Throughout the past month, we’ve received several questions regarding Information Risk Management in healthcare. These questions come from both HIPAA Covered Entities as well as Business Associates. Many of these organizations are hearing different things about the upcoming OCR Audits from various sources. We at Clearwater want to be a guide to help navigate the often complicated world of compliance, so we have rounded up some of the common questions below along with some guidance and resources.

Here are the top 5 facts you should know about Risk Management.

1. What’s the difference between risk analysis and risk management?

In a nutshell, risk analysis is a systematic, rigorous process that is undertaken to identify all the possible ways in which a compromise of the confidentiality, integrity or availability of any sensitive information (electronic Protected Health Information [ePHI], in our case) may be compromised.  The main deliverable from a risk analysis is risk register or risk rating report prioritizing these possible compromises.

Risk management uses the risk rating report as the basis for making informed decisions with respect to these risks.  As a practical matter, these decisions typically include choices such as accepting a risk, avoiding a risk, mitigating a risk and/or transferring a risk.  Risk management decisions should result in lowering inherent risks to levels of residual risk that are acceptable to the organization.

2. How often must an organization complete a risk analysis?

The HIPAA Security Rule does not state whether a risk analysis is required with a specific frequency.  Industry best practice, across all industries, is to conduct a risk analysis at least on an annual basis and at the time of any major organizational, operational or technological change in the organization.

 3. What exactly do the HIPAA Security Rule risk analysis and risk management implementation specifications require? What is the language?

45 C.F.R. §164.308(a) (1) (i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

  • Implementation specifications:
    • Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B)   Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

 4. Did HHS / OCR provide any additional clarification on the risk analysis and risk management requirements?

 Yes, HHS / OCR published a 9-­‐page PDF in July 2010 entitled “HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.  The guidance specifies none (9) essential requirements as follows:

  1. Scope of the Analysis -­‐ all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
  2. Data Collection -­‐ the data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a) (1) (ii) (A) and 164.316 (b) (1).)
  3. Identify and Document Potential Threats and Vulnerabilities -­‐ Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a) (2), 164.308(a) (1) (ii) (A) and 164.316(b) (1) (ii).)
  4. Assess Current Security Measures -­‐ Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b) (1), 164.308(a) (1) (ii) (A), and 164.316(b) (1).)
  5. Determine the Likelihood of Threat Occurrence -­‐ The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b) (2) (IV).)
  6. Determine the Potential Impact of Threat Occurrence -­‐ The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b) (2) (IV).)
  7. Determine the Level of Risk -­‐ the level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a) (2), 164.308(a) (1) (ii) (A), and 164.316(b) (1).)
  8. Finalize Documentation -­‐ The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b) (1).)
  9. Periodic Review and Updates to the Risk Assessment -­‐ the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)

5. How does HHS / OCR enforce compliance with the HIPAA Security Rule risk analysis and risk management implementation specifications?

The HITECH Act  mandated increased enforcement of all HIPAA regulations.  The increased enforcement includes, but is not limited to:

  1. Mandated audits -­‐ 2012, which began in pilot form in 2012 (115 Covered Entities were audited; 68% had adverse findings related to risk analysis)
  2. Increased Investigations, with focus on risk analysis and risk management. Following is a sample of language from a recent OCR Investigation Letter “Initial Data Request”:

“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by copy XYZ Hospital within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(l)(ii)(A). If no risk analysis has been performed, please state so.”

  1. SAG provided jurisdiction by The HITECH Act, with several civil suits already filed on behalf of their state’s citizens
  2. Mandated audits – 2015, HHS/OCR has announced that 350 Covered Entities and 50 Business Associates will be audited in the next wave expected to commence in January 2015. HHS / OCR has announced that the audit focus for the HIPAA Security Rule in this next wave will be risk analysis and risk management.

If you or your organization is  looking for assistance in establishing, and maturing your Risk Management program, Clearwater can help!

Since the HIPAA Security Rule is based on the NIST Security Framework and the HHS / OCR “HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule” refers heavily to the NIST Security Framework, we encourage organizations to study the compendium of NIST Special Publications  that comprise this framework.

Clearwater Compliance provides a full suite of resources and solutions to assist Covered Entities and Business Associates of all sizes establish, operationalize and mature their risk management program.  These resources and solutions include, but are not limited to:

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.

 

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.