Covered entities and their business associates must conduct periodic HIPAA risk assessments (also known as a HIPAA risk analysis) under the HIPAA Security Rule and Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program.
Both HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead HIPAA enforcer, found that many organizations had failed to perform a security risk assessment. CMS, which administers and oversees the Meaningful Use program, embarked on its own audit program in 2013. Similarly, it found a lack of properly documented security risk analyses. Both government agencies carry significant enforcement sticks. OCR has the authority to impose civil monetary penalties for HIPAA violations. After paying several million dollars to an eligible hospital under Stage 1 Meaningful Use, CMS can demand its money back if the risk analysis is not up to snuff.
Thus, it is not wise to pursue a “minimum necessary” strategy or opt for a security risk analysis “lite.” During a December 2013 HIT Policy Committee meeting, OCR’s Sue McAndrew said that the agency would be focusing heavily on risk assessments during audits in 2014. OCR’s 2012-13 audit results found “risk assessment failures,” said McAndrew. “We wanted to bring those organizations into compliance and highlight the importance of risk assessments.”
Some covered entities were also surprised by the breadth and depth of CMS audits in regard to the security risk analysis details. In an article last fall in Fierce Health IT, Methodist Hospital recounted how it learned during the MU audit itself that vulnerability testing and an annual HIPAA risk assessment alone may not suffice. A senior executive commented: “One unexpected area of focus for us was that they dove pretty deeply into our HIPAA security risk assessment. We learned that the audit needs to specifically mention your EHR and your certified modules. They want proof the audits focus directly on your certified EHR technology and the version that you’re running.”
Redspin has provided HIPAA security risk analysis services to over 100 hospitals and many other covered entities and business associates. Our approach is comprehensive enough to pass muster with OCR and CMS, yet highly focused and efficient. We look at policies, procedures, and technical controls and identify gaps, weaknesses, and vulnerabilities. Naturally, we include your EHR system security in scope, as well as other critical applications that store, process, and transmit PHI.
We believe that the HIPAA security risk assessment process is an invaluable exercise for your organization. Not only is it mandatory for compliance under the HIPAA security rule and required for Meaningful Use, it also provides great return on investment. PHI data breaches are costly. Based on a recent EMC Global IT Trust Curve Survey, health IT executives estimate that security breaches cost an average of $810,189 per incident. More significant breaches can run into the millions of dollars.
In addition to lowering your risks, a comprehensive HIPAA security risk assessment can serve as a road map for your organization’s information security management program (also a HIPAA requirement). Remember, health IT security is not simply about compliance, nor even just about the privacy and confidentiality of PHI. Security is also about the high availability and data integrity of electronic medical records. The HIPAA security risk assessment can and should be used to cost-justify IT infrastructure upgrades, new software deployments, and increased IT security budgets.