A recent article on HealthITSecurity.com reviewed the HHS’ Office for Civil Rights (OCR) recent announcement of the new OCR director and what it means for the world of HIPAA.
The article will give you an overview of who is now leading enforcement of HIPAA regulations relating to data security, privacy, and data security incidents. The expectation, based on the new Director’s background, is that OCR will enhance its focus on data breach management and guidance, which includes additional guidance on risk assessment, analysis, and managing your HIPAA compliance program with an emphasis on enforcement.
What does this mean and how can you protect your organization?
In this article, we’ll go into what Loricca has been recommending to our customers for over a decade and how to manage your HIPAA Compliance Program to face the new direction from OCR.
Data breach management begins with a risk assessment, as this is the first step in protecting patient information handled by your organization from a breach and a potential OCR audit. Under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii), you are required to
- Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.
- Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.
Risk analysis should be an ongoing process to regularly review records to track access to ePHI and detect security incidents, periodically evaluate the effectiveness of security measures put in place, and regularly re-evaluate potential risks to ePHI.
No Cost Sources
There are two no-cost sources that provide guidance on how to meet this requirement. The NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. NIST also provides a NIST HIPAA Security Rule Toolkit, which will guide you through the process. Both provide a great deal of guidance, but they aren’t easy to use for someone without a background in HIPAA compliance, IT Security or auditing practices.
Another great source to use is the NIST Cybersecurity Framework (NIST CSF). HHS has mapped NIST CSF to HIPAA, but again this can be very technical and while it certainly meets the requirements, the end result will only be as good as the team performing it.
Third Party Assessors
We are often asked if you are required to engage a Third Party assessor to perform the risk assessment. The short answer is no, but before making the decision, we recommend you consider several factors.
- Does your team have the necessary experience?
The purpose of doing a risk assessment is not to get a clean report or to check a box. The purpose is to identify where your organization’s risks are and evaluate if they are adequately protected. Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
- Do you have leadership support?
Recommendations from an experienced professional can provide added leverage to obtain leadership support for the security budget.
It is recommended that a risk assessment be conducted annually, in addition to identifying and managing risks on an ongoing basis. Not only will this provide the best protection against a ‘failure to maintain’ determination but it’s the best way to detect changes in the environment. The cost of doing annual risk assessments is easily a great cost-saving over a security incident or non-compliant business changes.
Another approach is we can conduct an initial assessment and set your organization up to do self-assessments.
How to Manage Risk
Step 1: Identify, analyze and evaluate the risk.
Evaluate the likelihood and impact of potential risks to ePHI. The benefit of identifying possible risks is that all stakeholders have access to the information and can implement a mitigation process if necessary.
The scope of the risks identified must be analyzed. This includes determining the probability the risk will happen and the consequences. The goal of risk analysis is to understand how each risk could impact business functions and the business as a whole.
If not already done, risks need to be ranked. A risk that will only cause minor inconvenience should be ranked with lower importance, while risks that will cause major losses should be ranked highly. The company should then make decisions based on whether the risk is worth having. If a risk can’t be eliminated, such as any market or environmental risk, it should be monitored. This can be done by occasionally following up on the risk and the plan put in place for it.
Step 2: Mitigate the risk
After evaluating the risk, a company should develop a plan to mitigate the highest-ranked risks. This can be done by connecting with the risk to the appropriate department within the company. Plans for risk mitigation can include risk mitigation processes, risk prevention tactics, and contingency plans.
Implement appropriate security measures to address the risks identified in the risk analysis;
Step 3: Creating an Action Plan
Once you have completed these steps, create an action plan to implement appropriate security measures to safeguard the confidentiality, integrity and availability of ePHI and make your practice better at protecting patients’ health information.
Document the security measures and, where required, the rationale for adopting those measures, the individual responsible for implementing the required changes, and a target date identifying when it is expected the required changes will be implemented.
Step 4: Monitor and review the risk
Maintain continuous, reasonable, and appropriate security protections.
If a risk can’t be eliminated, such as any market or environmental risk, it should be monitored. This can be done by occasionally following up on the risk and the plan put in place for it. The overall risk management process should also be monitored and updated as necessary.
Identification and management of risks is the key to not only protecting the sensitive data your organization has but also being prepared for any kind of breach enforcement activity. Throughout this process the importance of documentation cannot be overstated. Documentation of the risks and mitigation activities is critical not only to timely resolution but to protect the organization in the event evidence needs to be provided for due diligence. Following these guidelines will not only reduce the risk of a data breach but will reduce the cost and severity of any issue which does occur. Don’t forget to include your suppliers in this process as heightened scrutiny of vendor due diligence is also expected.
McKeon, J. (2021, October 11). With a new leader, OCR to focus on risk analysis, HIPAA enforcement. HealthITSecurity. Retrieved from https://healthitsecurity.com/news/with-a-new-leader-ocr-to-focus-on-risk-analysis-hipaa-enforcement.
CMS. (n.d.). Security risk analysis tip sheet: Protect Patient Health Information. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf.