The HHS Office for Civil Rights announced another monetary penalty and settlement for the failure of an entity to fully or competently comply with HIPAA requirements. More particularly, the entity in question offers yet another example of the absence of a risk analysis.
The new settlement, impacting Medical Informatics Engineering, Inc. (“MIE”) arose after the discovery of unauthorized access to its servers. The unauthorized access was able to impact over three million records because MIE is an electronic medical record vendor. As an EMR vendor, MIE stored a significant volume of data and information on behalf of its clients. The compromise also persisted for just shy of three weeks, suggesting a potentially deficient monitoring process. All of this activity netted a settlement of (only?) $100,000.
Turning to the findings from OCR’s investigation, in a break for previous settlement agreements, only two deficiencies were cited. The two deficiencies were (1) impermissibly disclosing PHI and (2) not conducting an accurate and thorough risk analysis. The first deficiency can arguably be dismissed since any breach would necessarily result in the impermissible disclosure of PHI. Accordingly, the settlement could be viewed as being based solely upon the missing risk analysis.
With the focus on the risk analysis, which is really a common thread throughout all of OCR’s settlements, it is a good time to provide a refresher on why the risk analysis is important. Aside from being a required element for compliance with the HIPAA Security Rule, the risk analysis enables development and implementation of the rest of the policies and procedures required pursuant to the Security Rule.
First, it is helpful to remember what the risk analysis is. The Security Rule identifies the following requirement: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” 45 C.F.R. § 164. 308(a)(1)(ii)(A). An accurate and thorough assessment necessarily requires assessing all aspects of an organization and its operations. All types of assets and systems should be identified, vetted, reviewed and more. Ultimately, an organization will want to find anywhere that electronic PHI could be stored, used, transmitted, or otherwise used or disclosed. Further, if another system could access the main system or interact with a system using PHI, then that should be swept in as well. Practically, no piece of an organization should be excluded from consideration.
The next piece is to assess potential risks and vulnerabilities. The risks and vulnerabilities can be broken down by type, likelihood of occurrence, and impact if the event were to occur. The stratification of risk is where the flexibility, scalability, and individuality of the Security Rule can be seen. The results of each organization’s risk analysis will be different, which means that each organization will implement slightly different security policies. That is not only acceptable but desired because the policies and procedures need to fit the unique operations of each organization.
As suggested, once the results of the risk analysis are compiled and finalized, the identification of risks and vulnerabilities will inform how to implement the remainder of the elements of the Security Rule.
The next question is how frequently a risk analysis should occur. From one perspective, it can and should be done on a rolling basis because vulnerabilities and threats are constantly shifting. A major risk from today can be replaced by a new one tomorrow. However, if threats are not continually considered and assessed, protections could remain static and become insufficient. While a rolling analysis may be necessary and result from good, vigilant security practices, that rolling assessment may not produce a report that could be expected to demonstrate compliance. From that perspective, a full comprehensive risk analysis will often occur on an annual basis.
Who can or should conduct the risk analysis? The answer to that question will depend upon the sophistication, time, and resources of each organization. A risk analysis tool is available through the Office for the National Coordinator of Health IT, which tool is helpful if taken seriously. Even for organizations with strong internal capabilities, it can still be advisable to obtain an independent analysis. Bringing in an independent party can help to overcome potential blind spots as it is only natural to see a protection or measure as being where expected, even if it is not in place. The balance of multiple parties reviewing operations can be powerful.
Before another HIPAA based penalty is announced, every organization should take the time to ensure that it has conducted and regularly conducts a risk analysis. The analysis not only helps to implement strong security policies, but demonstrates a commitment to securing the sensitive data entrusted to the organization.