By Richard Bailey, lead IT strategist, Atlantic.Net.
covered entity and a business associate. It is a HIPAA requirement created to ensure that all HIPAA compliance risks (administrative, physical, and technical) are identified, and that a roadmap is designed to plan the fixes necessary to resolve the issues found.
The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.
HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines CEs as healthcare providers such as doctors, dentists, nursing homes, and pharmacies; health plans such as health insurance companies, HMOs, Medicare, and Medicaid; and healthcare clearinghouses.
A business associate is any third-party business or organization that handles individually identifiable health data on behalf of a covered entity. For both parties, the risk assessment is usually considered the starting point for achieving HIPAA compliance.
What is a risk assessment?
A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify the areas within the business that process, store, and transmit protected health information (PHI) and are therefore in scope for HIPAA compliance.
PHI is the patient data that the law is meant to safeguard: any data that can be used to identify an individual personally. Examples include patient names, email addresses, social security numbers, insurance certificates, and so on.
Areas of risk are highlighted, and a roadmap is created for the CE to become HIPAA compliant. Most risk assessments follow the NIST Cybersecurity Framework, which is a straightforward but highly productive process built around five core functions: Identify, Protect, Detect, Respond, and Recover. The OCR takes this further with its nine essential elements of risk analysis, but either framework covers similar topics.
Why is a HIPAA Risk Assessment So Important?
An organization-wide risk analysis and assessment is a mandatory part of a HIPAA audit. If you are unable to provide evidence of a valid risk assessment, the business will fail the audit and will likely be fined by the Office for Civil Rights (OCR). It is mandatory because it identifies the areas within the business where PHI might be at risk, as well as the threats you are most likely to face.
The fines vary from business to business, and because all breaches of HIPAA compliance must be made public, non-compliance can damage reputation, profitability, and patient trust. Violations range across the HIPAA penalty categories from “Did Not Know” to “Willful Neglect”.
The risk assessment brings some definitive advantages. First, it creates a baseline of PHI data collection: it identifies what PHI is processed, stored, and transmitted, as well as the risks or hazards to the confidentiality, integrity, and availability of that PHI.
The baseline helps identify the threats you face with your current technical solution, the protective measures already in place, and the areas that need to be improved. Because this process must be documented, it creates a reference point for identifying PHI and recording any potential threats and vulnerabilities to data integrity.
It directly relates to the required HIPAA administrative, physical, and technical safeguards. Comparisons are made between the safeguards already in place and the safeguards the legislation expects. These comparisons might cover user authentication, access control, data and network encryption techniques, and so on.
The aim of the risk assessment is to determine how likely it is that the covered entity's protected health information could be breached in its current configuration. This means understanding which services are weak against the common threat vectors used by hacking groups, the impact a successful breach would have, and, from these, the overall level of risk.
No organization has a perfect risk assessment; there is always room for improvement. The risk assessment is designed to be an evolving document that is updated as the recommended actions are completed within the agreed timeframes.
After the initial risk assessment is complete and the roadmap has been designed, the covered entity and business associate must work together to remediate all of the issues identified within a stipulated time frame. This is not optional; it must be completed to achieve compliance. This is one of the main reasons why covered entities often choose to outsource the technical solutions to a HIPAA-compliant hosting partner.
The Final Omnibus Rule firmly puts the responsibility with the business associate (the hosting partner) to complete the risk assessment actions. The good news is that a reputable hosting provider will already have a compliant infrastructure that can be leveraged.
This satisfies the technical safeguards and many of the physical safeguard requirements of HIPAA, leaving the much more manageable administrative requirements to be assessed by the covered entity.