The healthcare industry lives and breathes one golden rule: HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act, came into effect in 1996 as a federal statute.
HIPAA is a federal law containing national standards to protect sensitive private health information from being disclosed without the patient’s knowledge or consent.
To be compliant with HIPAA, covered entities and business associates must conduct risk analysis and implement risk management so they can show they are taking preventative measures to maintain the privacy and security of protected health information (PHI).
However, due to the complexity of the official statutes, many people are left confused about exactly what they should be doing.
Handling protected health information is a serious matter, and no one wants to violate HIPAA. To get a good grasp of what you need to do in order to stay compliant, you have to gain a full understanding of HIPAA risk management.
Thorough risk analysis is the cornerstone of HIPAA compliance, according to the U.S. Department of Health and Human Services (HHS), which enforces HIPAA. An organization's risk analysis will be the first thing evaluated by regulators investigating a complaint or a major breach. Get it right before an investigation happens and rest easier knowing you've done as much as you could.
Neither risk analysis nor risk management is of any use without the other. They are interdependent and interconnected. HIPAA risk management cannot exist without HIPAA risk analysis, and risk analysis is not actionable unless it is used by risk management. HIPAA requires both to be used together.
HIPAA risk analysis is the methodical, step-by-step process required of covered entities and business associates to identify and understand risks to the privacy and security of PHI, gaps in their HIPAA compliance, and the nature and seriousness of those risks and gaps.
HIPAA requires that all PHI be protected, whether it's on paper or in electronic format. Electronic PHI is sometimes referred to as ePHI.
Though some organizations are under the impression that one risk analysis is enough, they are mistaken. Best practices require risk analysis at least once a year to permit occasional modifications needed as circumstances change. It is also advisable to conduct a risk analysis in response to a move, opening a new location, a major data breach or a series of small breaches.
Security Risk Assessment is Included
Risk assessment is a term commonly used to refer to the risk analysis required by the HIPAA Security Rule. Basically, it refers to the assessment of risks and vulnerabilities of electronic protected health information, or ePHI. A complete HIPAA risk analysis done properly will include a security risk assessment.
IT staff and security experts are essential partners in strong HIPAA compliance. They are on the front lines keeping IT systems secure and protecting electronic data of all kinds, including patient information.
According to HHS, the National Institute of Standards and Technology (NIST) procedures for assessing and managing risks to electronic data set the industry standard for good business practices. Therefore, The HIPAA E-Tool® uses the NIST procedures and terminology from its SP 800 series of Computer Security Publications. However, the E-Tool explains the procedures in plain language and organizes them in step-by-step interactive forms that can be used easily by people who are not IT specialists or security experts.
As you may have noticed, the HIPAA rules do not spell out specific steps for the risk analysis. Because of this, everyone generally follows the same steps, but with slight variations. Those variations, along with human error, sometimes cause gaps in the risk analysis that can be devastating to the privacy and security of PHI.
Being concerned about your organization’s compliance with HIPAA is a good thing. You are absolutely right to regard compliance as a pressing concern, since failing to meet HIPAA standards can cause a loss of critical patient information, create electronic health record (EHR) downtime, and damage your reputation.
Worse, legal problems are also on the table depending on the level of negligence. HHS can impose civil penalties for non-compliance, but states can also sue organizations for failing to follow HIPAA or state privacy laws. Another risk is the rise in private lawsuits by patients whose data is breached, who claim healthcare organizations have been negligent in the way they protect and secure their data. Although HIPAA does not give patients a right to sue, creative lawyers use state laws, negligence law and contract law to make their claims. They will hold up HIPAA as a standard of care: if an organization did not follow HIPAA, that is evidence it may have been negligent.
With the right guidance though, there are easy ways to improve your compliance with a HIPAA risk analysis.
A Risk Analysis is an inventory of locations and risks to protected health information.
• The inventory must include both electronic and non-electronic information
• It must include every location
• Do it once a year
Risk Management is a plan to reduce the risks you identify. It does not require perfection, or budget-breaking changes.
• Put in place “Administrative, Technical, and Physical Safeguards” to protect PHI
• Reduce risks to a reasonable and appropriate level
• Work on it throughout the year
Risk analysis uncovers risks (once a year) and risk management helps you reduce risks (throughout the year). Risk analysis will occur first, and the HIPAA risk management plan will flow from the findings in the risk analysis.
Just by searching the internet, you can find the core steps to conducting risk analysis. The first is always detailing the organization’s PHI. If you want to seriously protect PHI, then you need to know all of its locations, every channel it has passed through and the identities of all staff and third-party vendors who have access to it.
Next, you analyze your current security measures and assess the level of risk posed by the threats you uncovered. With that, the risk analysis is complete.
The risk management plan includes assigning responsibilities to staff to improve security measures, following up to make sure the actions are completed, and documenting everything you do.
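The steps above (inventory every PHI location in both paper and electronic form, record the threat and the safeguard currently in place, rate the risk, then assign each action step to a named owner and follow up) can be captured in a small risk register. The following is an added example written for this article; it is not code from The HIPAA E-Tool® or from HHS. The 1-3 likelihood and impact scale and the rating thresholds are an assumption in the spirit of NIST SP 800-30, and the locations, threats, owners and dates are constructed sample data.

```python
"""Minimal HIPAA-style risk register: inventory -> rating -> management plan.
Added example, not from The HIPAA E-Tool(R) or HHS; scale and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordinal scale for likelihood and impact. The 1-3 scale and the rating
# thresholds in Risk.rating() are an assumption chosen for illustration.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    """One line of the risk analysis inventory."""
    location: str            # where the PHI lives, e.g. "EHR server", "file room"
    form: str                # "electronic" or "paper"
    threat: str              # what could go wrong
    current_safeguard: str   # what is in place today
    likelihood: str          # low / moderate / high
    impact: str              # low / moderate / high

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"


@dataclass
class ActionStep:
    """One line of the risk management plan."""
    risk: Risk
    action: str
    owner: str
    due: date
    completed: Optional[date] = None


def inventory_gaps(risks, known_locations):
    """Check the inventory against the article's two rules: every known
    location is covered, and both electronic and paper PHI appear."""
    gaps = []
    covered = {r.location for r in risks}
    for loc in known_locations:
        if loc not in covered:
            gaps.append(f"no risks recorded for location: {loc}")
    forms = {r.form for r in risks}
    for form in ("electronic", "paper"):
        if form not in forms:
            gaps.append(f"inventory contains no {form} PHI")
    return gaps


def build_plan(risks, assignments):
    """Turn rated risks into a plan. Every moderate or high risk needs an
    owner and an action; low risks are recorded as accepted; anything
    moderate or high without an assignment is reported, not silently dropped."""
    plan, accepted, unassigned = [], [], []
    for r in risks:
        if r.rating() == "low":
            accepted.append(r)
            continue
        a = assignments.get(r.threat)
        if a is None:
            unassigned.append(r)
            continue
        plan.append(ActionStep(r, a["action"], a["owner"], a["due"]))
    return plan, accepted, unassigned


def overdue(plan, today):
    """Follow-up check: open action steps that are past their due date."""
    return [s for s in plan if s.completed is None and s.due < today]


# Constructed sample inventory (illustrative, not from a real organization).
SAMPLE_LOCATIONS = ["EHR server", "billing laptop", "file room"]
SAMPLE_RISKS = [
    Risk("EHR server", "electronic", "ransomware", "AV only, no offline backup", "moderate", "high"),
    Risk("billing laptop", "electronic", "lost or stolen device", "no full-disk encryption", "moderate", "high"),
    Risk("file room", "paper", "unauthorized access", "door unlocked during business hours", "high", "moderate"),
    Risk("EHR server", "electronic", "power outage", "UPS and vendor SLA", "low", "low"),
]
SAMPLE_ASSIGNMENTS = {
    "ransomware": {"action": "Add tested offline backups", "owner": "IT consultant", "due": date(2024, 3, 31)},
    "lost or stolen device": {"action": "Enable full-disk encryption", "owner": "IT consultant", "due": date(2024, 2, 15)},
    "unauthorized access": {"action": "Keep file room locked; issue keys to records staff only", "owner": "Office manager", "due": date(2024, 2, 1)},
}


def run_sample(today=date(2024, 3, 1)):
    """Run the whole cycle on the sample data and summarize the results."""
    gaps = inventory_gaps(SAMPLE_RISKS, SAMPLE_LOCATIONS)
    plan, accepted, unassigned = build_plan(SAMPLE_RISKS, SAMPLE_ASSIGNMENTS)
    return {
        "gaps": gaps,
        "plan": len(plan),
        "accepted": len(accepted),
        "unassigned": len(unassigned),
        "overdue": [s.action for s in overdue(plan, today)],
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The point of `build_plan` returning the `unassigned` list is the one the article makes about ownership: a moderate or high risk with no named person and due date is not yet managed, and the register should surface it rather than let it disappear. Running `overdue` against today's date is the "follow up throughout the year" step.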
As you can see, the steps are simple and easy enough to understand. Still, there aren’t any detailed, clear directions in the HIPAA rules, so you cannot be certain that the risk analysis you performed meets HIPAA requirements.
That confusing gray area is where The HIPAA E-Tool® comes in. The HIPAA E-Tool® is a comprehensive compliance program that includes all policies, procedures, and forms needed to comply with HIPAA.
The HIPAA E-Tool® contains an interactive risk analysis / risk management module that contains all the questions you need to answer and allows you to enter and save all of your data in one place; it completely eliminates the guesswork in risk analysis. Once you enter data in the first inventory section, the tool automatically enters all identified risks in the next section, where action step assignments are made and the risk management plan is documented.
Once completed, the risk analysis can be archived in The HIPAA E-Tool®, and when the next risk analysis is done the following year, all the data is there, requiring only modifications and tweaking, instead of starting from scratch.
Organizations that create, receive, maintain and transmit PHI at more than one location must perform risk analysis and risk management at each location because the unique characteristics at each location inevitably give rise to different risks.
Risk management is not "one size fits all". Differences in operation, equipment, location and staffing necessarily indicate that every organization has specific, unique risks to its PHI. The solutions are also specific and unique. Everything comes back to the basic first step of a full HIPAA risk analysis. When done correctly, the analysis provides the action steps required for risk management throughout the year.
While every organization should have a HIPAA compliance officer primarily responsible for HIPAA, everyone in the organization who handles PHI helps maintain compliance. Risk management is a team effort including staff from all levels of the organization. Each action step should be assigned to a specific person who is qualified to complete the task.
Often the IT department (or for smaller organizations, the IT consultant) will have a substantial role in helping monitor the ongoing requirements for maintaining the security and integrity of all patient data in electronic format. The HIPAA compliance officer will work hand in hand with IT for the best outcomes.
Choices about how to manage risks will be unique to the organization. It could involve locking file cabinets in a room where only certain employees have access, revising the password management system, an update of the anti-virus and anti-malware software or adding cybersecurity awareness training for staff. It might include all of those, or a different list, depending on your unique circumstances.
A HIPAA risk management plan is a living document that will change as circumstances and risks change. For example, if an organization adds new staff, buys new equipment or opens a new location, the risk analysis should be modified to include the new circumstances. If a breach occurs, or a cybersecurity incident happens, the risk analysis should be updated.
Even with a risk management plan in place there are threats and vulnerabilities that could surface and cause the loss of data. The purpose of HIPAA compliance is to reduce and manage risks, but not every risk is preventable.
Luckily, organizations do not have to stretch themselves thin to meet the requirements of HIPAA. The HIPAA E-Tool® brings confidence and convenience to organizations that understand the importance of complying with HIPAA. Every rule, every requirement and every question about HIPAA is explained and answered in plain language.
Risk analysis and risk management do not have to be stressful or tedious. The level of detail and thoroughness needed to have confidence in HIPAA risk management isn’t achieved easily by organizations. The security of patients’ protected health information is more important than anything, and companies want to make sure they protect it as fiercely as possible.
The only problem is, unforeseen circumstances can cause a HIPAA violation that impacts you in the worst ways.
Hackers, cybercriminals, and other nefarious characters spend a lot of time attempting to breach sensitive patient information. If your risk management plan is not up to par, your organization could be the victim of one of these attacks.
Even though you did everything right and monitored risks as best you could, a breach is still your responsibility. The beauty of The HIPAA E-Tool is that it's easy to use with no experience required and available on any device that can be connected to the internet.
The software automatically updates whenever a HIPAA regulation changes, ensuring your company will never have a violation because you weren’t up to date. Request a demo of The HIPAA E-Tool® today and never have to worry about having the wrong response to a HIPAA question again.
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104
8820 Ladue Road Suite 200
St. Louis, MO 63124