Webinar 9.26.17: What OCR Expects in Your HIPAA Risk Analysis: A Conversation with Former OCR Investigator, Deepali Doddi
Q/A Blog Series, Post 1
Over 400 healthcare professionals attended Clearwater's webinar this week, "What OCR Expects in Your HIPAA Risk Analysis."
CEO Bob Chaput and special guest, former OCR Investigator, Deepali Doddi, gave attendees an inside perspective on why organizations are failing to meet the OCR's requirements for a comprehensive Risk Analysis. Chaput and Doddi also shared advice on how to conduct an accurate and comprehensive HIPAA Risk Analysis that includes all information assets in all lines of business in all facilities and in all locations.
Webinar attendees asked many questions during the webinar, and most were able to be answered during the live event. To provide easy access to the webinar's Q/A and make sure all unanswered questions receive a response, we will be posting Q/A blogs from the webinar in an expansion of our Risk Analysis Blog Series. Post 1 is below.
1. Q: So should companies prioritize HITECH certification or HIPAA certifications?... Since HITECH has more meat to it...
A: There is no certification recognized by OCR (see the FAQ and answer below from the HHS website), and there is no requirement to perform a HITECH evaluation. There is, however, a requirement to perform a non-technical evaluation under the Security Rule § 164.308(a)(8) Standard: Evaluation, which states:
Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
A non-technical evaluation is, in essence, a compliance gap assessment. Such an assessment involves walking through every standard and implementation specification in the Security Rule and reviewing policies and procedures, together with evidence (documentation) that they are practiced and enforced. That should be your priority.
FAQ from the HHS Website: Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.
It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
2. Q: Is the risk assessment function generally performed by a compliance department or the Information Security Department?
A: Various members of the Information Security Department will need to be involved, but because PHI is spread across the whole organization, we recommend that a cross-functional team take part in a comprehensive risk analysis to ensure that all assets containing ePHI are identified. Team members may include people from legal, risk management, finance, compliance, IT, clinical engineering, security, quality, and operations.
3. Q: Is it required that Risk Assessment/Analysis be performed in line with NIST or any other standard/framework?
A: OCR encourages following NIST but does not require it. In the Final Guidance, OCR cites nine essential elements of a risk analysis. They are:
- Scope of the Analysis - includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).)
- Data Collection - identify and document where the e-PHI is stored, received, maintained or transmitted. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
- Identify and Document Potential Threats and Vulnerabilities - identify and document reasonably anticipated threats to e-PHI (see 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii)), and identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
- Assess Current Security Measures - assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and whether current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
- Determine the Likelihood of Threat Occurrence - take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) Document all threat and vulnerability combinations, with associated likelihood estimates, that may impact the confidentiality, availability and integrity of an organization's e-PHI. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)
- Determine the Potential Impact of Threat Occurrence - consider the "criticality," or impact, of potential risks to the confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) Document all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)
- Determine the Level of Risk - assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
- Finalize Documentation - the risk analysis documentation is a direct input to the risk management process.
- Periodic Review and Updates to the Risk Assessment
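To make the "Determine the Level of Risk" step concrete, here is a small risk register that carries a few of the elements above through in code: each ePHI asset is paired with a threat, a vulnerability, current safeguards, a likelihood rating and an impact rating; the register scores every pair, assigns a level, sorts by risk, and flags medium- and high-risk items that have no documented corrective action. This is an added example, not code from the webinar, Clearwater, or OCR. The three-point scales, the score thresholds and the sample entries are constructed assumptions for illustration; an organization would substitute its own scales and findings.

```python
"""Minimal HIPAA-style risk register: likelihood x impact -> risk level.

Added example, not from the webinar or Clearwater. Scales, thresholds and the
sample entries are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed three-point ordinal scales (assumption; the guidance does not
# mandate a particular scale).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskItem:
    asset: str                    # information asset holding ePHI (data collection)
    threat: str                   # reasonably anticipated threat
    vulnerability: str            # weakness the threat could trigger or exploit
    likelihood: str               # rating on the LIKELIHOOD scale
    impact: str                   # rating on the IMPACT scale
    current_controls: tuple = ()  # safeguards already in place
    corrective_action: str = ""   # planned mitigation, empty if none documented


def risk_score(likelihood: str, impact: str) -> int:
    """Product of the two ordinal ratings (1..9).

    Raises ValueError for an unrated or unknown rating, because every
    threat/vulnerability pair must carry both a likelihood and an impact.
    """
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unrated or unknown rating: {exc}") from None


def risk_level(score: int) -> str:
    """Constructed thresholds on the 1..9 product: 6-9 high, 3-5 medium, 1-2 low."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(items):
    """Score each item, sort highest risk first, and flag medium/high items
    that still lack a documented corrective action."""
    register = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        level = risk_level(score)
        register.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "score": score,
            "level": level,
            "needs_action_plan": level != "low" and not item.corrective_action,
        })
    register.sort(key=lambda row: row["score"], reverse=True)
    return register


def summarize(register):
    """Counts per level plus the assets with no action plan, for the
    documentation step."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for row in register:
        counts[row["level"]] += 1
    open_items = [row["asset"] for row in register if row["needs_action_plan"]]
    return {"counts": counts, "missing_action_plan": open_items}


# Constructed sample entries, not real findings.
SAMPLE_ITEMS = (
    RiskItem("Clinic laptops", "theft or loss", "no full-disk encryption",
             "high", "high", current_controls=("screen lock",)),
    RiskItem("EHR database server", "ransomware", "unpatched OS",
             "medium", "high", current_controls=("antivirus",),
             corrective_action="apply monthly patch cycle; test restores"),
    RiskItem("Backup tapes (offsite)", "unauthorized access", "tapes unencrypted",
             "low", "high", current_controls=("locked storage", "chain of custody")),
    RiskItem("Fax machine in records room", "misdirected fax", "no cover sheet check",
             "medium", "low", current_controls=("staff training",),
             corrective_action="add confirmation step"),
)

if __name__ == "__main__":
    reg = build_register(SAMPLE_ITEMS)
    for row in reg:
        print(f"{row['level']:6} {row['score']}  {row['asset']}: "
              f"{row['threat']} / {row['vulnerability']}")
    print(summarize(reg))
```

Two design points worth noting. First, `risk_score` refuses an unrated pair rather than silently defaulting it, which mirrors the requirement to document likelihood and impact for every threat and vulnerability combination. Second, `needs_action_plan` ties the register to the risk management process that follows: a medium or high risk with no corrective action is exactly the gap an investigator would ask about.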
4. Q: How do attendees receive Continuing Education Credits?
A: You may use the attendance certificate received in the webinar follow up email to apply for CE credits. Please let us know if you did not receive your certificate of attendance.
5. Comment from attendee: The biggest problem we face is that OCR and ONC need to coordinate Risk Assessment and do away with checklists that are promulgated by ONC. CEs take those and use them as Risk Assessment despite the warning at the top indicating that these checklists are NOT Risk Assessments.
A: We agree and have made that suggestion to OCR.
6. Q: When you say Risk Analysis here, what definition are you using?
A: As defined in the Security Rule § 164.308(a)(1)(ii)(A):
"Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
About Deepali Doddi and IceMiller, LLP
Deepali Doddi, J.D., CIPP/US
Associate, Ice Miller LLP & Former Investigator, OCR
· Attorney in Ice Miller’s Data Security and Privacy practice group
· HIPAA Investigator in HHS OCR’s Chicago regional office for 5+ years
· Served as lead investigator in several OCR HIPAA enforcement settlements
· Member: IAPP, AHLA, HCCA
· J.D., University of Notre Dame Law School (2010); B.A., Northwestern University (2007)