The annual Safeguarding Health Information: Building Assurance through HIPAA Security conference, hosted by the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST), took place last week in DC. In this post I will discuss the key takeaways:
- Risk analysis continues to be a main focus of OCR enforcement
- OCR expects larger covered entities and their business associates to know the difference between a comprehensive Risk Analysis and the narrower examination of a Gap Analysis
- The OCR’s SRA 3.0 risk analysis software is very basic and only intended for small providers
- More and more healthcare providers are realizing that they need a robust software solution to conduct their risk analysis to meet OCR’s expectations, and manage today’s threat landscape
Director Severino Re-Affirms His Enforcement Mindset
Two questions on everyone’s mind at the annual Safeguarding HIPAA Summit were: What will OCR’s attitude be towards enforcement, and what areas of enforcement will it focus on in the coming year? OCR Director Roger Severino stated during his keynote address that he still maintains an “enforcement mindset.” While his ultimate goal is to achieve a reduction in enforcement actions, Director Severino said, “case numbers are still going up” and healthcare organizations are “not doing the basics.” Severino stated that until this mode of operation changes, OCR enforcement will continue to be a top priority, and, as stated last year, OCR will continue to seek out “big, juicy, egregious cases.”
Risk Analysis Continues to be a Focus of OCR Enforcement
It was not surprising that Director Severino cited the recent $16M Anthem settlement case—the largest OCR enforcement action in history—as an example of a case where a large organization failed to do the basics. Director Severino specifically noted Anthem’s failure to conduct an enterprise risk analysis as one of the deficiencies which led to OCR’s enforcement action. Based on his comments, a takeaway was that risk analysis will continue to be an area of focus for OCR. OCR’s focus on risk analysis was a consistent message, reinforced in later presentations by OCR representatives.
Failure to Understand What’s Required in a Risk Analysis is Not an Excuse
Having performed risk analyses for hundreds of healthcare organizations, we have learned that many healthcare providers simply do not understand (or do not want to understand) how to perform a risk analysis or what is required to meet OCR’s guidelines. During the conference, representatives from OCR referenced the available documentation that explains those requirements. For instance, OCR has published several guidance documents, which are available on its web site, and the risk analysis process is also explained in detail in NIST SP 800, Guide for Conducting Risk Assessments.
Limiting Risk Analysis to Only the EHR is Not Acceptable
Another takeaway focuses on the scope of the risk analysis: OCR has stated repeatedly that the risk analysis must be information-asset based and that its scope must be enterprise wide. Attendees were reminded that a risk analysis is not a checklist and that large organizations will be held to a higher standard than smaller organizations.
In our experience, and much to our dismay, we have observed many healthcare organizations limiting their risk analysis to only their EHR system rather than including all of their systems and components that create, maintain, transmit, or receive ePHI. Our strong advice to our clients has always been that limiting the scope of the risk analysis to the EHR puts their organization at risk from both a security perspective and a compliance perspective. Clearwater has been engaged in over 30 OCR cases, and one thing we are sure about: if there is a breach of a system containing ePHI that has not been included in your risk analysis, you are taking your chances with OCR enforcement.
After his presentation, Director Severino was asked what he would say to a healthcare provider who felt that it only needed to include EHR systems in its risk analysis. He responded, “the medium is not the point. Any assets, including physical assets that maintain ePHI, must be included in the risk analysis.”
Stay tuned for Part II of Key Takeaways From the Safeguarding HIPAA Summit, where I will discuss the SRA 3.0 Tool, how healthcare providers are embracing risk management software, and final insights from the Summit.