You’ve likely heard of a risk analysis. Hopefully, you’ve also performed one for your organization. Whether you’ve been helping your organization work on its HIPAA compliance for years, or you’re new to the world of HIPAA, performing a risk analysis should be a high-priority item on your business’s to-do list.
Let’s start with the basics. Covered Entities and Business Associates are responsible for complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. In order to protect electronic protected health information (ePHI), organizations must identify and implement administrative, physical, and technical safeguards.
The foundational element of the HIPAA Security Rule is the risk analysis, required to achieve compliance.
Let’s take a look at the requirement as outlined by the Department of Health and Human Services (HHS), who is responsible for regulating HIPAA compliance.
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
So, what exactly is a risk analysis? A risk analysis, also known as a risk assessment, is used to help your organization identify any areas within your organization that could affect the confidentiality, integrity, and availability of ePHI, or in other words, any areas that put protected health information (PHI) at risk.
Some important things to note:
There is no one-size-fits-all method for addressing the risk analysis requirement.
All organizations have unique characteristics and environments. The methodology for organizations may vary depending on their “size, complexity, and capabilities”, as stated by HHS.
There is no specified time period for performing a risk analysis.
As you can see outlined in the requirement above, the Security Rule does not say “you only need to perform one risk analysis”, and likewise, it doesn’t tell us that we need to perform three per year. So, how do we know when to perform one? Risk analysis should be an ongoing process. HIPAA Secure Now! recommends conducting a risk analysis on an annual basis as well as anytime the organization introduces new technology, changes practices, or suffers a security incident.
Once your organization has conducted a risk analysis, that doesn’t mean the work is done. The outcome of the analysis will show you where there are vulnerabilities in your organization that could pose a risk to ePHI – and then it’s up to your organization to fix them. HIPAA Secure Now! recommends working with a vendor who offers a remediation plan as part of your risk analysis, so your organization knows where to focus their efforts first – on the most critical risks. HIPAA Secure Now! offers a thorough risk analysis complete with a remediation plan that will help you determine which items to check off your list first.
Myth: A risk analysis is too expensive for my organization to perform.
Truth: While some third-party services offering risk analysis will charge you more than your organization deems affordable, that doesn’t mean there aren’t affordable solutions out there. As mentioned, HIPAA Secure Now! offers a thorough risk analysis complete with a remediation plan – at a price point at will fit your budget. HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA also offers a free Security Risk Assessment Tool (SRA Tool) to help you get started. If you choose to use the SRA Tool provided by OCR, note that it does not guarantee compliance, as stated in the disclaimer.
Myth: OCR does not enforce the risk analysis requirement.
Truth: OCR actively enforces the risk analysis requirement. In fact, as of November 25, 2019, 75% of resolution agreements announced by the OCR included a violation of failure to perform an enterprise-wide risk analysis or failure to perform a comprehensive risk analysis.
Myth: OCR won’t check on my organization’s compliance because we won’t suffer a security incident.
Truth: There are actually two problems with this myth.
1) No organization is safe from suffering a security incident. The healthcare industry is among the most highly targeted by cybercriminals, and no organization is out of the woods when it comes to falling victim to cybercrime.
2) OCR investigations can be triggered for reasons other than a security incident. Employee or patient complaints alone are enough to trigger an OCR investigation.
Addressing MACRA / MIPS
While the MACRA/MIPS program is not associated with HIPAA, their paths cross in many ways, one of them being the risk analysis.
At a high-level, MACRA (the Medicare Access and CHIP Reauthorization Act of 2015) was enacted to repeal the Sustainable Growth Rate formula and aims to reward physicians for providing higher quality care over the volume of care. This is done in two ways, through the Merit-based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (AAPMs).
While we won’t go too deep into MACRA/MIPS requirements, we want to hit on the requirement to perform a Security Risk Analysis (SRA).
Here’s what you should know as it relates to the SRA for 2019:
- If you cannot attest YES to performing a 2019 SRA, you will automatically lose 25 points and will be unable to move forward in the Promoting Interoperability category.
- This means failure to perform an SRA will start you off 25 behind, meaning you could lose money.
- The adjustment for 2021 is +/- 7%, which means providers can either see a positive reward or a significant negative effect on their revenue.
- Failure to perform the SRA ultimately means you are ineligible for the “Exceptional Performer’s” bonus on your 2021 Medicare reimbursements.
Failure to conduct a risk analysis
As you can see, there are many reasons for performing a risk analysis, also referred to as the security risk analysis/assessment.
Not only is a risk analysis a HIPAA requirement, but a necessity if you want to maximize your MIPS score.
If your compliance program were to go under review by the OCR, you absolutely must be able to prove that your organization has conducted a thorough, enterprise-wide risk analysis. Not only will you need to show that proof, but you’ll also need to show that you’ve taken the identified security gaps and implemented a plan to address them.
Furthermore, cybercrime is dominating the healthcare industry. A risk analysis is an important tool to identify security gaps that could be used by cybercriminals to get into your network and compromise your PHI and your sensitive company data.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.
HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.
The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on number of employees, for a full 12 months. All include a discount if purchased through us.
If your organization has more than 50 employees, or if you’d like to schedule a demo or you just want to get a couple questions answered, take a few seconds to complete this form and we will get back to you.