During the COVID-19 pandemic, the Health and Human Services (HHS) Office for Civil Rights (OCR) relaxed its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) to allow providers to use consumer-grade video conferencing tools. But this temporary waiver doesn’t mean other HIPAA obligations are waived.
Healthcare organizations that violate HIPAA face steep penalties. If it’s a genuine mistake, the fine is $100 to $50,000 per violation, with a maximum penalty of $25,000 per year. If it’s something you knew about or should have known about, called a Tier 2 offense, each violation could cost you $1,000 to $50,000, up to a maximum of $100,000 per year. At Tier 4, you could be looking at $50,000 per violation, up to $1.5 million per year.
This is why, even when waivers are in place, a HIPAA risk assessment is so important.
Why a risk assessment is critical
HIPAA violations don’t just extend to slips that expose protected health information (PHI). One of the most common HIPAA violations is failing to conduct an adequate risk analysis. According to legal experts, this violation appeared in almost all of the settlements over $1 million that the OCR reached in a one-year period from 2017 to 2018.
One of the reasons this violation is so common could be due to confusion about what a HIPAA risk assessment is and how to conduct one. A risk assessment is a pretty involved process, and it’s not something that can be done in a few hours. It takes time and effort, but in the end, it gives you a full picture of where you stand and how you can mitigate potential risks.
What is a HIPAA risk assessment?
The HIPAA risk assessment is part of the HIPAA Security Rule. This rule sets out the security standards for HIPAA, both in the physical world and the virtual world. It applies to health insurance companies, healthcare providers, and any business associate, like a software vendor, that handles PHI.
In general, the Security Rule requires that these entities take all reasonable measures to keep PHI safe. That means protecting against any threat that can be anticipated, including the wrong people accessing PHI, as well as ensuring that employees comply with HIPAA.
When you conduct a HIPAA risk assessment, you’ll evaluate any threats to PHI, as well as the impact those threats have. You’ll also put into place appropriate security measures to mitigate those threats, like requiring employees to use strong passwords. Make sure you document these measures.
How to conduct a risk assessment
Healthcare organizations and other entities can start their HIPAA risk assessment using a tool developed jointly by the Office of the National Coordinator for Health Information Technology (ONC) and the OCR. The Security Risk Assessment (SRA) tool is downloadable software that guides organizations through the risk assessment process.
To use this tool, download it to your computer and follow the prompts. The data is stored only on your computer or tablet; it isn’t collected and sent to the cloud. No one but you and your IT team will see what your risks are.
After conducting your assessment with the SRA, you’ll receive a report that will help you identify the risks in your organization. This includes policy, processes, and technology risks that you may not be aware of so that you can resolve any issues.
Getting deep into IT infrastructure
Because so much hinges on technology these days, assessing your IT infrastructure — the software and hardware you use to store and transmit patient data — needs to be part of any HIPAA risk assessment. Look at anything you use in your physical location, as well as cloud services.
First, consider where PHI is stored. You’re not just looking at your electronic health record (EHR) and patient billing systems; you might be storing patient data in emails, spreadsheets, or other systems. Look at the past and current ways you’ve been using and storing PHI by reviewing projects, interviewing employees, and going through your documentation.
Next, look at where you’re vulnerable to threats. For example, you might not be updating your computer systems when patches come out. These patches often take care of security issues that hackers can use to gain entry into your system. You might also want to look at the passwords you and your staff are using to access the system. If they are too simple or things that could easily be guessed, this could expose PHI as well.
Also look at the likelihood of a threat coming to fruition and what the impact would be. A lot of organizations think, “No one will want our data! We’re just a little practice!” But that’s not the case; 53 percent of healthcare organizations have had a PHI breach in the past 12 months. If this happens to you, not only could you face fines, but you could also lose patients.
In addition, you need to document the HIPAA risk analysis you conduct and the steps you’re taking to protect patient information. There isn’t a specified format, but be as thorough as possible so that you can defend it.
Finally, periodically review and update your HIPAA risk analysis. This will ensure that you’re keeping up with potential threats that could be introduced by a new system or that you discover as you’re training employees.
The importance of a HIPAA risk assessment can’t be overstated. Without knowing your risks, you’re leaving yourself open to exposing PHI. In turn, that can lead to hefty fines from the OCR. But when you know your risk factors, you’re in a better position to mitigate them and stay HIPAA compliant.