Understanding Risk Analysis Under HIPAA

Understanding risk analysis under HIPAA is crucial for providers. Overview: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets many rules and regulations that establish guidelines for healthcare providers (covered entities) to protect the integrity of personal health information (PHI). The HIPAA Security Rule specifically requires conducting a security risk analysis per 45 CFR 164.308(a)(1). Part of the risk analysis includes implementing updates as necessary and correcting identified vulnerabilities (or documenting why no action was taken to address a vulnerability).

Recently the healthcare industry has seen a renewed focus on having a risk assessment because the Omnibus Rule expanded the requirements of the Security Rule risk analysis to healthcare vendors that access personal health information (Business Associates). Additionally, many providers have a new interest in having a compliant risk assessment in order to achieve Meaningful Use and receive incentive funds. Many providers and vendors are under the false assumption that they have correctly conducted a risk assessment and are compliant with the regulations, but that is not always the case. The industry has seen recent evidence that many organizations are not meeting the risk analysis requirements.

Many organizations conduct their assessment, check it off their list, and falsely assume they met the requirements. They assume their assessment was thorough enough and that it met regulatory requirements, but that is often not the case. This is apparent from the recent random compliance audits spearheaded by the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR), and from the findings of security incidents and investigations, which show that many organizations have an inefficient risk analysis process. Commonly, organizations are not thorough enough, do not have the proper documentation, did not take action to mitigate identified risks, or have not revisited the risk analysis after a significant change to their security program.

These discrepancies and inefficiencies can lead to hefty financial penalties from OCR, as well as having to pay back Meaningful Use incentive dollars. Don't be one of the covered entities or business associates that falsely believes a risk assessment is inapplicable to it. If you have a risk analysis process in place, don't be one of the organizations that is investigated or randomly audited and caught without a proper risk assessment that meets regulatory requirements.

Your organization should understand the following:
Risk analysis requirements under the HIPAA Security Rule and Meaningful Use Stages 1 and 2
Who is required to have a risk assessment
The importance of risk analysis
Addressable specifications
Methodology when conducting a risk assessment
The NIST Risk Analysis
Documentation requirements

If your organization does not have these areas covered, it would be wise to bring in an outside expert to educate staff and assist in setting up the best risk analysis program.
