HIPAA Risk Analysis Tip – Part 1 - Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez
We received almost 100 questions in our May 3rd web event entitled "WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez". We are breaking up the questions and providing the answers in this blog post series "HIPAA Risk Analysis Tips".
- How does a risk analysis process that is based on questions covering the HIPAA framework meet the 9 point criteria for risk analysis?
Answer: If by HIPAA framework it is meant the five areas, 22 standards and 53 implementation specifications that comprise the HIPAA Security Rule, then a risk analysis process based on that framework does not meet the requirements set forth in the “nine essential elements” in OCR-issued“Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. The wording in the question sounds more like a separate assessment, the non-technical security evaluation, in the HIPAA Security Rule found at 45 CFR §164.308(a)(8). You may also wish to review this blog post: “HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis”.
- When we do our risk assessment, and determine (in our opinion) that a particular threat is not one that should be "reasonably" considered (and acted upon) ... this is by definition a subjective judgement. How can we have confidence that OCR would agree with our assessment, in the event of enforcement action?
Answer: I would suggest that if a formal, documented risk analysis process was followed such as that found in OCR-issued“Guidance on Risk Analysis Requirements under the HIPAA Security Rule” and NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments, OCR would agree with your judgment. In following such a process, you would have inventoried all information assets and would have established your reasonably anticipated threats, vulnerabilities along with your definitions of likelihood and impact. You would have also established your risk appetite. All of this “framing” work would be the basis of your informed decision-making. Done thoroughly, it would likely be defensible.
- Perhaps it's in the full resolution agreements...but can you give some examples of the types of information assets that organizations tend to overlook when doing their risk assessments?
Answer: Great question!… if you navigate to this area of our web site called “What is an Information Asset?”, you will find lots of information about information assets, including FAQs, the last of which is “What are some examples of often-missed information assets?”. Clicking on that FAQ that link will provide a list of 20!
- Is your IRM tool applicable to the Health Plan setting? How does the software work for Health Plan payers?
Answer: Yes; IRM|Analysis™ is agnostic of the type of sensitive data being risk-analyzed. While our focus is healthcare, including all types of Covered Entities and Business Associates, it can be used outside of healthcare. And, yes, we have many health plan customers. You may view a demo of the software here.
- Do we have any entities who are "doing it right?" It would be helpful to see good examples.
Answer: We cannot speak to what other service providers are doing but we can provide Clearwater case studies and testimonials from customers who have done it right and have passed muster with OCR in audits and investigations.
- If you are an employer offering employees a self-insured medical plan through an association (i.e. - no access to PHI), is your organization required to conduct an SRA and fully comply with Privacy laws if you are not otherwise a covered entity under HIPAA?
Answer: We would suggest a complete review with your outside counsel. A self-insured health plan is, by definition, a HIPAA Covered Entity. Please reference this HHS website FAQ: “As an employer, I sponsor a group health plan for my employees. Am I a covered entity under HIPAA?” Assuming a Covered Entity, I would recommend following the process and, if appropriate, documenting that you have no information assets that create, receive, maintain or transmit ePHI. Assuming you have a TPA and other service providers operating as Business Associates, the organization has HIPAA Security Rule and HIPAA Privacy Rule Business Associate management compliance obligations.
- Why wouldn't the frequency be 'on-going'? Example-The Risk Management Committee identifies new equipment at the quarterly meeting. Should a RA be performed at that time and not wait to 4th qtr. every year?
Answer: Perfect! Yes! Information risk management is an ongoing process. I would recommend performing the risk analysis when any significant operational, technological, organizational or environmental changes occur. The risk analysis should be updated (as should the risk response plan) whenever there are Assets change, threat sources change, threat events change, available controls change, etc. etc. The new equipment is just one example of assets Your question underscores the importance of establishing, implementing and maturing an information risk management program. That is, treating it as a journey and not a destination!
- You have spent a lot of time discussing the lack of a thorough SRA, but what you haven't touched on is the reason why. Most CE's/BA's do not feel any threat of an audit, other than the random audits (400), desk audits, these are a drop in the bucket for the amount of CE/BA's actually out there.
Answer: Point taken! Arguably, there are 10+ million organizations comprising the healthcare ecosystem when one considers all the covered entities, business associates, sub-business associates and hybrid entities. One does not need to be a gambler to take that bet. The primary reasons for OCR investigations that result in Resolution Agreements / Corrective Action Plans are breaches and complaints. Still, OCR has limited staff and resources to even keep up. Like most business matters, this one is a business risk management matter. It often takes a significant event that has financial, legal, professional liability, reputational or other Board-level repercussions to motivate action to perform a comprehensive SRA.
- The resources required to complete an adequate risk analysis must be recognized---the cost related to staff hours, consultants (if used), updates to IT to meet the OCR, etc. requirements, administrative oversight, etc.--it is vast and expensive to both large and small organizations.
Answer: As above, Point Taken! It’s a matter of business exposure/risk vis-à-vis other potentially more strategic initiatives and risks. We’re seeing organizations’/executives’ perspective evolve from what was perceived to be a “compliance issue” to an “information security issue” to a “patient safety issue”. While significant at the onset, it’s not unlike other initiatives that require a bubble of expenditure in the initial years that tapers into an operational maintenance. Initial program stand-up can often be capitalized which helps with the P&L impact.
- Can you address how the upcoming NIST 800.53 Rev 5 impact the items that must be included in the risk assessment. Now that 'federal' is being removed, will 800.53 Rev 5 be considered best practice for all organizations?
Answer: Our view is that control sets are not best practices in and of themselves. Controls are one factor in the “risk equation” and like assets, threat sources, threat events, risk appetite, available controls will change. Therefore, as controls change and are better articulated, organizations must be adept at initially establishing a program that transcends time and all the factors in the “risk equation”. The fundamental risk assessment process will remain the same.
Stay tuned for Part 2 of the Questions and Answers from the May 3rd web event entitled "WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez"
- Download the OCR-issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule".
- Learn the definition of an information asset.
- View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
- Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
- Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.