Back to Basics: Focus on Risk Assessments for HIPAA Compliance
A recent HIPAA settlement shows that many practices still are not complying with the basics of the regulations. A gastroenterologist in Ogden, Utah, paid $100,000 to the US Office for Civil Rights (OCR) this spring after reporting a breach related to a business associate. When OCR investigated the complaint, they found that the doctor’s practice had never completed a risk assessment, and even with support from OCR, he did not sufficiently mitigate his risks. In an OCR statement, Roger Severino, the organization’s director, said not implementing HIPAA basics continues to be an “unacceptable and disturbing trend” in healthcare.
A risk assessment is the heart of a practice’s compliance plan. It tells a medical group what information should be protected, where it is held, and potential threats and vulnerabilities in their computer system.
Jen Stone, a Principal Security Analyst at SecurityMetrics Inc., of Orem, Utah, said she sees plenty of practices—most often small ones—that fail to perform risk assessments. More than 2 decades after HIPAA was enacted, solo and smaller practices regularly continue to be out of compliance. Regardless of the challenges a smaller group might have, a risk assessment is a baseline for any HIPAA program. The cost of this assessment is considerably less than an OCR fine. In addition, HIPAA compliance officers would follow the group closely for years.
There are many ways a practice can slip up. Carl Kunkleman, Senior Vice President and co-founder of ClearDATA of Austin, Texas, a company that provides HIPAA risks assessments and healthcare data security services, offered as an example a woman in her 70s who received a call from somebody at a tire store informing her that a printer was printing out receipts and her cholesterol records came out with them. It turns out the printer was formerly owned by her doctor, who did not erase the printer’s memory before getting rid of it. Scared, she called the clinic for an explanation.
“Your information is your lifeline,” Kunkleman said. “Statistics show that a doctor who loses PHI loses 40% of their practice, which would put most doctors out of business.”
Performing a risk assessment through a third-party can run around $5,000, according to Kunkleman. Not cheap, but less expensive than a $100,000 fine and remediation costs like an attorney or forensic investigator. A risk assessment requirement is also typically part of Medicaid funding initiatives like meaningful use and MIPS/MACRA (Merit-based Incentive Payment System/Medicare Access and CHIP Reauthorization Act).
Small practices tend to be lax on HIPAA compliance for a variety of reasons. For example, staff may be overworked or not have the knowledge to manage compliance. Perhaps practices believe they are too small to get the attention of OCR or malicious actors. But OCR fines even the smallest of medical groups. In addition, automation has changed the way hackers attack, Stone said. Much of hackers’ time is spent automating attacks that seek any systems with vulnerabilities, such as unpatched software flaws.
If organizations do not have the knowledge or resources to perform an in-house risk assessment, they need to choose the right external group to do it for them. Most commonly practices hire a local IT firm that says they can handle HIPAA compliance.
Even the IT firms know how to perform the required safeguards, doing so may not be in their contract, said Chris Apgar, CEO and president of Apgar & Associates.
“We find relatively often with smaller practices that have outsourced their IT to a managed services provider that they believe the MSP [managed service provider] does everything; but they don’t do it if it’s not in the contract,” he said.
There’s a risk analysis tool on OCR’s website meant specifically for smaller organizations. Stone warns, though, that no single person should tackle it on his or her own. An IT person will know where information is stored, but a nurse is going to know how it is used.
“No one has enough knowledge of how information is received or created or the business practices that cause it to move from one place to another,” Stone said. “If you start looking through the OCR tool and don’t know the answers, ask who would and make sure that person is part of the collaborative risk assessment team.”
Apgar said the process could take more than 20 hours to put together, assuming an organization has good information and templates. He also recommends involving providers. They should be educated on HIPAA and risk assessments, just like the rest of the team. Also, change like this is most successful when it comes from the top.
“You have to say, ‘This is important, and this is why we are doing this,’” Apgar said. “Staff need to know this is something that is important and it’s worth their time to pay attention and do seriously.”
If a practice has tried unsuccessfully to perform a risk assessment, it may be time to look outside for help. Kunkleman said a good option is to have an external group perform the first assessment and then work from it in the following years.
A benefit of using an outside vendor to perform a risk assessment is they can help a practice understand its most urgent vulnerabilities. They also know that mitigation must be reasonable and not overly burdensome for a practice. A group may have to get encryption for a couple of laptops that are higher risk or ensure doors are locked in a room where phi is stored.
Organizations typically prioritize the issues that put them at the highest risk. Then, if they have extra bandwidth, they can tackle the low-hanging fruit. OCR essentially wants to know a practice has performed a risk assessment and is making progress toward mitigation. A practice that makes strides – even small ones – will be more likely to avoid or reduce a settlement should an information breach occur.
“HIPAA compliance is a journey, not a destination,” Kunkleman said. “Showing you have a culture of compliance and that you are actively policing yourself takes you out of the fine book. A fine like $100,000 or more could break a practice.”