The Health Insurance Portability and Accountability Act’s Security Rule sets forth standards, implementation specifications, and requirements for the security of electronic protected health information (“ePHI”) by covered entities and business associates.1 Perhaps one of the most confounding required implementation specifications within the Security Rule is the risk analysis. In addition to being expressly required under the HIPAA Security Rule, a risk analysis is also a requirement for eligible professionals and hospitals to satisfy meaningful use of electronic health record (“EHR”) requirements under both Stage 1 and Stage 2 of the EHR meaningful use incentive program.2 The Office of the National Coordinator for Health Information Technology (“ONC”) recently released an updated tool to assist providers in performing their risk assessments. This article explains the risk analysis requirement under HIPAA and analyzes both benefits and potential weaknesses of ONC’s new tool.
HIPAA’s risk analysis provision requires covered entities and business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [their] electronic protected health information.”3 Vulnerabilities are “flaw[s] or weakness[es] in system security procedures, design, implementation, or internal controls that could be exercised…and result in a security breach.”4 Weaknesses may be non-technical, such as failing to implement effective policies, or technical, such as insufficient information security configurations. Where there are vulnerabilities to ePHI, there are threats – opportunities to trigger or exploit the flaw or weakness. Analyzing risks to ePHI involves identifying vulnerabilities, threats, and the likelihood that identified threats may exploit the vulnerabilities.
The scope of this identification and assessment of vulnerabilities and threats extends to ePHI created, received, maintained, or transmitted in any form or medium. ePHI may be located on any hard drive, CD, DVD, laptop, workstation computer, USB drive, floppy disk, memory card, server, or any other electronic media. After identifying locations of ePHI, an organization needs to determine what threats and vulnerabilities exist, the relative likelihood a security incident will occur, and corresponding criticality of an incident related to the organization’s weaknesses. During this analysis of risks, organizations should inventory and record measures they already have in place to protect against identified threats and vulnerabilities. The output will help the organization identify where the greatest risks to the confidentiality, integrity, and availability of ePHI remain.
Common Misperceptions of the requirement
The plain text of the risk analysis requirement within the Security Rule leaves much room for confusion and misperception. Certain myths have circulated throughout the industry, creating risks for covered entities and their business associates’ HIPAA compliance programs and consequently to the protection of ePHI.
- Risk Analyses Are Not Optional. Risk analysis is a required implementation specification for the security management standard within the HIPAA Security Rule. Any implementation specification indicated as “required” must be implemented by covered entities and business associates.5 One of the Office for Civil Rights’ (“OCR”) primary findings from its 2011-2012 HIPAA audit pilot program was failure of audited entities to complete a thorough and accurate risk assessment.6
- Merely Implementing Security Measures Does Not Satisfy the Risk Analysis Requirement. Adopting general administrative, physical, and technical safeguards is required by HIPAA. Promulgating safeguards, however, are HIPAA requirements that are separate and distinct from the risk analysis. The risk analysis considers the effectiveness of safeguards a provider has selected, allows the provider to detect gaps between HIPAA requirements and current processes, and aids in the identification of remaining vulnerabilities the provider can continue to improve upon.
- Completing A Checklist Alone Is Likely Insufficient. While checklists can help inventory HIPAA’s security requirements and aid in the identification of locations of ePHI or other components of the risk assessment, checklists alone will most likely fall short of explaining threats and vulnerabilities to ePHI and documenting an organization’s existing security measures. Checklists frequently fail to meet the risk analysis requirement because they are too prescriptive, require only yes or no responses, and do not detail with specificity the array of safeguards selected by a provider unique to that organization and evaluate risks specific to the provider’s unique security environment.
- Even Entities Without EHRs Must Conduct a Risk Analysis. Any individual or organization that is a covered entity or business associate under HIPAA must conduct a risk analysis. A law firm that occasionally assists healthcare providers in performing healthcare operations through use of ePHI, for example, must conduct a risk analysis even though the organization does not use an EHR for the ePHI it receives, maintains, or uses.7
- Risk Analyses Must be Performed Periodically. A common misconception is that once a risk analysis has been conducted, an organization has satisfied the requirement under HIPAA and need not perform the assessment again. In reality, risk analyses should be conducted periodically at a frequency based on factors such as changes in technology being utilized, staff turnover, and change in ownership, for example.8 The OCR, which enforces HIPAA, has indicated that a risk analysis should be conducted at least when an EHR is implemented, and annually thereafter.9 Covered entities attesting to meaningful use must be aware that a risk analysis must be performed for each reporting period they attest under, no later than the last day of the reporting period.10
ONC’s New Risk Assessment Tool
The release of ONC’s updated risk assessment tool in March 2014 improves upon previous tools made available by ONC and by the National Institute of Standards and Technology through use of a new, user-friendly self-contained application walking users through the Security Rule and prompting the user for responses to facilitate the administration and documentation of a risk analysis.11 The timing of the tool’s release, following OCR’s initial round of pilot HIPAA audits finding substantial deficiencies among providers in satisfying the Security Rule’s risk analysis requirement but preceding the next round of audits of covered entities under the permanent audit program, may be indicative of OCR’s focus on providers’ compliance with the risk analysis requirement.12 The new tool also follows a landmark settlement between a covered entity and OCR in 2013, marking the first settlement involving fewer than 500 patients for “potential violations” where the OCR specifically noted during its investigation of the entity the provider “had not conducted a risk analysis”.13
Analyzing the Assessment Tool
ONC’s new Risk Assessment Tool is designed for small to medium-sized entities. Once the tool is downloaded, entities can identify users who will be inputting data into the tool, document their organization’s contact information, identify business associates, and inventory its assets which may create, receive, maintain, or transmit ePHI. Identification of business associates and asset inventory is particularly helpful as a preliminary step to completing the assessment so organizations can be mindful of where its ePHI may be located which requires careful consideration during the analysis.
The tool walks users through each Security Rule standard and implementation specification, prompting the user to indicate if his/her organization has addressed the particular security provision. Organizations should be mindful, however, that simply marking yes or no to each question will be insufficient to satisfy the risk analysis requirement under HIPAA because the provider must explain affirmative responses by noting how it has addressed the requirement or, alternatively, describing why it has not addressed a particular measure. Next to the language of the standard are helpful reminders organizations should remember to consider, such as important definitions, examples of related threats and vulnerabilities, and examples of safeguards the organization may consider adopting in response to the security provision. Organizations should then narratively describe their current activities and measures in place to address the requirement.
Benefits of the Tool
The Risk Assessment Tool has operational benefits in addition to providing assistance with performing and documenting a security risk assessment. The application may, for example, serve as a good resource for an inventory of the organization’s business associates and subcontractors and their contact information. The tool’s preliminary asset inventory also permits an entity to designate an individual or department who is responsible for each asset which may create, receive, maintain or transmit ePHI within the organization.
Once completed, the entity can view its responses to each security provision. A chart view enables the organization to identify low, medium, and high-ranked threats by category – administrative, physical, or technical. Finally, the entire analysis can be exported to .pdf in a user-friendly, readable format displaying the date of the report which may aid in the production of the risk analysis to OCR upon an investigation or to The Centers for Medicare & Medicaid Services (“CMS”) in the event of an audit of a covered entity’s meaningful use attestation. The application is currently available in both a Windows desktop and iPad version available for free download. All data documented in the application is stored locally; none of the information is transmitted to the OCR or otherwise collected or published by the government.
Shortfalls of the Risk Assessment Tool
The quality of an organization’s risk analysis using the tool is, of course, only as good as the data being entered. If a covered entity or business associate does not identify all locations of ePHI, does not document its current activities, or does not indicate the likelihood of risks manifesting and the related impact of possible security incidents, the organization’s risk analysis will likely fall short of HIPAA’s requirements. Providers should understand the tool, in and of itself, will not necessarily result in a presumption of compliance with the Security Rule, nor with the risk analysis requirement.14 ONC also warns providers of other limitations of the tool. While an organization can designate multiple users within the application, only one user can be in the tool at a time. Additionally, the application is not currently available in a MAC-compatible format. In response to concerns the tool is only designed for small to medium providers, OCR notes the National Institute for Standards and Technology offers a HIPAA Security Rule Toolkit – a free, more robust, publicly available tool to respond to the needs of larger providers.15 Further, the tool is not a comprehensive HIPAA compliance instrument; it does not cover HIPAA Privacy Rule requirements.
Another important shortfall for entities and business associates to be aware of is the documentation of addressable and required implementation specifications. Even when a security specification is required, the organization may indicate it has not implemented the measure. Organizations should be aware that such a response to a required specification or standard should trigger affirmative action to determine the most appropriate way to implement the measure.16 Further, when indicating an addressable specification has not been implemented, organizations should be aware of their obligation under HIPAA to document why it is not reasonable or appropriate for them to have implemented the specification. If a specification is addressable, the entity should determine if it would be reasonable and appropriate to adopt the specification given the organization’s resources, relative cost of the measure compared to its resulting contribution to the security of ePHI, and other capabilities or limitations of the organization. If the entity determines it cannot reasonably and appropriately implement the addressable specification, it should implement any reasonable alternative and document why it could not comply fully with the specification. The Risk Analysis Tool provides fields where users can indicate the primary reason they cannot comply with an addressable specification.
Finally, the tool does not walk users through an analysis of threats and vulnerabilities related to each measure. It does suggest common threats and vulnerabilities as notes to each security measure, but to fully satisfy the documentation requirement that OCR has instructed providers include, threats and vulnerabilities should be evaluated and recorded with specificity in connection with the provider’s existing measures and the gaps they may leave to information security.
ONC’s updated risk assessment tool is user-friendly and an excellent resource to ensure that an organization addresses all security standards. However, entities must understand the thorough documentation that must accompany its data selection fields in order to fully and properly comply with HIPAA’s security risk analysis requirement.
See 45 C.F.R. § 164.302 et. seq.
75 Fed. Reg. 44314, 44369 (July 28, 2010) (identifying a security risk analysis according to 45 C.F.R. § 164.308(a)(1) as a Stage 1 meaningful use requirement for both eligible professionals and eligible hospitals); 77 Fed. Reg. 53968, 54003 (Sept. 4, 2012) (requiring a security risk assessment under Stage 2 of meaningful use). The meaningful use incentive program was created by the HITECH Act in 2009.
45 C.F.R. § 164.306(a)(1)(ii)(A).
Gary Stoneburner et al., Risk Management Guide for Information Technology Systems, Department of Commerce’s National Institute of Standards and Technology Special Publication 800-30 (July 2002).
45 C.F.R. § 164.306(d)(1)-(2).
Sanches, Linda. "2012 HIPAA Privacy and Security Audits." National Institute of Standards and Technology, (June 7, 2012), available at http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf.
45 C.F.R. § 164.306(c)-(d), 45 C.F.R. § 164.308(a)(1)(ii)(A), See 45 C.F.R. § 160.103 (defining business associate as including persons who perform legal services on behalf of covered entities involving use or disclosure of protected health information).
Office for Civil Rights Security Risk Analysis Guidance (July 14, 2010).
See Top 10 Myths of Security Risk Analysis, Office of the National Coordinator for Health Information Technology (April 21, 2014), available at http://healthit.gov/providers-professionals/top-10-myths-security-risk-analysis.
75 Fed. Reg. 44314, 44369 (July 28, 2010) (explaining “[eligible professionals] and eligible hospitals conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period. The testing could occur prior to the beginning of the EHR reporting period.”); See generally Top 10 Myths of Security Risk Analysis, Office of the National Coordinator for Health Information Technology, available at http://healthit.gov/providers-professionals/top-10-myths-security-risk-analysis.
“HIT Security Risk Assessment Tool”, ONC Health Information Technology Resource Center. (October 21, 2011) available at www.healthit.gov/sites/default/files/tools/hit_security_risk_assessment_tool_v1.0_revised-1_0.xlsm, “HIPAA Security Rule Toolkit”, National Institute of Standards and Technology (November 21, 2011) available at http://scap.nist.gov/hipaa/.
See 42 U.S.C. § 17940 (requiring the Secretary provide periodic audits of covered entities and business associates subject to HIPAA), 79 Fed. Reg. 10158, 10158-10159 (February 24, 2014) (notification from Department of Health and Human Services the Office for Civil Rights plans to conduct HIPAA audits of 1,200 covered entities and business associates).
|13||Department of Health and Human Services. (January 2, 2013) HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients [Press Release]. Retrieved from http://www.hhs.gov/news/press/2013pres/01/20130102a.html.|
Office for Civil Rights Security Risk Analysis Guidance (July 14, 2010).
“HIPAA Security Rule Toolkit”, National Institute of Standards and Technology (November 21, 2011) available at http://scap.nist.gov/hipaa/.
45 C.F.R. § 164.306(d)(3) (requiring covered entities and business associates to implement the addressable specification if reasonable or document why it would not be reasonable to implement the measure and implement a reasonable, equivalent alternative measure).