How to avoid HIPAA penalties with a Security Risk Assessment
A Security Risk Assessment could save your dental practice from major repercussions and financial penalties.
Could your group or practice survive over one million dollars in fines and penalties, loss of patients, credit monitoring costs, lost productivity, civil and criminal investigations and damage to your reputation? Of course not. But that is the new reality, as our industry faces increasingly frequent breaches of Protected Health Information (PHI), software products with questionable data protection schemes and patient data that has become a high-value target for those seeking to gain financially.
Along with new HIPAA rules outlining greater penalties and accountability, the repercussions from patient data breaches are difficult, if not impossible, to recover from. No group or practice, no matter how large or small, is immune from threats. Data breaches are crippling both from a financial and PR perspective, considering the vast amount of sensitive information consumers trust them with. And dental practices and groups are supposed to be the pinnacle of fidelity when it comes to sensitive patient information.
So, the question in this scary world of patient data breaches and thefts is whether you have taken all the designated precautions possible to prevent this from ever happening. In the wake of an actual breach, the first question practices and groups are asked is whether they can provide a full accounting of all their protected health information, including where it is stored and who has access to it, and whether they have followed the administrative, physical and technical safeguards laid out by federal regulation to protect their PHI. Or has your group or practice basically ignored best practices for safeguarding the information? Based on your answers to these questions, you could either receive unfavorable HIPAA rulings or potentially mitigate your HIPAA risk. The Office for Civil Rights (OCR) under Health and Human Services, the entity responsible for enforcing HIPAA, looks for a “Culture of Compliance” within the group or practice when investigating a HIPAA violation; i.e., have you done everything possible to try to prevent the breach or violation?
Security risk assessment as insurance
The best way to assure the OCR that you are trying to follow the regulations is through the use of a Security Risk Assessment (SRA). The SRA is a tool for preventing data breaches and strengthening security within practices and groups; it has been around for a while and has been employed by numerous groups and practices.
But these days most healthcare organizations are aware that regular Security Risk Assessments (SRAs) are no longer optional; instead, they are required and stringently enforced. The HIPAA Privacy and Security Rules, as outlined in 45CFR 164.398 (a)(1), require organizations that handle health information to routinely review the administrative, physical and technical safeguards they have in place to protect the security of protected health information (PHI). SRAs are also a mandatory requirement for providers seeking technology subsidies and payments through the Federal EHR Incentive Program, commonly known as the Meaningful Use Program.
Although conducting regular SRAs may seem to be a hassle, the cost of failing to conduct them and remediate risks is much worse. Penalties can include millions of dollars in fines, loss of patients, credit-monitoring costs, lost productivity, civil and criminal investigations and damage to institutional and professional reputations. In many cases the repercussions from patient data breaches are difficult, if not impossible, to recover from.
SRAs are designed to help protect against data breaches or loss. By conducting thorough assessments, healthcare providers and business associates can uncover potential weaknesses in their security policies, processes and systems, and remedy them before adverse security events occur. And the regulations specify that risk analysis should be ongoing as various internal factors change and threats evolve.
What is a Security Risk Assessment?
SRA areas of focus should include:
• Review of PHI inventory to determine where electronic and other data is located
• Examination of the safeguards required by rule 45CFR 164.398 (a)(1): administrative, physical and technical, including the latest Omnibus rules
• Assessment of current operations for HIPAA compliance, including safeguards in place, as well as vulnerabilities and specific threats to safeguards
• Evaluation of existing security policies and procedures
• An application criticality review
• A threat analysis that identifies external threats
• A vulnerability analysis that identifies internal issues
• A risk remediation roadmap
SRAs should also be based on HITRUST standards and the Common Security Framework. Domains should include:
• Information Protection
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Wireless Security
• Configuration Management
• Vulnerability Management
• Network Protection
• Transmission Protection
• Password Management
• Access Control
• Audit Logging and Monitoring
• Education, Training and Awareness
• Third Party and Business Partner Assurance
• Incident Management
• Business Continuity & Disaster Recovery
• Risk Management
• Physical & Environmental Security
• Data Protection & Privacy
Should you use a consultant?
If you possess the skills in-house to address all the SRA areas and domains outlined above, then certainly you can attempt to provide the protections and processes called for in the HIPAA regulations. But my experience shows me that, for the most part, IT consultants or even in-house IT staff typically do not have the expertise needed to do a proper in-depth Security Risk Assessment. This is a highly specialized area, and I highly recommend using a third-party partner with all the skills and experience needed to perform this critical process.
So, if you go the route of looking for a partner to help you through this process, there are a few basics to look for right off the bat. Your group or practice has to be HIPAA compliant, and your SRA partner should be, too. The partner should protect patient records with the utmost care and be assessed by the same rules. Find a partner that does not merely assess your privacy and security capabilities but also has the skills to strengthen them. Look for a partner with certifications from the International Association of Privacy Professionals, such as CIPP/US, CIPT and CIPM; their privacy expertise is unparalleled. Look for providers who live the daily rigor of proactive security operations with CISSP-certified personnel.
Next, dig into vendors’ processes and procedures. In addition to inquiring about certifications, ensure that your third-party partner is healthcare-specific and keenly focused on healthcare compliance. The partner should know OCR audit protocols. Check to see if clients who have been audited have met or exceeded their audit requirements.
Your SRA partner should work with leading healthcare law firms in support of clients’ breach notifications, remediation strategies and forensic discovery. Ask if they have HIPAA security and privacy subject matter expertise for both the primary entity and its business associates.
Make sure the partner acts as an official business associate, subject to the same Security and Privacy Rule requirements as a covered entity. As a business associate, the partner must maintain the highest degree of HIPAA compliance and knowledge. It should be able to unequivocally deliver an SRA that meets all HIPAA and Meaningful Use requirements.
And having personally negotiated numerous IT and software contracts over the years, I recommend that your contract ensures that your SRA vendor offers exemplary processes, deliverables and follow-on remediation options.
The bottom line
When it comes to HIPAA compliance and your patient data security, you can choose to go along with your head in the sand, doing the minimum to protect your PHI, and hope that you don’t experience a major breach. But do you really want to take a chance with the future of your business in terms of penalties and fines, credit monitoring costs, lost productivity, civil and criminal investigations, damage to your reputation and loss of patients? As mentioned, one of the first things the authorities assess when there is a HIPAA breach is whether you at the very least followed the recommended federal guidelines outlined in the HIPAA Security Rule. So, the best way to look at investing in a Security Risk Assessment is that it is one of the best insurance policies you can purchase for your group or practice.
For more information on how to minimize your HIPAA exposure using Security Risk Assessments please contact: Mike Uretz at firstname.lastname@example.org or 425-434-7102.