9 Mandatory Components According To HHS
Short of being audited by HHS/OCR and finding out that your Chicago healthcare organization is in violation of HIPAA, the best way to determine whether you are compliant is to arrange for a HIPAA Risk Analysis by a qualified IT Service Provider who is experienced in HIPAA compliance and healthcare technology.
The HHS Security Standards Guide outlines nine mandatory components of a risk analysis that healthcare organizations, and healthcare-related organizations that store or transmit electronic protected health information (ePHI), must include in their documentation.
According to HHS:
“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”
What Does HHS Require For A HIPAA Risk Analysis?
1. The Scope of the Analysis
Any potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, wherever it lives: portable media, desktops, servers, and networks. Network security between multiple locations must also be included in the scope of the analysis, and may include aspects of your HIPAA hosting terms with a third party or business associate.
2. Data Collection
Where does the ePHI go? Locate every place the data is stored, received, maintained or transmitted. Again, if you're hosting health information at a HIPAA-compliant data center, you'll need to contact your hosting provider to document where and how your data is stored.
3. Identify and Document Potential Threats and Vulnerabilities
Identify and document any reasonably anticipated threats to ePHI, and any vulnerabilities that a threat could exploit to expose it. Anticipating potential HIPAA violations in advance lets your organization reach a resolution quickly and effectively when one occurs.
4. Assess Current Security Measures
What security measures are you currently taking to protect your data? From a technical perspective, this might include encryption, two-factor authentication, and the other security controls put in place by your organization and by your HIPAA hosting provider.
5. Determine the Likelihood of Threat Occurrence
Estimate the probability that each threat identified in #3 will actually exploit a vulnerability. Combined with the list of Potential Threats and Vulnerabilities, this gives you an estimate of how likely each ePHI breach scenario is.
6. Determine the Potential Impact of Threat Occurrence
Using either qualitative or quantitative methods, assess the maximum impact each threat could have on your organization. How many people could be affected? How much private data could be exposed: medical records alone, or health information and billing information combined?
7. Determine the Level of Risk
Combine the assigned likelihood and impact levels, typically by multiplying them or by reading them off a likelihood/impact matrix, to determine the level of risk for each threat and vulnerability pair. Each documented risk level should be accompanied by a list of the corrective actions that would be performed to mitigate that risk.
8. Finalize Documentation
Write everything up in an organized document. There is no specified format for this, but the analysis is required to be in writing. Make sure that every risk you've identified is documented and that a separate "Action Plan" for addressing those items is included. Your goal is now to address and correct all of those risk exposures as quickly as possible. Your next risk analysis should revisit those items and record how your organization fixed them.
9. Periodic Review and Updates to the Risk Analysis
It is important to conduct a risk analysis on a regular basis. HHS says that its guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement; rather, it clarifies the Department's expectations for organizations working to meet the requirement. You (along with your IT provider) should determine the most appropriate way to achieve HIPAA compliance, taking into account the characteristics of your organization and its environment.
How Often Should We Get A HIPAA Risk Analysis?
While the Security Rule doesn't set a required timeline, organizations are advised to conduct another risk analysis whenever they implement or plan to adopt a new technology or business operation. Any change in how you handle or store PHI should also trigger a new Risk Analysis. This could include switching your data storage from managed servers to cloud computing, or any change in ownership or turnover of key staff.
Will We Actually Get Caught If We Don’t?
If your data is breached, you will be found out: breaches of unsecured PHI must be reported to HHS, and the penalties levied against you scale with the number of individuals affected and the degree of culpability. Remember that anyone, including your patients, their families, disgruntled ex-employees or Business Associates, can report a perceived breach to HHS, which could trigger an investigation or audit.
If the HHS/OCR decides to do a surprise audit and learns that you haven’t been conducting a risk analysis, you could also be found in noncompliance. There’s no excuse for not knowing that you have an obligation to protect PHI.
The majority of fines fall under the "Willful Neglect" HIPAA violation category, where organizations knew, or should have known, that they had a responsibility to safeguard their patients' personal information. Many of the largest fines (including a $5.5 million fine that was the largest issued at the time) were imposed on organizations that failed to identify where risks to PHI existed.
Keep in mind that although HIPAA itself gives patients and their families no private right of action to sue a Covered Entity directly for a data breach, plaintiffs' lawyers are using HIPAA violations in civil court as evidence of a failure of due diligence in protecting their client's privacy, and are winning negligence lawsuits against healthcare practices on that basis.
How Much Does A HIPAA Risk Analysis Cost?
Prices vary. A HIPAA Risk Analysis typically costs around $2,500 for a small practice and upwards of $30,000 for larger healthcare organizations.
We are offering a Special Price of $1,495 for practices that have less than 25 computers.
We typically charge $200 a desktop, with a minimum of 10 desktops… so, this is a substantial discount.
Don't wait until HHS/OCR comes to perform an audit and finds that you're in noncompliance. It's important to schedule a regular HIPAA Risk Analysis to protect your healthcare organization.
Visit our Tech Insights for more information about a HIPAA Risk Analysis, cybersecurity and Healthcare IT.