
The Importance of Conducting Risk Analysis as Part of Your HIPAA Compliance

05.16.2012

The costs to providers for data breaches of personal health information (“PHI”) are rising dramatically. In fact, some estimates show that major data breaches are averaging around $1,000 per patient.[1] So by now you are probably keenly aware that the Department of Health and Human Services Office for Civil Rights (“OCR”), the government entity in charge of administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), has been aggressively investigating and prosecuting providers for potential violations of HIPAA. In April, for example, OCR settled with Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona (“PCS”), to the tune of $100,000.00 for potential HIPAA violations.[2]

Interestingly, among the issues uncovered by OCR’s investigation of PCS was a commonly overlooked HIPAA requirement: failure to conduct a risk analysis.[3] In the HIPAA implementing regulations, the Centers for Medicare and Medicaid (“CMS”) established a minimum standard of security for electronic PHI (“e-PHI”),[4] commonly known as the Security Rule.[5] Specifically, the Security Rule sets forth three categories of safeguards (administrative, physical, and technical) that providers must implement to protect the e-PHI of patients. The first step for a provider in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule is conducting a risk analysis.[6] The Security Rule defines “risk analysis” as conducting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information held by the covered entity.”[7]

The Security Rule does not prescribe a specific risk analysis methodology, recognizing that the methods will vary with the size, complexity, and capabilities of the provider. Instead, the Security Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any adopted methodology must achieve.

However, the Office of the National Coordinator (“ONC”) has published a Guide to Privacy and Security of Health Information[8] in which it provides additional guidance on conducting a security risk analysis. Some of the questions ONC suggests that providers ask include:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Additionally, OCR outlines elements that should be included in the risk analysis:[9]

  • considering the proper scope of the analysis;
  • collecting data;
  • identifying and documenting potential threats and liabilities;
  • assessing current security measures;
  • determining the likelihood of threat occurrence;
  • determining the potential impact of threat occurrence;
  • determining the level of risk;
  • finalizing documentation; and
  • periodically reviewing and updating the risk assessment.

Furthermore, OCR offers the National Institute of Standards and Technology (“NIST”) recommendations and standards in NIST Special Publication 800-30[10] as a good blueprint for the steps to be applied in a risk analysis.

It is important to note that electronic health records vendors are not responsible for compliance with HIPAA rules; providers are! However, there are organizations that specialize in helping providers conduct a thorough and compliant risk analysis, which will be necessary in reaching substantial compliance with many other standards and implementation specifications. According to ONC, providers can and should use the information gleaned from their risk analysis to design appropriate personnel screening processes, identify what data to back up and how, decide whether and how to use encryption, address what data must be authenticated in particular situations to protect data integrity, and determine the appropriate manner of protecting health information transmissions.

Conducting a risk assessment is the first step of an ongoing HIPAA compliance plan. To comply with HIPAA, providers must continue to review, correct or modify, and update the security protections of PHI. Therefore, to avoid the costly mistakes of other providers like PCS, a HIPAA risk assessment should be in your organization’s plans to ensure that it is adequately protecting its patients’ PHI.

This article was originally published in the May 2012 issue of Atlanta Hospital News.

[1] http://www.faronics.com/2012/hipaa-hitech-data-breach-costs-hit-1000-per-patient/.

[2] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf.

[3] Id.

[4] This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations.

[5] 45 C.F.R. Part 160 and Subparts A and C of Part 164.

[6] 45 C.F.R. § 164.308(a)(1)(ii)(A).

[7] Id.

[8] http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.

[9] OCR Guidance on Risk Analysis Requirements Under The HIPAA Security Rule, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf.

[10] Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf.