Security risk analysis and risk management were among the most acute compliance problems found by the U.S. Department of Health and Human Services (HHS) in its recent desk audits of covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
In 2016 and 2017, HHS’ Office for Civil Rights (OCR) conducted “desk audits” of 166 covered entities and 41 business associates. The audits focused on selected provisions of HIPAA’s privacy, security, and breach notification rules. After reviewing the documentation obtained from these organizations, OCR gave each a score of 1 to 5, with 1 indicating full compliance and 5 indicating no “serious attempt” to comply.
Of the 63 covered entities and 41 business associates audited for risk analysis, only 16 of the 104 scored better than a 3, OCR reported. For risk management, the numbers were even worse: 44 of the 63 covered entities rated a 4 or 5, as did 28 of the 41 business associates.
HIPAA requires both covered entities and business associates—including group health plans and their service providers—to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to their electronic protected health information (e-PHI). This means identifying all of the e-PHI that the organization creates, maintains, receives, or transmits.
However, organizations frequently underestimate the proliferation of e-PHI in their environments, according to Zinethia Clemmons, OCR’s HIPAA compliance audit program director. “Entities are not accounting for all their [e-PHI] throughout their entity,” she said. Many also failed to show they were updating their risk analyses regularly based on environmental changes.
Once risks and vulnerabilities have been identified, HIPAA’s risk management standard requires security measures to reduce these risks to a reasonable, appropriate level. When investigating reported breaches, however, OCR has often found that the underlying risks had previously been identified in risk analyses, but the organization failed to take appropriate steps to address them, Clemmons said. In some instances, for example, encryption was included in a remediation plan but not implemented in a reasonable timeframe, she added.
In its audits, OCR asked to see not just the risk analysis itself but the organization’s detailed policies and procedures for conducting one. These should indicate who will conduct the risk analysis, how often, and what types of new risks or events will trigger a new one, according to Adam Greene, an attorney with Davis Wright Tremaine LLP. Also, “to what leadership will this be communicated?”
Regarding risk management, OCR is looking for a policy more specific than “manage risk to an acceptable level,” Greene said. The agency wants specifics on an acceptable level of risk, the frequency of reviewing ongoing risks (not just “continually”) and employees’ roles in the risk management process. OCR also wants to see a risk management policy specific to HIPAA and PHI, though “I consider this a fairly controversial point,” he added.
In addition, OCR expects a risk management plan to correspond “one to one” with the underlying risk analysis, which is something not every organization does, Greene continued. It is also important to maintain evidence that the risk management plan is being implemented—for example, that all desktops were encrypted by the projected date. “Information security does not always have the compliance mindset,” he noted.
Right of Access
In the privacy portion of the audits, the biggest problem area was the HIPAA requirement to give individuals access to their own PHI on request. Of 103 covered entities audited, 65 scored a 4 or 5 on this item.
“Access really was a troubling area,” Clemmons said. OCR found inadequate documentation of access requests, and defects in policies and procedures such as misstating the response deadline or failing to mention the individual’s right to designate a third-party recipient.
Organizations need to make sure their access policies reflect the most recent regulatory changes, including the 2014 amendment regarding clinical laboratories, Greene said. The policy should also specify the fees that HIPAA permits the organization to charge, he added. “Revise your policies if you have not done so recently.” Entities also should make sure their notice of privacy practices details the right of access, including the timing, the right to an electronic copy and the right to have a copy forwarded.
Privacy notices yielded good audit results overall, as did timely breach notifications, Clemmons said. OCR will examine covered entities’ practices in these areas for lessons that can be shared as technical assistance, she said. Conversely, for risk analysis, risk management and individual access, OCR is working to enhance its technical assistance to help get entities up to speed.
Clemmons and Greene spoke at the 27th National HIPAA Summit in Arlington, Virginia.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.