Has your organization completed a current Risk Assessment? Do you have a Risk Management Work Plan in your office?
by Jodie Cannon, BS, OSHA/HIPAA Consultant
All ePHI that is created, received, maintained, or transmitted by an organization is subject to the HIPAA Security Rule. What is the HIPAA Security Rule exactly? “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” https://www.hhs.gov/hipaa/for-professionals/security/index.html
The Security Rule sets the standards:
- Who should have access to Electronic Patient Health Information (ePHI)?
- Only those who should have access to ePHI will actually have access.
- The Security Rule covers only PHI that is in electronic form and how it is transmitted. Examples include email, computers, outdated backup ‘tapes’, old backups, etc.
- The Security Rule does not cover PHI that is transmitted or stored on paper or provided
One of the main purposes of the HIPAA Security Rule is to make sure that an organization is taking appropriate measures to minimize the risk of a breach of ePHI by applying the administrative, physical, and technical safeguards set forth by HHS/OCR (Health & Human Services/Office for Civil Rights). Organizations must maintain the confidentiality, integrity, and security of ePHI by applying the appropriate security safeguards set forth within the Security Rule. How do we accomplish this? An organization must perform a Risk Analysis (Risk Assessment) and implement security measures through Risk Management (Work Plan) to remediate the security deficiencies that were identified. Modern Practice Solutions refers to these as a Risk Assessment and a Risk Assessment Work Plan. HHS/OCR places great emphasis on both the Risk Assessment and the subsequent Risk Management, as together they are the best indication that an organization has an active HIPAA compliance program in place.
HHS/OCR has imposed fines and penalties on organizations for lack of a Risk Analysis and Risk Management. Many breaches might have been prevented by conducting a thorough Risk Assessment and applying the appropriate safeguard measures. In fact, if an analysis were performed on the fines and penalties imposed by HHS/OCR, one would find, almost universally, that these two required HIPAA compliance elements were not in place within the sanctioned organization.
What exactly is a Risk Analysis or Risk Assessment?
A HIPAA Risk Assessment is the process of identifying potential security risks by assessing where your ePHI is located and how secure the ePHI is within your organization. After assessing and identifying the potential risks, you can determine the likelihood or the probability of the risk occurring and the magnitude of those risks. Some sample questions to consider may be:
- How does ePHI flow throughout the organization?
- Who has access to the ePHI both internally and externally? Remember, the Security Rule sets the standard that only those who should have access to ePHI will actually have access.
- What is your backup method for your systems containing ePHI such as servers, software programs, etc.? Who has access to those systems? How secure are those systems?
- How does your organization send ePHI via email? Is the email sent by a secure means, with end-to-end encryption? If not, do you have prior written authorization from the patient to send it in an unsecured manner?
Remember, the current top 5 Cybersecurity threats to the healthcare industry are:
- Phishing emails
- Loss or theft of data or equipment such as media devices and mobile devices
- Internal (accidental or intentional data loss)
- Attacks against connected media devices (any medical devices connected to the Internet)
What exactly is a Work Plan?
At Modern Practice Solutions, we use the term “Work Plan” to refer to a tool that helps you manage the Risk Management process of correcting the security deficiencies or findings identified in the Risk Assessment. Each security deficiency represents an area of high risk of causing a breach. Different organizations use different terms for the Work Plan, but regardless of what you call it, every organization needs a systematic way to manage the risk and remediate the security deficiencies or findings identified in the Risk Assessment (RA). The Risk Assessment Work Plan lists the risks identified by the RA and allows you to make notes. It also provides blank fields for you to track your plan and progress, including Completion (yes/no/NA), Estimated Completion Date, Actual Completion Date, and any notes you wish to enter. It is up to each organization to determine how it will manage and implement the Work Plan. This is part of the required Risk Management process of the Security Rule. Risk Management requires an organization to make decisions on how to address the security risks and vulnerabilities identified during the Risk Assessment. The organization should implement security measures that reduce risks to a reasonable and appropriate level based on its own circumstances.
Remember, if a security safeguard is required, the organization must implement it. If a security safeguard is addressable, the organization must assess whether the safeguard is reasonable and appropriate for its environment and how much it is likely to contribute to the protection of ePHI. If it is a reasonable safeguard, you must implement it. If the addressable safeguard is not reasonable, you must document why not and describe the alternative method that is reasonable and appropriate.
What is the time frame in which security deficiencies must be remediated?
This is one of the gray areas of HIPAA. There is no required time frame. The HIPAA regulation allows every entity to implement Risk Management as the organization deems appropriate. That means you get to decide the pace at which your organization implements the security deficiency recommendations. This is beneficial in that you can proceed at a pace you deem desirable. The downside is that whatever you decide would be reviewable in the event of an investigation by HHS/OCR. If the auditor finds that you are not implementing Risk Management at a reasonable pace, that could be a problem. Pro Tip: Show progress on your Work Plan to demonstrate that you are actively working on improving HIPAA compliance. DO NOT just review the Work Plan and then fail to follow through. Having a completed HIPAA Risk Assessment but not managing the risk could result in fines and penalties in the event of a breach.
For additional information and guidance on risk analysis requirements under the HIPAA Security Rule,
What if I do not have a current HIPAA Risk Assessment or Risk Management Plan?
We at Modern Practice Solutions will be happy to assist. Please contact our office at 931-232-7738.
What if I have questions about the Work Plan? Easy. Just contact us. We will be happy to help you out. Send an email to firstname.lastname@example.org or contact our office at 931-232-7738.
We also offer an intensive, 6-hour Advanced HIPAA Course for CE that discusses the Privacy & Security Safeguards in depth. If you would like more detailed information on our upcoming classes, please contact Heather Miller at email@example.com.