A risk analysis is fundamental to any HIPAA compliance program, but conducting one effectively can be a challenge. Too often, the risk analysis is a perfunctory task that lets you check off a requirement, when it should be a valuable tool that drives the rest of your compliance efforts.
The Office for Civil Rights (OCR) studies the HIPAA risk analysis closely when investigating potential HIPAA violations, says Kathleen D. Kenney, JD, with the Polsinelli law firm in Chicago. She previously worked for the OCR, where she was the subject matter expert for breach notification, assisted in the administrative rulemaking process, drafted preamble language for the Omnibus Rule amending HIPAA, and actively participated on OCR’s audit team. The risk analysis requirement is a required implementation specification of the HIPAA Security Rule, found at 45 CFR 164.308(a)(1)(ii)(A) under the administrative safeguards.
“We’re seeing risk analysis come up again and again in enforcement cases,” Kenney says. “The big challenge for covered entities is identifying the scope of your responsibility, exactly where all your PHI [protected health information] is. It sounds like that shouldn’t be so difficult, but a lot of entities struggle with it, especially when they are trying to do the analysis in the aftermath of a breach.”
The task can be challenging because of the many ways PHI can be stored and transmitted, Kenney says. She points to the example in which a covered entity violated HIPAA by failing to delete PHI from a photocopier before selling it. No one had realized that digital photocopiers retain copies of scanned documents on an internal hard drive, so that risk wasn’t included in the analysis, and, therefore, no safeguard was established.
The rapid adoption of new technology worsens the problem, Kenney says. Physicians and employees are constantly finding new devices, services, and apps that make their work more efficient, so they want to use them with PHI. The key for compliance is that you must know about the new technology and approve its use beforehand, Kenney says.
“You want to think about the risks to the data and how you are going to protect it before you allow the use of the device,” she says. “Your risk analysis should help you assess the new technology and impose the appropriate limits and safeguards. OCR wants you working on the front end of this, not reacting when you find out Dr. Smith has been using a new device for six months.”
Emphasizing the Scope
Providers often underestimate how broad the analysis should be, says Leah A. Voigt, JD, MPH, chief privacy and research integrity officer for Spectrum Health, a not-for-profit managed care healthcare organization based in Grand Rapids, MI.
“It’s become clear from the Office for Civil Rights in the past couple of years that what they’re looking for is far more detailed and far more comprehensive than the industry initially anticipated,” Voigt says.
Voigt notes that OCR cited the failure to complete a comprehensive risk analysis as a key problem leading to the recent $2.7 million settlement with Oregon Health & Science University (OHSU) in Portland.
“What sticks out to me as a privacy officer for a healthcare organization is that the OCR has emphasized that the risk assessment must cover all electronic PHI created or maintained by a covered entity or business associate,” Voigt says. “It’s that three-letter word, ‘all,’ that I think is really important.”
That expectation goes far beyond the electronic medical record, Voigt says. She advises visiting facilities to see how PHI is used in various settings and what must be included in the analysis.
“If you walk around and talk to people, you’ll see that you didn’t realize someone had PHI in a folder in a part of the system you didn’t include,” Voigt says. “This analysis is not something you can do just sitting at your desk.”
Evaluate Risk and Severity
Once you have mapped where ePHI lives and the threats to it (the relevant risk universe), the next step is to evaluate each risk and determine the likelihood of the threat event and the impact if it occurs, says Eric Dieterich, a partner with the data privacy practice of Sunera, a cyber risk management company in Sunrise, FL. Combining likelihood and impact yields an inherent risk ranking for each item, before any controls are credited.
The final phase of the risk analysis is an evaluation of your current safeguards to determine how effectively they reduce each inherent risk ranking to a residual risk.
“This evaluation of safeguards is one area in which organizations often fall short, increasing the risk of non-compliance with the relevant HIPAA safeguards,” Dieterich says. “The HIPAA standards often require specific language to be present in internal policies and procedures, they have defined operational practices, and there is the implementation of technical safeguards, all of which can be easily overlooked.”
To evaluate the effectiveness of these safeguards and identify areas of non-compliance, Dieterich says organizations should perform detailed discovery and an in-depth analysis of existing documentation, review operational practices, and evaluate relevant technologies.
“This deeper dive into the effectiveness of an organization’s safeguards provides the foundation for the assigned risk mitigation of your risk analysis program, leading to a stronger compliance program and one that can stand the test of the increasing regulatory scrutiny,” he says.
Give Yourself Credit
Kenney notes, however, that covered entities often do not give themselves enough credit for the safeguards they do have in place. Even if the safeguard is not ideal, perhaps because you cannot afford the best solution, you should document clearly how you are addressing the risk, she says. Otherwise, OCR could come away with a worse impression of your compliance than is warranted.
“If you can’t afford encryption, note that the smartphones are password-protected and you have the ability to wipe them remotely — things like that,” she says. “You want to give yourself credit where credit is due, even if there are still shortcomings from what you would do ideally.”
A related problem with risk analyses is that covered entities don’t act sufficiently on the information they gather, Kenney says. Under the Security Rule, an implementation specification labeled “addressable” (as opposed to “required”) still must be addressed: the entity either implements it, or documents why it is not reasonable and appropriate in its environment and implements an equivalent alternative measure.
“OCR has said over and over in public engagements that addressable does not mean optional, but we still see entities that don’t understand that,” Kenney says. “You need to go through the risk analysis and determine whether the potential impact from this addressable risk is high, and, if so, what you are doing to address it. You may have to address it over a longer scope of time than you’d prefer, but you must identify the mitigation steps.”
Don’t Promise Too Much
Kenney also cautions against overpromising. When you identify a risk and a solution, such as encrypting phones, be careful about saying when that will be completed. If you say you’re going to have the phones encrypted in six months, you may have a breach eight months later, and OCR’s investigation will find that you didn’t follow through on your promise.
“That puts you in a worse position than if you had been more realistic about what you could do with your resources,” Kenney says.
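The following Python risk register is an added illustration, not code from the article or from any of the sources quoted. It applies the steps from the “Evaluate Risk and Severity” section (score likelihood and impact for an inherent ranking, then credit existing safeguards to arrive at a residual ranking) and the cautions from “Give Yourself Credit” and “Don’t Promise Too Much” (record compensating controls and the rationale for an addressable specification, and flag committed remediation dates that have passed). The 1–3 scales, the assets, the effectiveness ratings, the dates and the CFR mappings chosen for each row are constructed assumptions for the example; the 45 CFR citations themselves are real, but which specification a given asset maps to is a judgment the entity must make for itself.

```python
"""Toy HIPAA Security Rule risk register (added example; all data constructed)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed 1-3 ordinal scales; inherent risk = likelihood x impact (range 1-9).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Safeguard:
    name: str
    effectiveness: float            # assumed fraction of inherent risk removed, 0..1
    implemented: bool = True
    target_date: Optional[date] = None  # committed completion date if not yet in place


@dataclass
class Risk:
    asset: str                      # where the ePHI lives
    threat: str
    likelihood: str
    impact: str
    spec: str                       # Security Rule implementation specification (45 CFR)
    spec_type: str                  # "required" or "addressable"
    safeguards: List[Safeguard] = field(default_factory=list)
    alt_rationale: str = ""         # documented reason + alternative if an addressable spec is not implemented as written

    def inherent(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        # Each implemented safeguard removes its assumed fraction of the remaining risk.
        score = float(self.inherent())
        for s in self.safeguards:
            if s.implemented:
                score *= 1.0 - s.effectiveness
        return round(score, 2)


def findings(register: List[Risk], today: date, residual_threshold: float = 4.0) -> List[Tuple[str, str]]:
    """Return (asset, message) pairs an auditor would want explained."""
    out: List[Tuple[str, str]] = []
    for r in register:
        implemented = [s for s in r.safeguards if s.implemented]
        # "Addressable does not mean optional": implement it, or document the alternative.
        if r.spec_type == "addressable" and not implemented and not r.alt_rationale:
            out.append((r.asset, f"addressable spec {r.spec} unaddressed: implement it or document the alternative"))
        # "Give yourself credit": an empty safeguard list reads to OCR as no control at all.
        if not r.safeguards:
            out.append((r.asset, "no safeguard documented; record existing controls even if imperfect"))
        # "Don't promise too much": a committed date that has slipped is worse than no date.
        for s in r.safeguards:
            if not s.implemented and s.target_date and s.target_date < today:
                out.append((r.asset, f"committed date {s.target_date.isoformat()} for '{s.name}' has passed"))
        if r.residual() >= residual_threshold:
            out.append((r.asset, f"residual risk {r.residual()} at or above {residual_threshold}; mitigation plan required"))
    return out


# Constructed sample register (assets, ratings and dates are invented for the example).
TODAY = date(2017, 8, 1)
REGISTER = [
    Risk("leased photocopiers", "ePHI left on hard drive when device is returned or sold",
         "medium", "high", "164.310(d)(2)(i) disposal", "required",
         [Safeguard("wipe hard drive before return or sale", 0.9)]),
    Risk("clinician smartphones", "lost or stolen device exposing ePHI",
         "medium", "high", "164.312(a)(2)(iv) encryption and decryption", "addressable",
         [Safeguard("device passcode required", 0.4), Safeguard("MDM remote wipe", 0.4)],
         alt_rationale="device encryption not affordable this cycle; passcode plus remote wipe as equivalent measures"),
    Risk("staff laptops", "lost or stolen device exposing ePHI",
         "high", "high", "164.312(a)(2)(iv) encryption and decryption", "addressable",
         [Safeguard("full-disk encryption", 0.9, implemented=False, target_date=date(2017, 6, 1))]),
    Risk("fax server spool", "unauthorized staff read queued faxes containing ePHI",
         "low", "high", "164.312(a)(1) access control", "required"),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:24} inherent={r.inherent()} residual={r.residual()}")
    for asset, msg in findings(REGISTER, TODAY):
        print(f"FINDING [{asset}]: {msg}")
```

Two design points worth noting. The smartphone row produces no finding even though the encryption specification is not implemented, because the compensating controls and the rationale are both recorded, which is exactly the credit Kenney says entities forget to give themselves. The laptop row produces three findings from a single slipped commitment: the addressable specification is unaddressed with no documented alternative, the promised date has passed, and the residual risk is unchanged from inherent, which mirrors the position an entity is in when OCR investigates a breach after a missed deadline.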
Sources
- Eric Dieterich, Partner, Sunera, Sunrise, FL. Telephone: (786) 390-1490.
- Kathleen D. Kenney, JD, Polsinelli, Chicago. Telephone: (312) 463-6380.
- Leah A. Voigt, JD, MPH, Chief Privacy and Research Integrity Officer, Spectrum Health, Grand Rapids, MI. Telephone: (616) 391-3998.