The HIPAA Security Rule requires that all Covered Entities and Business Associates conduct a thorough Risk Assessment of their businesses. This was first introduced in the Privacy Rule but was later expanded into the Security Rule. Under the Final Omnibus Rule in 2013, Business Associates were added. In addition, the amount an entity can be fined was increased for those that had not performed a HIPAA Risk Assessment. In this week’s case study, we look at one entity that failed to perform a HIPAA Risk Assessment. This led to several breaches under HIPAA law that resulted in a fine of $1,550,000.
North Memorial Health Care of Minnesota (NMHC) reported a breach on September 27, 2011. The breach resulted from a laptop stolen from Accretive Health, Inc. (AH), a Business Associate of NMHC. The laptop had been stolen from the car of an employee of AH and it contained ePHI belonging to NMHC. The laptop was not encrypted and contained information on 9,497 individuals.
AH provided various payment and healthcare-related functions for NMHC. However, NMHC had not received a Business Associate Agreement from AH when service started.
OCR began an investigation into the breach and found that NMHC had failed to perform a HIPAA Risk Assessment of its organization. Because of this, NMHC wasn’t able to identify the areas in which they were exposed to breaches of their ePHI. Since no Risk Assessment had been performed, nothing was done to address any vulnerabilities.
A HIPAA Risk Assessment would also have identified the need to obtain Business Associate Agreements with all third parties who had access to the entity’s ePHI. This also requires that an entity perform due diligence on all third parties to ensure that they will take proper care of that entity’s ePHI. As this was not done, due care wasn’t taken to ensure that AH had proper controls in place to protect any ePHI in its care.
What was the result?
OCR fined NMHC $1,550,000 as a result of the breach. In addition, they were required to initiate a Corrective Action Plan for 2 years. The purpose of the Corrective Action Plan is to ensure that an entity institutes proper policies and procedures, performs a Risk Assessment, manages any risk that is identified and provides training to staff.
On March 16, 2017, OCR released a press statement about the incident. You can read that here.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity. Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Why is a HIPAA Risk Assessment so important?
A HIPAA Risk Assessment is meant to be the starting point for the compliance of your practice. A Risk Assessment will identify the following:
- areas where your organization’s PHI may be at risk
- what your likely threats are
- your current protective measures
- the areas where you need to improve
The Risk Assessment will create a road map for your practice to achieve HIPAA compliance. It is the starting point; you can’t be compliant without a Risk Assessment.
The most important point to remember is that after you complete the assessment, you must remediate the areas it identified. If you stop here with a report that shows potential threats to your PHI but don’t address them, you are in jeopardy of willful neglect.
Once all of the items your initial assessment identified have been addressed, perform a second Risk Assessment to document that all areas have been resolved.
What goes into a HIPAA Risk Assessment?
One of the points of confusion for entities that are required to perform a Risk Assessment is that HHS has released no specific guidelines. The main reason for this is that not all Covered Entities and Business Associates are the same. They vary in size and complexity. A Risk Assessment template for a hospital wouldn’t be applicable for a small practice or Business Associate.
What HHS does provide is the ultimate goal of what should be achieved by a Risk Assessment. A Risk Assessment should identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the PHI that an organization creates, receives, maintains or transmits.
One final point is important to remember: any time something changes on your network, such as a new server, new computers, or new software, you must perform a new HIPAA Risk Assessment to ensure that the changes didn’t introduce new vulnerabilities. Keep all copies of your Risk Assessments in your HIPAA documentation.
We’ve written an in-depth report on what should be included in your Risk Assessment. It details the areas that should be addressed based on guidelines supplied by HHS. If you would like to read that, please head over here.