Risky Business: Why Providers Need A (Real) Security Risk Analysis

HIPAA compliance is a journey, not a destination. While that’s not exactly a new revelation, it bears repeating until it sinks in across the healthcare industry, including the businesses that serve them. The importance of HIPAA compliance is taking on even more importance with the imminent arrival of Meaningful Use (MU) Stage 3 and its ramped-up emphasis on securing patient health data. The number one requirement: perform a risk analysis of this data — also known as protected health information (PHI) — that conforms to HIPAA security and privacy standards.

Those tasked with applying this assessment to their PHI should avoid viewing it as a “once and we’re done” action item. HIPAA compliance is a continuous endeavor, despite some free or cheap services out there which contribute to the erroneous impression that it isn’t. The companies behind these services hand out lists of questions about PHI security, many of which healthcare systems/providers (and their business associates) don’t really know how to answer.

The Right Way To Conduct A Risk Analysis
Probably the most common lack of awareness centers on PHI inventory, including where it’s stored and who has access to it. Yet in the wake of an actual breach, the first question organizations will be asked is if they can provide a full accounting of their PHI. If they can’t, it’s a given they won’t be able to prove measures are in place to safeguard this data. Interaction with a data security professional on this topic is needed, but typically isn’t part of the cheap and fast checklist “solution.”

By contrast, a healthcare data security expert will zero in on the issue right away. Another tell-tale sign of such an expert: their IT infrastructure has achieved Common Security Framework (CSF) Certified status from the Health Information Trust Alliance.

One of the first points of discussion will concern the organization’s “book of evidence” — that is, the book of documentation that proves compliance with HIPAA’s 52 safeguard requirements surrounding PHI’s physical environment, such as the data center or building where it resides; the technology that secures and houses PHI; and administrative safeguards, such as password protections.

Not surprisingly, many organizations don’t have this book. But the question does help to launch productive discussion and exercises surrounding compliance with these safeguards. Further, by the end of the actual risk analysis — which can span numerous onsite visits and typically take about six weeks — organizations have this all important book of evidence in hand. In 2016, many are going to need it. The latest projections show that 10 percent of providers who attested for MU Stage 2 can expect to be audited.

On that note, what should organizations do if they receive notice of a HIPAA compliance audit from the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology? The first instinct may be to panic, quickly followed by a second instinct to pass this on to someone else in the organization to “look into.” There’s a better and third alternative — consult with an expert who is versed in both HIPAA compliance and remediation.

A Risk Remediation Plan In Hand
One of the most important advantages of getting a data risk analysis from a healthcare data security expert is that you can expect this same professional to create a remediation plan for any gaps and problems found during the initial assessment. This gives a clear idea of what needs to be fixed, how to fix it, and just as importantly, how to sustain the fixes. Incidentally, it also forms the basis of a new book of evidence of HIPAA compliance. Of course, true HIPAA compliance is never just something that is gained — but rather, a state of data security that must be rigorously maintained. That begins with a comprehensive assessment of the true level of risk.

About The Author
Carl Kunkleman is senior vice president and co-founder of ClearDATA, a healthcare exclusive provider of cloud computing, platform and information security services. He is a healthcare industry veteran with 25 years of experience in pharmaceuticals, diagnostic, medical software and healthcare professional services. He founded U.S. Healthcare Compliance, a best-in-class HIPAA security and privacy services company, which ClearDATA acquired in 2011.