Low-Hanging Fruit for Regulators: Failure to Conduct Comprehensive Risk Analysis Frequently Featured in HIPAA Enforcement
The Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), includes numerous requirements that can leave a covered entity or business associate paying large sums for non-compliance (not to mention reputational damage). Moreover, with the federal Department of Health and Human Services audits and a rash of HIPAA enforcement actions over the last several years by both state and federal regulators, it’s clear that scrutiny over HIPAA compliance is not going away. Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), which is responsible for enforcing HIPAA, confirmed this in March when he stated there would be no slowdown in HIPAA enforcement, and that OCR was looking for a “big, juicy, egregious” HIPAA breach for enforcement. Despite the regulatory complexity and increased scrutiny, however, recent reports and enforcement actions suggest that many organizations are not taking certain fundamental steps for HIPAA compliance. One of the most commonly cited shortcomings is the failure to undertake a comprehensive HIPAA security risk analysis (also referred to as a “risk assessment”).
HIPAA Risk Analysis Requirement
The HIPAA Security Rule, which applies to covered entities and business associates, requires those organizations to undertake a comprehensive, accurate, and thorough assessment of the potential risks and vulnerabilities to electronic protected health information (ePHI). This risk analysis is the first step in complying with the HIPAA Security Rule. Not only is the risk analysis itself required for HIPAA compliance, it is also necessary for assessing whether certain “addressable” controls under the Security Rule are “reasonable and appropriate.”
From prior experience, OCR at least requests a copy of an entity’s current risk analysis when undertaking an investigation or requesting documentation from covered organizations, and may request copies of risk analyses dating back multiple years in some cases. Representatives from OCR have stated during presentations that they often receive audit reports or gap assessments in response to these requests, and have indicated that these ancillary documents are not sufficient to meet the risk analysis requirement.
Recent guidance from OCR highlights the distinction between a risk analysis and a gap analysis. Per this guidance, a risk analysis is a comprehensive assessment of an entity’s enterprise to identify ePHI and the risks and vulnerabilities to the ePHI. A gap analysis, on the other hand, is a much narrower examination of whether certain controls or safeguards required by the Security Rule are implemented. Despite the apparent similarities, the OCR guidance indicates that a gap analysis is not generally sufficient to meet the risk assessment requirements because it does not consider all of the PHI an entity creates, receives, maintains, or transmits.
HIPAA Risk Analysis in Reports and Enforcement
In September 2017, a representative from OCR presented findings from OCR’s HIPAA audits. The presentation noted a number of common deficiencies in HIPAA compliance programs, but one of the most glaring findings was that 83% of covered entities audited, or 55 out of 63, had what OCR deemed to be an inadequate risk analysis. Not only is OCR reporting on the lack of adequate HIPAA risk analyses, it seems to be doing something about it.
Between February 2017 and February 2018, OCR entered into five multi-million-dollar settlements, among other smaller settlements, with organizations over alleged violations of HIPAA. In three of those settlements (Fresenius Medical Care North America, $3.5 million; CardioNet, $2.5 million; and 21st Century Oncology, $2.3 million), OCR specifically noted that the organization failed to conduct an accurate and thorough risk analysis as required by HIPAA. To be sure, each of these entities had also committed other HIPAA violations that contributed to the large settlement amounts. However, the fact that OCR has repeatedly referenced the lack of a HIPAA risk analysis in enforcement is significant, and signals the agency’s attention to the risk analysis as a fundamental component of an entity’s compliance program. State regulators have also begun to pick up on this trend.
Some state regulators have recently ventured into HIPAA enforcement, and also seem to be keying in on risk analysis deficiencies. On April 4, 2018, the New Jersey Attorney General announced a nearly $418,000 settlement with Virtua Medical Group, which included allegations that, among other things, Virtua failed to conduct an accurate and thorough HIPAA risk analysis. On March 6, 2018, the New York Attorney General announced HIPAA enforcement against EmblemHealth, where it not only imposed a $575,000 penalty, but also obligated EmblemHealth to implement a Corrective Action Plan requiring it to, among other things, conduct a comprehensive assessment of security risks. These actions illustrate not only that state regulators are interested in HIPAA, but also that they are particularly aware of the risk analysis requirement.
The apparent scrutiny and regulator emphasis on the need for a comprehensive HIPAA risk analysis should remind HIPAA covered entities and business associates of the importance of this basic step in HIPAA compliance. All HIPAA covered entities and business associates should conduct an initial risk analysis and update that risk analysis on an ongoing basis, particularly when new technologies will be integrated into or will alter the ePHI environment, and when planning new operations, services, or functions that may affect the potential risks to ePHI.
Keep in mind that there are a number of methods for conducting a HIPAA risk analysis; it is not a one-size-fits-all exercise. For instance, there are some benefits to at least periodically engaging a third party to conduct a risk analysis, to provide an independent evaluation of threats in your environment and bring insight about current risks and trends from across industry sectors. However, these analyses do not have to be high-cost projects, and can be conducted using internal resources. The more important factors are that the risk analysis: (1) is ongoing and comprehensive, covering anywhere you have ePHI; (2) identifies potential threats and vulnerabilities to ePHI; (3) evaluates the likelihood and potential impact of each threat and documents assigned risk levels, considering known vulnerabilities and the mitigating controls in place; and (4) is used to develop a risk management plan documenting the additional controls that will be implemented to further reduce risk. If you have questions about your HIPAA compliance program or conducting a HIPAA risk analysis (or updating your existing risk analysis), please contact us.
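As an added, constructed illustration (not from this post, and not a method prescribed by OCR or any regulator), the following Python sketch shows how the four factors above can be captured in a simple risk register: an inventory of ePHI locations, threat/vulnerability pairs scored by likelihood and impact, residual risk after the mitigating controls in place, a completeness check that flags any ePHI location with no analysis recorded, and a prioritized list of risks that still need treatment in the risk management plan. The asset names, threats, control effects, and the three-level scoring scale are all assumptions made for the example.

```python
"""Minimal risk register for an ePHI risk analysis.

Constructed example: the inventory, threats, controls and the 3x3 scoring scale
below are assumptions for illustration, not any regulator's required method.
"""
from dataclasses import dataclass, field

# Ordinal scale shared by likelihood, impact and resulting risk level.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    """A mitigating control already in place and how many levels it removes."""
    name: str
    reduces_likelihood_by: int = 0   # 0..2 likelihood levels removed
    reduces_impact_by: int = 0       # 0..2 impact levels removed


@dataclass
class Risk:
    """One threat/vulnerability pair against one ePHI location."""
    asset: str                       # must match an entry in the ePHI inventory
    threat: str
    vulnerability: str
    likelihood: str                  # "low" | "medium" | "high"
    impact: str                      # "low" | "medium" | "high"
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is credited."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_score(self) -> int:
        """Likelihood x impact after crediting the controls in place.

        A control can never push a factor below 'low' (1), so a fully
        mitigated risk still scores 1 and stays on the register.
        """
        like = LEVELS[self.likelihood] - sum(c.reduces_likelihood_by for c in self.controls)
        imp = LEVELS[self.impact] - sum(c.reduces_impact_by for c in self.controls)
        return max(1, like) * max(1, imp)


def risk_level(score: int) -> str:
    """Map a 1..9 score back onto the ordinal scale for documentation."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def uncovered_assets(inventory, risks) -> list:
    """Comprehensiveness check: ePHI locations with no risk entry at all."""
    analysed = {r.asset for r in risks}
    return sorted(a for a in inventory if a not in analysed)


def management_plan(risks, tolerance="low") -> list:
    """Risks whose residual level exceeds the accepted tolerance, worst first.

    Each entry is (asset, threat, residual level); these are the items for which
    the risk management plan must document additional controls.
    """
    above = [r for r in risks
             if LEVELS[risk_level(r.residual_score())] > LEVELS[tolerance]]
    above.sort(key=lambda r: r.residual_score(), reverse=True)  # stable sort
    return [(r.asset, r.threat, risk_level(r.residual_score())) for r in above]


# Constructed sample inventory and register (assumed values).
EPHI_INVENTORY = ["ehr-database", "billing-file-share", "clinician-laptops", "backup-tapes"]

RISKS = [
    Risk("ehr-database", "credential theft", "single-factor logins", "high", "high",
         [Control("MFA on all EHR accounts", reduces_likelihood_by=2)]),
    Risk("clinician-laptops", "lost or stolen device", "unencrypted disks", "medium", "high"),
    Risk("billing-file-share", "ransomware", "unpatched file service", "medium", "high",
         [Control("monthly patching", reduces_likelihood_by=1)]),
]


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset:20} {r.threat:24} inherent={r.inherent_score()} "
              f"residual={r.residual_score()} ({risk_level(r.residual_score())})")
    print("ePHI locations with no analysis:", uncovered_assets(EPHI_INVENTORY, RISKS))
    print("Needs additional controls:", management_plan(RISKS))
```

Two features matter more than the scoring arithmetic: the inventory check, which is what separates a risk analysis from a gap analysis (every place ePHI lives must appear in the register, and here backup-tapes is flagged as missing), and the separation of inherent from residual score, so the documentation shows which controls are being credited and what remains for the risk management plan.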