJ: Yeah, it's not available. Risk assessments are looking at all the different angles of where there are risks and vulnerabilities to exposing that PHI during the course of business. That's really what a HIPAA risk assessment is. We talk about two different kinds, we talk about security risk analysis, and I should also say, some people refer to it as an assessment, some people say analysis, you'll probably use both.

Jeremy: Are there differences between the two?

CJ: I don't really think so. I think in the regs they actually say "risk analysis." In compliance we do system-wide, or enterprise-wide risk assessments, which are more than just HIPAA, and sometimes as compliance folks we interchange those words, so you'll probably just hear it different ways. For our purposes, I'll try to stick to risk analysis. We shorten them, we say an SRA and a PRA. An SRA is a HIPAA security risk analysis, and a lot of our listeners know that the security rule is one of those rules under the HIPAA law that deals with ePHI, which is electronic PHI. The privacy rule, which is the other kind of assessment that we talk about is a PRA, or Privacy Risk Analysis, it deals with the HIPAA privacy rule and that is all PHI that is not electronic. So written, verbal, two nurses talking in a cafeteria about a patient when they shouldn't be, using the patient name or diagnosis or whatever. That is also PHI, and it is verbal. That's really what a risk analysis is, and we should do them, I think, which is the other part of your question, because it's required. Number one. It's a requirement, we're in compliance, a lot of us default to: is it a requirement? It is a requirement under the security rule to perform a risk analysis. If you're a physician's practice and you work with MACRA and MIPS, many of us know about meaningful use, of how doctors use electronic health records. Meaningful use has been changed under MACRA and it's now just a part of MIPS, but the concept is still the same. So, if you're doing MACRA and MIPS it's required that you do one every year.

Jeremy: Okay.

CJ: Number one reason we do them is it's a requirement. Number two, though, it's good practice, right? We're in the business of helping patients, we want to keep that information private and confidential. So, it's a good business practice and healthcare. The third reason I was thinking about is that enforcement is up. We try not to use the scare tactic, but it's a reality.

Jeremy: It can be costly.

CJ: It can be costly, exactly. There can be settlements, enforcement is up by OCR. One thing that I find interesting is that they often cite, as one of the main failures when you're dealing with a breach or investigation, that the entity failed to do a thorough risk analysis. That is one of the things that drives the settlement, because they know they are supposed to do one.

Jeremy: Right, and ignorance is not an excuse anymore.

CJ: Yeah, exactly. HIPAA, for those of us that have been around for a long time, I've been in compliance for over 20 years. HIPAA was passed in 1996, but there has not been real heavy enforcement until the last 6 to 7 years. That whole realm of enforcement is kind of newer on the HIPAA front, but it is definitely there now, and that is another reason to do one.

Jeremy: Yeah, makes a lot of sense. Another question that pops up when we talk about the HIPAA risk assessments is about covered entities and business associates.

CJ: Yeah.

Jeremy: How are covered entities and business associates doing HIPAA risk assessments?

CJ: That's a great question. I try to break it down into buckets. The two biggest buckets are internally and externally. There is no rule on who does the HIPAA risk analysis. You can do it internally. We have a lot of clients that do it internally; they use our tool to do it, and they like the flow of the tool and organizational aspects of the tool. So, you can do it internally. I usually see clients that are doing it internally, they have some sort of expertise already in house. Usually the larger entities, or those entities that have a full-time privacy officer and a full-time security officer, typically will do it internally, and that's fine, there is nothing wrong with that. We get contacted a lot, too, because people don't have that expertise in-house, and they want somebody external to help them through it. The other way to do it is an external risk assessment, where you hire somebody to come in. The entity still has a lot of work to do, because the external consultant, like myself, I don't know all the ins and outs of your organization. I'm asking a lot of questions, doing a lot of surveys, asking for documents, that sort of thing. Also, even if you have internal expertise, it's advised every 3 to 5 years, is basically what I've been seeing, even if you're a larger organization, you have a whole team of HIPAA experts internally, it's nice to get an external set of eyes to look at something. After you've done 3 or 4 risk assessments, or analyses in a row, internally, you might be missing something.

Jeremy: External eyes are always good to get you out of the mud you don't even know you're stuck in sometimes.

CJ: We even have some clients that will come to us, they are large, they have internal expertise, but they just want that external set of eyes. That's kind of just the two big buckets. From a process perspective I see a lot of organizations using paper and pencil, which is fine. A lot using email, a lot are using spreadsheets and that sort of thing, and that's, you can usually use that if it's kind of a smaller organization, not too unwieldy. But what we offer and what I've seen work as well is a software program that is designed specifically for risk analysis, that it was designed for that purpose, and it's specifically for HIPAA. Assigning out questions and getting people to upload documents, or upload training, or upload their own assessments is an important part. Our listeners need to think about how complex is our organization, can we do it through email and Excel spreadsheets, or do we need some guidance there? That is coming from a process perspective, there are two ways to do that.

Jeremy: Gotcha, that makes a lot of sense. As you see people doing these, through email, or a software program, whether it's a covered entity, or a business associate, or any other type of organization, what are some of the biggest mistakes you see people and organizations making when it comes to HIPAA risk assessments?

CJ: I think the first one is they don't do them. It needs to be said. I recently did a presentation on this topic, a little bit more formal. I was looking up some recent settlements and the director of OCR on one of the settlements said, this was a specific entity that had some breaches, the number of breaches involving a variety of locations and vulnerabilities highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. He was saying, no matter what you're doing, you might have all these technical doodads and gadgets, and all this exciting stuff. He says there is no substitute for an enterprise risk analysis, and people are not doing them. Or they think they are doing one and it's not complete, and they are like, "We'll just kind of check a few boxes and think that it's done." OCR has cited a couple of entities because the risk analysis that they did do was not a full enterprise-wide risk analysis. To your question, about mistakes I see people making, when it comes to security, which is the ePHI, a lot of organizations equate HIPAA security with technical safeguards, firewalls, encryption, and those are all important things, and they definitely fall into that realm of technical safeguards, but they think that that is the only aspect of a risk analysis that they need to look at. The security rule clearly outlines administrative safeguards, things like policies, procedures, are you doing training for employees, kind of the administrative side of a HIPAA compliance program. There are administrative safeguards in the security rule, then there are physical safeguards. I think some people on the security side forget that two thirds of this risk analysis are non-technical. There is definitely a technical piece, I'm not trying to downplay that; it is a huge part of HIPAA security, and needs to be done. In addition to that technical piece there needs to be an administrative and physical. Those are some mistakes that I see.

Another mistake is, and the analogy I often use with people, if you've ever closed on a home, like you've purchased a home, that before you close on that home, you get a home inspection.

Jeremy: Right.

CJ: The home inspector comes in on a certain day, it's a snapshot in time. He or she is not saying 12 years ago your roof needed repairs. He or she is saying for this snapshot of time that I'm here on site, I'm going to look at the plumbing, electricity, foundation, roof, all that stuff. Then what do they do? After they do that snapshot in time inspection, they give you a report, and that report usually says the roof looks pretty good, but you'll probably need to replace it in 2 years, foundation is good, there is a crack in the southwest wall, it's fine for now, but you need to keep your eye on it, and you might need to re-pour the concrete in 5 years. They go through with their expertise with what they found with a snapshot in time, which I'm equating to the risk analysis. Looking for all the risks and vulnerabilities, but just because you've done that, doesn't mean you're done. You then get a report of what you found, and what you need to mitigate over the years. That's called a mitigation plan, and OCR has cited some entities as well for not, they've done the risk analysis, but they don't have a written mitigation plan. It means you spent all this time and money finding your vulnerabilities, no organization is perfect, so you're going to have some. Write those down and then prioritize, maybe priority one for your organization is you don't have a named security officer. You write in your mitigation plan; "We're going to have a named security officer by the end of Q1." You then write your goals for Q2, maybe Q2 is you're going to formalize your training and make sure all employees are trained and have an hour of HIPAA security training a year. Or, "We're going to have monthly reminder emails, or phishing tests, or those type of things." That mitigation plan, that written mitigation plan is a key part of doing a risk analysis. Your risk analysis isn't complete until you have one.

Jeremy: Okay.

CJ: I see a lot of clients that do the first half, but then they fail to document the mitigation plan with dates and priorities of when they are going to do what over the upcoming year.

Jeremy: If someone were to do both of those, document but then not follow through is that also a crime?

CJ: Yeah, exactly, it's a problem, right? OCR has found there have been some scenarios, say, "Look, the entity did a risk analysis, they found the issue, and then they left it there."

Jeremy: Yeah.

CJ: Let's say you are aware that a certain server doesn't have a firewall, or a certain this or that, so they identify that vulnerability, but then they did nothing.

Jeremy: Yeah.

CJ: Common sense says if you look under the rug and you find a pile of dirt you sweep it up.

Jeremy: Clean it up!

CJ: You don't put the rug back down. Just like you said, Jeremy, you can't just find things and then do nothing about them. That's an important part. Now, OCR, I think, is reasonable in saying if you find a million things, you can't do all of those things over night.

Jeremy: Sure.

CJ: They are interested, I believe, in finding a mitigation plan that spells things out over time and lets an entity, or business associate, prioritize what is most important and then work down that list.

Jeremy: Interesting. It sounds to me that that makes sense why an annual HIPAA risk assessment is really important.

CJ: Yeah.

Jeremy: Because you would need to know what we did well from our last mitigating actions.

CJ: Right. Anyone that is in kind of IT security, again I'm kind of focusing on the security rule, knows that there are new threats developing on a regular basis. That antivirus software that you had last year is already out of date. Part of this annual process is making sure, what have we done with the newest information? That's a really important part of that.

Jeremy: Awesome. I think we're coming to the close here CJ, this has been a lot of fun turning the tables.

CJ: Yeah, for me too! As you can tell I can talk for hours.

Jeremy: I don't mind it; I could listen to you for hours. Thank you, guests, our audience members for our time here on Compliance Conversations, again my name is Jeremy Schow, it's been awesome spending the afternoon with you. Thank you CJ.

CJ: Thanks for having me.