During the past few years, there has been a significant increase in the number of data breaches reported, including those related to hacking and criminal behavior by employees, even at organizations thought of as having world-class information security. In addition, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is re-invigorating its Health Insurance Portability and Accountability Act (HIPAA) compliance auditing and will include business associates of covered entities. HHS requires all healthcare entities, from small provider groups to large health systems, to continuously assess risks and vulnerabilities to their data and develop a plan for reducing the risk of a data breach. The regulations require all covered entities and their business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) they hold (45 C.F.R. 164.308(a)(1)(ii)(A)); to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (45 C.F.R. 164.308(a)(1)(ii)(B)); and to implement security measures to guard against unauthorized access to ePHI transmitted over an electronic network (45 C.F.R. 164.312(e)).

HIPAA risk assessments are a cornerstone of an effective HIPAA security program for properly securing ePHI. The risk assessment helps to identify what risks and vulnerabilities exist in the environment and to manage them effectively. Some of the most common pitfalls that can derail a HIPAA risk assessment include:
1. Relying too heavily on Sarbanes-Oxley (SOX) controls, Service Organization Controls (SOC) 1 reports, and/or financial statement audits.
While there will be some opportunities to leverage previously conducted risk assessments or audits to identify controls throughout an environment, SOX controls, SOC 1 reports, and financial statement audits are performed to assess and mitigate risks related to financial statements, not ePHI. When performing an effective HIPAA risk assessment, management should step back from existing assessments and make sure that they are appropriately focused on controls that secure ePHI. This typically means starting with a blank slate, then populating controls as needed once all of the ePHI has been properly identified. This point leads to pitfall number 2 …
2. Not identifying all of the ePHI within the organization.
Many risk assessments focus only on where ePHI is “supposed to be,” not on where it could be. It is important to look beyond where ePHI should be and to consider the other places it could be. Many organizations incorrectly assume that the risk assessments they performed as part of their Electronic Health Records (EHR) implementations cover all ePHI. Those assessments were generally focused narrowly on the EHR system and often did not take an organization-wide view of where ePHI may reside. A HIPAA risk assessment needs to look beyond the EHR to be effective. Thumb drives, local hard drives, email, mobile devices, fax machines, and copiers are often overlooked as places where ePHI could intentionally or unintentionally reside and be at risk.
