One thing is very clear: most healthcare organizations DO make sure their HIPAA security checklists are taken care of. BUT many are using the WRONG evaluation to do so.
When we work with healthcare organizations, from private practices and non-profits to larger health systems, compliance officers often confidently show us a report card with a whole bunch of green check boxes next to individual security items. They tell us they have already passed their HIPAA risk assessment for the year.
The problem is in the details: Risk Assessment vs Risk Analysis!
Most CEOs and compliance officers routinely mistake what type of assessment their facility really needs in order to comply with the HIPAA Security Rule. We all know that best practice is to perform the assessment at least once a year, but the problem we see time and time again is that the wrong type of assessment has been done to satisfy the Security Rule requirements.
Now don't get me wrong: I am NOT the HIPAA police, and if you talk to an investigator at the Office for Civil Rights (OCR), they are not trying to fine you for doing something wrong, especially when you are trying your hardest to get all of your ducks in a row.
The problem OCR sees more often than not is facilities that suffer cyberattacks or data breaches without ever having had a real HIPAA risk analysis of their environment.
In HIPAA there is a difference between “risk analysis” and “risk assessment”.
Under the HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)), a "risk analysis" requires you to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability" of electronic protected health information (ePHI). This risk analysis is a required implementation specification, not an optional best practice.
The goal of this risk analysis?
To identify the threats and vulnerabilities to ePHI across your systems, people, and processes, and to rate their likelihood and impact. The analysis then drives your risk management plan and the development of your security policies and procedures.
In contrast, the "risk assessment" appears only within the definition of a breach in the Breach Notification Rule (45 CFR §164.402).
A risk assessment is what you conduct after an impermissible use or disclosure of PHI to determine whether there is a low probability that the PHI has been compromised. The incident is presumed to be a breach unless that assessment demonstrates low probability, so its outcome decides whether notification to affected individuals and the Department of Health and Human Services is required.
This risk assessment must consider at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated since the incident
Bottom Line: a HIPAA risk assessment is meant exclusively to evaluate whether PHI may have been compromised in a specific incident. It does NOT tell you whether your organization has reduced its risks from a security standpoint.
According to the OCR investigators we have spoken to, this is a huge sticking point when they evaluate new cybersecurity incidents.
If you are concerned with reducing your security risks and identifying gaps in your security, whether they are process-based, people-based, or technology-related, a HIPAA risk assessment is not the place to find them.
I want to make sure you know the difference between these two nuanced terms so that you get what you are paying for when you ask for a risk assessment. One of the surefire signs that a compliance company is not doing a great job of keeping your facility secure is when it hands you back a report with nothing but green check boxes.
Cyberattacks increasingly target healthcare in part because checklist-style assessments give organizations like yours a false sense of security, while healthcare cybersecurity still lags far behind the security awareness and preparedness of other industries.