Does your organization perform routine HIPAA Security Risk Analyses? If so, are they adequate? Most healthcare organizations perform some form of routine risk analysis, but many of those analyses do not meet every requirement of the HIPAA Security Rule. Following the “spirit” of the law while failing to follow the “letter” of it can have serious consequences, including fines, negative publicity, OCR audits, and OCR corrective action plans.
The HIPAA Security Rule treats the risk analysis as the foundation of security compliance. The Rule does not require a specific risk analysis methodology, but it does require the analysis to be accurate and thorough and to cover the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that an organization creates, receives, maintains, or transmits, in every form of electronic media.
The Rule itself does not prescribe the steps, but OCR’s guidance on the risk analysis requirement identifies elements that any acceptable methodology must include:
- Identification and documentation of “reasonably anticipated” threats and vulnerabilities
- Assessment of current security measures
- Assessment of likelihood of threat occurrence
- Assessment of threat impact
- Determination of risk level
- Final assessment documentation
- Periodic review and update
From that analysis, organizations should maintain an active risk management plan that addresses every physical, technical, and administrative vulnerability the analysis identified. The plan should clearly state each remediation item, the corrective strategy, the resources and owner assigned, and the projected completion date.
The overall program should include policies and procedures to prevent, detect, contain, and correct security violations. It is also important to keep evidence that remediation items are acted on regularly and that reasonable progress is being made relative to the organization’s resources. Keep in mind that an open remediation item is still an unaddressed risk and a potential violation, so outstanding issues should be resolved as quickly as possible.
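The elements listed above (threat and vulnerability identification, assessment of current controls, likelihood, impact, risk level, and periodic review) plus the remediation plan map naturally onto a risk register. The following is an added example, not code from the original article or any OCR tool, of a minimal register that derives a risk level, tracks remediation items against their projected completion dates, and flags overdue items and an overdue review. The 3-point likelihood and impact scales, the level thresholds, the 365-day review interval and the sample entries are all assumptions made for illustration; the Security Rule prescribes none of them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


def risk_level(likelihood: int, impact: int) -> str:
    """Derive a qualitative risk level from 1..3 likelihood and impact ratings.
    The scale and thresholds are an assumption of this example, not a Rule requirement."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be rated 1..3")
    score = likelihood * impact  # 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RemediationItem:
    action: str
    owner: str            # resource assignment
    due: date             # projected completion date
    completed: Optional[date] = None


@dataclass
class Risk:
    risk_id: str
    ephi_location: str    # system, medium or transmission path holding the ePHI
    threat: str           # reasonably anticipated threat
    vulnerability: str
    current_controls: str  # assessment of existing security measures
    likelihood: int
    impact: int
    remediation: List[RemediationItem] = field(default_factory=list)

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def open_items(register: List[Risk], as_of: date) -> List[Tuple[str, RemediationItem]]:
    """Remediation items not completed as of a date; each is still an unaddressed risk."""
    return [(r.risk_id, item) for r in register for item in r.remediation
            if item.completed is None or item.completed > as_of]


def overdue_items(register: List[Risk], as_of: date) -> List[Tuple[str, RemediationItem]]:
    """Open items whose projected completion date has already passed."""
    return [(rid, item) for rid, item in open_items(register, as_of) if item.due < as_of]


def review_is_due(last_review: date, as_of: date, interval_days: int = 365) -> bool:
    """Periodic review check. The Rule says 'periodic' without fixing an interval;
    365 days is an assumed policy value."""
    return as_of - last_review >= timedelta(days=interval_days)


def build_sample_register() -> List[Risk]:
    """Constructed sample entries for demonstration only; not from any real assessment."""
    return [
        Risk("R-001", "EHR database server", "credential theft", "no MFA on remote access",
             "password policy only", likelihood=3, impact=3,
             remediation=[RemediationItem("enforce MFA for remote EHR access", "IT security",
                                          date(2024, 3, 31))]),
        Risk("R-002", "clinician laptops", "device loss or theft", "disk not encrypted on 12 devices",
             "asset inventory, cable locks", likelihood=2, impact=3,
             remediation=[RemediationItem("enable full-disk encryption", "Desktop team",
                                          date(2024, 2, 15), completed=date(2024, 2, 10))]),
        Risk("R-003", "backup tapes in offsite storage", "unauthorized physical access",
             "vault access log not reviewed", "locked vault, vendor contract",
             likelihood=1, impact=2,
             remediation=[RemediationItem("quarterly review of vault access logs", "Compliance",
                                          date(2024, 6, 30))]),
    ]


def status_summary(register: List[Risk], as_of: date) -> dict:
    """Counts a reviewer or auditor would want at a glance."""
    return {
        "by_level": {lvl: sum(1 for r in register if r.level == lvl)
                     for lvl in ("high", "medium", "low")},
        "open": len(open_items(register, as_of)),
        "overdue": len(overdue_items(register, as_of)),
    }


if __name__ == "__main__":
    today = date(2024, 4, 15)
    reg = build_sample_register()
    for r in reg:
        print(f"{r.risk_id} [{r.level}] {r.threat} -> {r.ephi_location}")
    for rid, item in overdue_items(reg, today):
        print(f"OVERDUE {rid}: {item.action} (owner {item.owner}, due {item.due})")
    print(status_summary(reg, today))
    print("analysis review due:", review_is_due(date(2023, 3, 1), today))
```

Each entry carries the fields the analysis must document (where the ePHI is, the threat and vulnerability, the controls already in place, the likelihood and impact ratings and the derived level), and the remediation list gives the owner and date evidence that progress is being made. Run against the sample data on 2024-04-15, R-001 is high risk with an overdue MFA action, R-002 is closed, and R-003 is open but not yet due.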
Don’t underestimate the complexity of HIPAA compliance. Changing regulations, new vulnerabilities, new technologies, and changes in business processes all make it hard to stay ahead of emerging threats. To confirm that your organization has the appropriate administrative, physical, and technical safeguards in place, consider engaging a compliance partner to help navigate the process. A partner can design an approach tailored to your organization’s specific regulatory requirements and state statutes. Compliance with the Security Rule can prevent costly fines, lawsuits, and public relations headaches.