During the past few years, there has been a significant increase in the number of data breaches reported, including those related to hacking and criminal behavior by employees, even at organizations thought of as having world-class information security. In addition, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is re-invigorating its Health Insurance Portability and Accountability Act (HIPAA) compliance auditing and will include business associates of covered entities. HHS requires all healthcare entities, from small provider groups to large health systems, to continuously assess risks and vulnerabilities to their data and to develop a plan for reducing the risk of a data breach. The laws require all covered entities and their business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) they hold (45 C.F.R. 164.308(a)(1)(ii)(A)); to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (45 C.F.R. 164.308(a)(1)(ii)(B)); and to implement security measures to guard against unauthorized access to ePHI transmitted over an electronic network (45 C.F.R. 164.312(e)).

HIPAA risk assessments are a cornerstone of an effective HIPAA security program for properly securing ePHI. The risk assessment helps to identify what risks and vulnerabilities exist in the environment and to manage them effectively. Some of the most common pitfalls that can derail a HIPAA risk assessment include:
1. Relying too heavily on Sarbanes-Oxley (SOX) controls, Service Organization Controls (SOC) 1 reports, and/or financial statement audits.
While there will be some opportunities to leverage previously conducted risk assessments or audits to identify controls throughout an environment, SOX controls, SOC 1 reports, and financial statement audits are performed to assess and mitigate risks related to financial statements, not ePHI. When performing an effective HIPAA risk assessment, management should step back from existing assessments and make sure that they are appropriately focused on controls that secure ePHI. This typically means starting with a blank slate, then populating controls as needed once all of the ePHI has been properly identified. This point leads to pitfall number 2 …
2. Not identifying all of the ePHI within the organization.
Many times, risk assessments focus only on where ePHI is “supposed to be,” not on “where it could be.” It is important not just to look at where ePHI should be, but also to consider the other places ePHI could be. Many organizations incorrectly assume the risk assessments they performed as part of their Electronic Health Records (EHR) implementations will cover all ePHI. Those risk assessments generally were narrowly focused on the EHR systems themselves and often did not take into account an organization-wide view of where ePHI may reside. A HIPAA risk assessment needs to look beyond just the EHR to be effective. Thumb drives, local hard drives, email, mobile devices, and fax machines and copiers are often overlooked as places where ePHI could intentionally or unintentionally reside and be at risk.
3. Not addressing “low hanging fruit”.
It is inevitable that the risk assessment will identify areas for improvement throughout the organization. It is common for the management team to want to rally the group around addressing the biggest problems first. However, there are many instances where huge progress can be made by taking care of some of the simpler issues. Some of the easier steps that tend to be overlooked include designating a HIPAA Security Officer, conducting HIPAA awareness training, and establishing vendor/contractor management policies. These changes tend to have a pervasive effect throughout the organization and will often help with progress in other areas.
4. Not being objective during reviews of processes and controls.
As hard as it sounds, the risk assessment should be seen as an opportunity to look at the organization and objectively identify areas for improvement. Often, this means management will be looking at processes they designed and have worked with for years. It is important to use the risk assessment to identify gaps and strengthen controls, not just to “justify” that the existing controls are “good enough” or “aren’t going to change.” The risk assessment is also an excellent opportunity to gain executive buy-in, so the management team understands they are supported in efforts to improve controls.
5. Not following through on remediation plans.
It takes a lot of effort to properly conduct a HIPAA risk assessment and to plan remediation of the gaps identified. Continuously following through on the remediation plans can also be difficult, but it is necessary to make sure all gaps are closed. Organizations often “lose steam” after the risk assessment, and efforts may get diverted to other projects. It is important to set up periodic status meetings to ensure remediation efforts continue.
The average cost of a healthcare data breach in the United States in 2014 was $6.5 million, according to a recent report by the Ponemon Institute. In addition, criminal hackers more than doubled their attacks on healthcare companies over the past five years. Proactively addressing risk assessments and data security before a breach occurs is more important today than ever, especially when you look at the costs associated with a breach investigation, breach notifications, government investigations, government fines, continued government monitoring pursuant to an HHS-imposed corrective action plan, and defending lawsuits related to the breach. Documenting a program of continued risk assessment for compliance with the HIPAA security and privacy rules will help your organization reduce the risk of a breach, the fines under HIPAA, and the costs associated with a breach.
For more information on this topic, or to learn how Baker Tilly healthcare specialists can help, contact our team.