In recent weeks, three health care entities have agreed to pay nearly $7 million in settlements reached with the Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) for potential and actual violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In all three instances, the DHHS determined that the covered entities failed to perform an adequate risk analysis or performed a risk analysis, but failed to appropriately execute consistent risk management measures intended to reduce the risks identified by the risk analysis for electronic protected health information (“ePHI”).
Concentra Health Services. Concentra self-reported a breach to the OCR involving an unencrypted laptop stolen in late 2011 from a Concentra physical therapy center in Springfield, Missouri. The OCR’s investigation indicated that Concentra performed several risk assessments, which identified a lack of encryption on its laptops, desktops, and other medical equipment and devices. This lack of encryption was identified by Concentra as a “critical risk.” However, despite this discovery, Concentra failed to adequately address the issue, resulting in inconsistent encryption efforts. Additionally, the OCR determined that Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations. Concentra agreed to pay DHHS $1,725,220 and entered into a Corrective Action Plan that includes encryption status updates, security awareness training for employees, and the completion of a thorough risk analysis of the potential vulnerabilities to the confidentiality, integrity, and availability of all Concentra ePHI.
QCA Health Plan, Inc. QCA, an Arkansas-based health plan, self-reported a breach to the OCR involving a laptop stolen from an employee’s car in February 2012. The OCR’s investigation indicated that QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risk and vulnerabilities to QCA’s ePHI. Additionally, the investigation noted that QCA did not implement physical safeguards for all workstations that access ePHI. QCA agreed to pay DHHS $250,000 and entered into a Corrective Action Plan that includes performing an updated risk analysis and management plan to protect ePHI; developing security awareness training materials and performing specific security measures aimed at reducing risk to, and identifying the vulnerabilities of, QCA’s ePHI.
New York and Presbyterian Hospital and Columbia University. The Hospital and the University are separate legal entities, but pursuant to a joint operating agreement, the University’s faculty members serve as attending physicians at the Hospital. The entities operate a shared data network and shared network firewall administered by employees of both entities. In 2010, the entities submitted a joint self-report to the OCR involving a breach of ePHI. The breach occurred when a university-employed physician attempted to deactivate a personally-owned computer server on the network. The deactivation of the server caused confidential patient information to be accessible on internet search engines. The OCR’s investigation indicated that the Hospital and the University failed to conduct an accurate and thorough risk analysis that incorporated all information technology equipment, applications, and data systems utilizing ePHI and that the entities failed to implement securing measures sufficient to reduce the risks and vulnerabilities of the ePHI systems. The Hospital and University agreed to pay the DHHS $3,300,000 and $1,500,000, respectively. The parties also entered into separate Corrective Action Plans, which include performing a risk analysis, revising policies and procedures, training staff, and providing progress reports to the OCR.
In its Guidance on Risk Analysis Requirements under the HIPAA Security Rule (“Guidance”), the OCR describes the Security Rule risk analysis as “foundational.” These recent high-profile incidents cement OCR’s position that conducting a security risk analysis is the first step in identifying and implementing safeguards that comply with the HIPAA Security Rule. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule requires covered entities to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. As part of its risk analysis, covered entities should (1) identify ePHI within its organization, including all ePHI that is created, received, maintained or transmitted by the entity; (2) determine the external sources of ePHI; and (3) determine whether there are human, natural, or environmental threats to information systems that contain ePHI.
The risk analysis is also a key tool in reaching substantial compliance with many of the other standards of the Security Rule. As we know, some of the requirements of the Security Rule are identified as “addressable” rather than “required.” Addressable standards, however, are not optional standards. Rather, a covered entity must determine if the implementation specification is not reasonable and appropriate. If the implementation specification is not reasonable and appropriate, the covered entity must document why and then implement an equivalent measure. A risk analysis is critical to managing and resolving “addressable” implementation specifications.
Like the HIPAA Privacy and Security Rule, the OCR’s Guidance is “scalable” and not intended to be a “one-size-fits-all blueprint” for compliance. Covered entities are encouraged, therefore, to determine what risk analysis best suits their internal needs. However, regardless of the method used, a thorough risk analysis must include the following elements:
Scope of the Analysis and Data Collection. The risk analysis must include all ePHI in all forms of electronic media regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of the covered entity’s ePHI.
Identify and Document Potential Threats and Vulnerabilities. A covered entity must identify “reasonably anticipated” threats to ePHI and identify the vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI.
Access Current Security Measures. Covered entities should assess and document the security measures an entity uses to safeguard ePHI, what measures are required by the Security Rule, and whether those measures are being implemented and used properly by the covered entity.
Determine the Likelihood of and the Potential Impact of a Threat Occurrence. Covered entities should determine if a threat is “reasonably anticipated”. A covered entity must assess the magnitude of the potential impact to confidentiality, integrity, and availability of ePHI, resulting from a threat triggering or exploiting a specific vulnerability.
Determine the Level of Risk. The covered entity should assign “risk levels” for all threats and determine the likelihood of the threat occurring and resulting impact of the threat occurring. The covered entity should document a list of corrections to be performed to mitigate each risk level.
Finalize Documentation. The risk analysis methodology and conclusions must be documented and made available to the OCR upon request.
Periodic Review and Updates to the Risk Analysis. So that the risk analysis remains current, the covered entity should conduct continuous risk analyses to identify when updates to programs and processes are needed.
A thorough risk analysis aimed at identifying, categorizing, and responding to anticipated threats to the confidentiality, integrity, and availability of ePHI will meet the requirements of the HIPAA Security Rule and will work to reduce fines and other OCR sanctions. Covered entities should be aware, however, that the risk analysis is not a “snap-shot.” Rather, it is an ongoing process aimed at reducing overall risk. In addition to the Guidance, the OCR has made available educational programs and other materials to assist covered entities with their compliance efforts. This additional information is available at www.hhs.gov/ocr and from the National Institute of Standards and Technology (NIST), whose guidelines represent the industry standard for good business practices with respect to securing ePHI. The OCR’s Guidance references the NIST guidelines.
Cynthia Ransburg-Brown, JD, a partner in the Health Care Consulting Group at Sirote & Permutt, advises clients on a variety of corporate and regulatory health care law matters. She can be reached at [email protected]