A risk analysis is not a requirement of the security rule

The HIPAA Security Rule specifically focuses on safeguarding ePHI. It requires all HIPAA covered entities (CEs) and business associates (BAs) to ensure the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit, and to:

  • protect against any reasonably anticipated threats and hazards to the security or integrity of the ePHI;
  • protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule; and
  • ensure compliance by their workforce.

Among HIPAA’s Administrative Safeguards are two (2) implementation specifications under the Security Management Process standard at § 164.308(a)(1)(i).

Security Risk Analysis – The required implementation specification at § 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Security Risk Management – The required implementation specification at § 164.308(a)(1)(ii)(B), for Risk Management, requires a covered entity to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

The risk assessment report provides evidence that these implementation specifications have been addressed. These requirements exist in HITRUST as well. Contact us if you want to know more about HITRUST risk management and assessment.

Performing a risk assessment/analysis is not a one-time event. It should be reviewed whenever major changes occur, and at least annually.

What are the steps in risk assessment?

The risk assessment should follow established, repeatable assessment methodologies such as the National Institute of Standards and Technology (NIST) processes or ISO 31000. These processes are predicated on a thorough understanding of:

  • The information and technology assets in use by the organization;
  • The business and operational processes that define and depend on these assets;
  • The vulnerabilities present within those processes and assets that could create risk;
  • The reasonable threats that could exploit those vulnerabilities and create harm; and
  • The estimated likelihood and impact of the risks to information and information systems.

While all risk assessments are inherently subjective, this assessment will contain a series of value metrics that will help you remove much of the uncertainty and imprecision of qualitative assessments. These values will be defined by senior management and other key stakeholders to assure they are appropriately defined, scoped, and valid to the organization’s business processes.

Since this risk assessment is a snapshot of the organization’s risk posture, risks should be continually refined and updated to reflect changes to controls, technology, threats, and overall business. Risk treatment decisions should be thoroughly discussed and documented. Control decisions should be established in a comprehensive framework of objectives that tie directly into organizational policies and implementation standards. Findings and output from security assessments and audits should be mapped into control and asset vulnerability, to provide an even clearer depiction of organizational risk. Most importantly, organizational management should regularly update and review this document to assure risks are current and reflect a solid understanding of the organization’s current risk posture.

Final Thoughts…

Per the HIPAA Security Rule, a risk analysis is required to be performed to identify risks to ePHI. It is a required first step towards HIPAA compliance. Not doing one is a regulatory risk and can invite huge fines if there is a data breach. We have deep expertise in helping organizations like yours to stand up a risk management program.

We bring a deep understanding of the risks facing healthcare companies today. We have successfully performed Risk Analysis for many clients, both covered entities and business associates, over the past years.

We are a small firm and do not have overhead expenses like other big cybersecurity companies, and as a result, we’re able to pass on the savings to you. Contact us today!

The requirement for Covered Entities and Business Associates to conduct a HIPAA risk assessment is not a new provision of the Health Insurance Portability and Accountability Act. The requirement was first introduced in 2003 in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process), and subsequently extended in the HITECH Act of 2009 to cover the procedures following a breach of unsecured PHI to determine if there is a significant risk of harm to an individual due to the impermissible use or disclosure.

The Failure to Conduct a HIPAA Risk Assessment Can be Costly

The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of protected health information (PHI) and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing that Covered Entities and Business Associates have a legal obligation to protect PHI.

More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard patients’ personal information. Many of the largest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI exist.

However, since the start of the second round of HIPAA audits, fines have also been issued for potential breaches of PHI. These are where flaws in an organization’s security have not been uncovered by a HIPAA risk assessment, or where no assessment has been conducted at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.

It’s Not Just Large Medical Organizations in the Firing Line

Although the majority of headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, there are very many small medical practices also investigated by the Office for Civil Rights (OCR) or subject to HIPAA audits. Since 2009, OCR has received reports of 273,000 HIPAA violations. Less than 1% of these relate to data breaches involving 500 patients’ records or more.

A significant problem for small and medium sized medical practices is that not all insurance carriers cover the cost of a HIPAA breach. The cost of a HIPAA breach not only includes the fine, but also the cost of hiring IT specialists to investigate the breach, the cost of repairing public confidence in the medical practice, and the cost of providing credit monitoring services for patients. Insurers may also limit their coverage according to the nature of the HIPAA violation and the level of negligence.

Without insurance coverage, the cost of a HIPAA breach could potentially close a small medical practice. However, this scenario can be avoided by conducting a HIPAA risk assessment and implementing measures to fix any uncovered security flaws. An assessment can be complicated and time-consuming, but the alternative is potentially terminal to small medical practices and their Business Associates.

It’s Not Just Medical Organizations in the Firing Line

Every Covered Entity that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements of the HIPAA Security Rule. This condition of HIPAA compliance not only applies to medical facilities and health plans. Business Associates, subcontractors, and vendors must also conduct a HIPAA risk assessment if they or their systems have contact with ePHI. As with Covered Entities, fines for non-compliance can be issued by OCR against Business Associates for potential breaches of PHI.

OCR treats these risks seriously. In December 2014, the department revealed that 40% of all HIPAA breaches involving an exposure of more than 500 patient records were attributable to the negligence of Business Associates. In June 2016, it issued its first fine against a Business Associate – the Catholic Health Care Services of the Archdiocese of Philadelphia agreeing to pay $650,000 following a breach of 450 patient records. The non-profit organization had failed to conduct a HIPAA risk assessment since 2013.

What a HIPAA Risk Assessment Should Consist Of

The US Department of Health & Human Services (HHS) acknowledges that it does not prescribe a specific risk analysis methodology, because Covered Entities and Business Associates vary significantly in size, complexity, and capabilities. However, HHS does state the objective of a HIPAA risk assessment: to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all PHI that an organization creates, receives, maintains, or transmits.

In order to achieve this objective, HHS suggests an organization’s HIPAA risk analysis should:

  • Identify where PHI is stored, received, maintained or transmitted.
  • Identify and document potential threats and vulnerabilities.
  • Assess current security measures used to safeguard PHI.
  • Assess whether the current security measures are used properly.
  • Determine the likelihood of a “reasonably anticipated” threat.
  • Determine the potential impact of a breach of PHI.
  • Assign risk levels for vulnerability and impact combinations.
  • Document the assessment and take action where necessary.

A HIPAA risk assessment is not a one-time exercise. Assessments should be reviewed periodically and as new work practices are implemented or new technology is introduced. HHS does not provide guidance on the frequency of reviews other than to suggest they may be conducted annually depending on an organization’s circumstances.

HIPAA Privacy Risk Assessment

Because the requirement to conduct risk assessments was introduced in the HIPAA Security Rule, many Covered Entities and Business Associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is equally as important as a security risk assessment, but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first task is to identify organizational workflows and get a “big picture” view of how the requirements of the HIPAA Privacy Rule impact the organization’s operations. Thereafter the Privacy Officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.

The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy risk assessment and should be reviewed as suggested by the HHS (above) as new work practices are implemented or new technology is introduced.

As required by 45 CFR § 164.530, it is essential employees are trained on any policies and procedures developed as a result of a HIPAA privacy risk assessment and when material changes to policies and procedures impact employees’ functions. Although Covered Entities and Business Associates often comply with this requirement “to tick the box”, better trained staff make fewer HIPAA errors, so training on HIPAA policies and procedures should be embraced as a risk mitigation strategy.

Developing a Risk Management Plan and Implementing New Procedures

A HIPAA risk assessment should reveal any areas of an organization’s security that need attention. Organizations then need to compile a risk management plan in order to address the weaknesses and vulnerabilities uncovered by the assessment and implement new procedures and policies where necessary to close the vulnerabilities most likely to result in a breach of PHI.

The risk levels assigned to each vulnerability will give an organization direction on the priority that each vulnerability needs to be given. The organization can then create a remediation plan to tackle the most critical vulnerabilities first. The remediation plan should be complemented with new procedures and policies where necessary, and appropriate workforce training and awareness programs.

It has been noted by OCR that the most frequent reason why Covered Entities and Business Associates fail HIPAA audits is because of a lack of procedures and policies – or inadequate policies and procedures. It is important that the appropriate procedures and policies are implemented in order to enforce changes to the workflow that have been introduced as a result of the HIPAA risk assessment.

Tools to Assist with a HIPAA Risk Assessment

Conducting a HIPAA risk assessment on every aspect of an organization’s operations – no matter what its size – can be complex. This is particularly true for small medical practices with limited resources and no previous experience of complying with HIPAA regulations. Consequently, in 2014, OCR released a downloadable Security Risk Assessment (SRA) tool that helps small and medium sized medical practices with the compilation of a HIPAA risk assessment.

The SRA tool is useful for helping organizations identify some locations where weaknesses and vulnerabilities may exist – but not all. In the User Guide accompanying the software, it is stated at the beginning of the document that “the SRA tool is not a guarantee of HIPAA compliance”. Furthermore, although the tool consists of 156 questions relating to the confidentiality, availability and integrity of all PHI, there are no suggestions on how to assign risk levels or what policies and procedures to introduce.

Much the same applies to other third-party tools that can be found on the Internet. They may also help organizations identify some weaknesses and vulnerabilities, but not provide a fully-compliant HIPAA risk assessment. Indeed, many third-party vendors publish disclaimers in the small print of their terms and conditions similar to that at the beginning of the SRA tool User Guide. The conclusion is that tools to assist with a HIPAA risk assessment can be helpful for identifying issues, but are not suitable for providing solutions.

HIPAA Risk Assessment FAQ

Where are risks most commonly identified?

HHS does not release details of the most commonly identified risks as these can vary in relevance. For example, a small medical practice may be at greater risk of unauthorized disclosure through personal interactions between staff, while a large healthcare group may be at greater risk due to the misconfiguration of cloud servers.

What is a “reasonably anticipated threat”?

Reasonably anticipated threats are any threats to HIPAA compliance that are foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training. This is why a “big picture” view of organizational workflows is essential to identify reasonably anticipated threats.

What is the difference between a risk assessment and a risk analysis?

A risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations. The objective of assigning risk levels to each risk is so that risks with the potential to be most damaging can be addressed as priorities. Most HIPAA risk analyses are conducted using a qualitative risk matrix.
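The qualitative risk matrix this answer mentions, together with the HHS steps listed earlier (identify where PHI lives, assess current safeguards and whether they are used properly, estimate likelihood and impact, assign risk levels) and the prioritization that feeds the remediation plan, as an added Python example. This is not code from the original article and is not the SRA tool; the 3x3 matrix bands, the one-step likelihood credit for an effective control, and every register entry are constructed assumptions for illustration.

```python
"""Qualitative risk register and 3x3 likelihood/impact matrix (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List

# Ordered qualitative scale; list position (+1) is the numeric score.
SCALE = ["low", "medium", "high"]


def step_down(value: str) -> str:
    """Lower a qualitative value by one step; 'low' stays 'low'."""
    return SCALE[max(SCALE.index(value) - 1, 0)]


@dataclass
class RiskItem:
    """One row of the register: where ePHI lives, what threatens it, and how."""
    item_id: str
    ephi_location: str          # where ePHI is stored, received, maintained or transmitted
    threat: str                 # a reasonably anticipated threat (external or human error)
    vulnerability: str          # the weakness that threat could exploit
    likelihood: str             # inherent likelihood, before crediting any safeguard
    impact: str                 # impact on confidentiality, integrity or availability
    control: str = ""           # existing safeguard, if any
    control_effective: bool = False  # is the safeguard actually used properly?

    def residual_likelihood(self) -> str:
        # Assumption (not from HHS guidance): a safeguard that exists AND is used
        # properly lowers likelihood one step. A safeguard that exists on paper but
        # is not applied gets no credit, which is what "assess whether current
        # security measures are used properly" is meant to catch.
        if self.control and self.control_effective:
            return step_down(self.likelihood)
        return self.likelihood


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric cell of the matrix: likelihood (1-3) times impact (1-3)."""
    return (SCALE.index(likelihood) + 1) * (SCALE.index(impact) + 1)


def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative band for a matrix cell. Products of a 3x3 grid are 1,2,3,4,6,9."""
    score = risk_score(likelihood, impact)
    if score == 9:
        return "Critical"
    if score == 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(register: List[RiskItem]) -> List[RiskItem]:
    """Order the register so the most damaging residual risks are remediated first."""
    return sorted(
        register,
        key=lambda r: (-risk_score(r.residual_likelihood(), r.impact), r.item_id),
    )


def remediation_order(register: List[RiskItem]) -> List[str]:
    """Item IDs in the order a remediation plan should tackle them."""
    return [r.item_id for r in prioritize(register)]


def level_counts(register: List[RiskItem]) -> Dict[str, int]:
    """How many items fall in each band; useful for the summary of the written report."""
    counts: Dict[str, int] = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[risk_level(r.residual_likelihood(), r.impact)] += 1
    return counts


# Constructed sample register for a small practice; every value is illustrative.
SAMPLE_REGISTER = [
    RiskItem("R1", "EHR database server", "ransomware delivered by phishing",
             "no offline backups", "high", "high"),
    RiskItem("R2", "clinician laptops", "lost or stolen device",
             "disk encryption not enabled on every laptop", "medium", "high",
             control="full-disk encryption policy", control_effective=False),
    RiskItem("R3", "front-desk workstations", "staff error: record faxed to wrong recipient",
             "no second-person check on outgoing faxes", "high", "medium",
             control="annual privacy training", control_effective=True),
    RiskItem("R4", "billing file share", "former employee account still active",
             "no termination checklist", "medium", "medium",
             control="quarterly access review", control_effective=True),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        lik = r.residual_likelihood()
        print(f"{r.item_id} {risk_level(lik, r.impact):8} "
              f"(likelihood={lik}, impact={r.impact}) {r.ephi_location}: {r.threat}")
    print(level_counts(SAMPLE_REGISTER))
```

Note how R2 gets no credit for its encryption policy because the assessment found it is not applied on every laptop, so it stays High, while R3's training control is in use and pulls a high-likelihood human-error threat down to Medium. That distinction between a safeguard that exists and one that is used properly is the part of the HHS steps most often skipped, and it is what changes the remediation order.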

Who is responsible for conducting a HIPAA security risk assessment?

HIPAA security risk assessments are either conducted by a HIPAA Compliance Officer; or, if the responsibility for HIPAA compliance is shared between a HIPAA Privacy Officer and a HIPAA Security Officer, the risk assessment and analysis should be conducted by the HIPAA Security Officer with assistance from his or her colleague depending on the nature of risks identified.

Are there different types of risk assessment for Covered Entities and Business Associates?

Covered Entities and Business Associates both need to conduct “A-to-Z” risk assessments for any Protected Health Information created, used, or stored. While Business Associates may experience a lower volume of PHI than a Covered Entity, the risk assessment has to be just as thorough and just as well documented.

What are the main requirements of the Security Rule?

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Is a security risk analysis required by HIPAA?

Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.

What is a security risk analysis?

A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view the application portfolio holistically—from an attacker's perspective.

What are the requirements of the HIPAA Security Rule?

The HIPAA Security Rule requires physicians to protect patients' electronically stored, protected health information (known as “ePHI”) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.