HIPAA Security Standards: Use a Risk Analysis To Guide Your Decision Making


So what do the HIPAA Security Rule basics say about flexibility, and where does all this risk analysis come from? The thing about the Security Rule is that it has no simple technical requirements. It's not a checklist. You really have to figure out what is right for you and your facility. That's one of the tough things: it's not a cookbook kind of thing. You really have to examine what goes on and then make decisions that you can justify about what's reasonable for you to do.

That really means you have to understand how you work and do some HIPAA risk assessments so you can make the right decisions. And then document all of this. That's one of the important things. You have to document what your thought process is so that you can justify it if you get into trouble somehow.

You can say, “Look, we thought this through. We did the best we could. Here's where our thinking was. Here's what we thought was the right thing to do.” That's the kind of thing that can help keep you out of trouble with the Feds if you have a problem down the road.

Now there are a couple of places in HIPAA where they talk about risk and how important it is. For instance, the HIPAA General Rules in Section 164.306(b), the flexibility section, say you can use any security measures that allow you to meet the HIPAA security standards and specifications.

But you have to consider a number of things, such as how big your organization is, how capable you are, what hardware and software you have and what systems you have in place right now. And there's nothing in HIPAA that says you have to throw those out. You can consider what you have, what your capabilities are and what the costs are of doing things.

But really, what it also points to is that you have to decide what you are going to do based on the probability and criticality of risk. There are two factors here. One is the likelihood that this risk is going to turn into a real problem for you. The other, if it does, is the impact.

Does this impact one individual or lots of individuals? Is there a lot of information about an individual or just a little bit of information? Or a lot of information about a lot of individuals? The probability and criticality of risk is really how you make your decisions about what your biggest risks are and what you want to go after first.
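As an added illustration of ranking risks by probability and criticality (this is example code written for this page, not from the talk or from HHS), the script below scores a small risk register the way the two factors above suggest: a likelihood scale, and an impact scale built from how many individuals are affected and how much information about each is exposed. The 1-to-5 scales, the rule for combining breadth and depth into one impact number, and the sample risks for a hypothetical clinic are all constructed for illustration; a real analysis would use whatever scales the organization has agreed on and written down.

```python
"""Ranking risks by probability and criticality of risk.

Added example, not code from the original talk. The 1-5 scales, the rule
for combining breadth and depth into an impact score, and the sample risks
are constructed for illustration.
"""
from dataclasses import dataclass
import json

# Constructed ordinal scales, 1 (lowest) to 5 (highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
BREADTH = {"one individual": 1, "a few": 2, "hundreds": 3, "thousands": 4, "entire population": 5}
DEPTH = {"minimal": 1, "limited": 2, "partial record": 3, "full record": 4, "full record plus financial": 5}


@dataclass
class Risk:
    name: str
    likelihood: str   # how likely the risk turns into a real problem (key into LIKELIHOOD)
    breadth: str      # how many individuals' information would be affected (key into BREADTH)
    depth: str        # how much information per individual (key into DEPTH)
    rationale: str    # why it was scored this way: the documentation that justifies the decision

    def impact(self) -> int:
        """Criticality: the worse of breadth and depth, raised by one when both are
        at least 'moderate' so that a lot of information about a lot of people
        ranks above either factor alone. Capped at 5."""
        b, d = BREADTH[self.breadth], DEPTH[self.depth]
        bump = 1 if min(b, d) >= 3 else 0
        return min(5, max(b, d) + bump)

    def score(self) -> int:
        """Probability x criticality; the number used to order the work."""
        return LIKELIHOOD[self.likelihood] * self.impact()


def rank_risks(risks):
    """Return (name, score) pairs, highest score first: what to go after first."""
    return sorted(((r.name, r.score()) for r in risks), key=lambda pair: pair[1], reverse=True)


def risk_register(risks) -> str:
    """Serialize the analysis with its rationale so the thought process is on record."""
    rows = [
        {
            "risk": r.name,
            "likelihood": f"{r.likelihood} ({LIKELIHOOD[r.likelihood]})",
            "impact": r.impact(),
            "score": r.score(),
            "rationale": r.rationale,
        }
        for r in risks
    ]
    rows.sort(key=lambda row: row["score"], reverse=True)
    return json.dumps(rows, indent=2)


# Constructed sample risks for a hypothetical clinic.
SAMPLE_RISKS = [
    Risk("Shared EHR login among front-desk staff", "almost certain", "entire population", "partial record",
         "Observed daily; no individual accountability; every chart is reachable from that account."),
    Risk("Unencrypted laptop with patient export lost off-site", "likely", "thousands", "full record",
         "Laptops leave the building weekly; exports contain complete demographics and clinical notes."),
    Risk("Backup tapes stored in unlocked cabinet", "unlikely", "entire population", "full record plus financial",
         "Cabinet is inside a badge-controlled room; tapes hold the whole database including billing."),
    Risk("Fax with one patient's lab result sent to wrong number", "possible", "one individual", "limited",
         "Happens a few times a year; exposure limited to one result for one person."),
]

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"{score:3d}  {name}")
    print(risk_register(SAMPLE_RISKS))
```

The ordering that comes out (shared login first, lost laptop second, backup tapes, then the misdirected fax) is the "what do we go after first" list; the register with its rationale column is the documented thought process the rest of this talk keeps coming back to.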

Now, 164.308, the Administrative Safeguards, is really the first section where they talk about, “Here are the things that you should be doing to protect information.” In the first section of 164.308, (a)(1), they're asking, “Do you have a security management process in place?” And the first thing in there, the first specification of the Security Management Process, is that you have to have a risk analysis. You have to do an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic health information held by the covered entity.

You have to do a risk analysis. It is the first thing that they tell you to do, ahead of any other safeguards. A lot of organizations haven't done a thorough risk analysis, and now is the time. Because of the Stimulus Bill, there's a lot of increased enforcement: there are higher fines, and HHS, Health and Human Services, is now obligated to audit organizations.

Before, they were just doing complaint-based enforcement. And they discovered there really isn't much of a relationship between what the complaints were and what the problems were. So you really need to make sure that you have your risk analysis in place, because that's the first thing they're going to be looking for when they knock on the door and say, “Hey, how are you doing? We're here to audit you.”

There are going to be more healthcare audits. The money that they collect from fines will go back into doing more auditing. So not only are they directed to actually do these, they're actually going to have to put money into it. And as they do more of it, there'll be more money going into it.

So if you've been thinking, “Oh, they're not going to enforce the security stuff. I haven't heard about any of these problems,” better forget about that, because enforcement is coming and getting bigger all the time.

Also, as far as enforcement goes, the legislation makes it so that State Attorneys General can now bring actions under HIPAA. It's not just up to the Department of Justice; State Attorneys General can get involved as well. So if you're located in New York State, where you know how active your Attorney General is in pursuing these kinds of things, you had better watch out. You had better make sure you have your risk analysis done. This is an important thing.

Now, we've talked about risk analysis and risk assessment. Quite often these terms are used interchangeably. Remember that risk analysis is the big picture: understanding what the process is, what issues we have here, how we can balance the various risks across our organization, where the risk points are and how we make sure we're making the right decisions. It's really part of the planning process.

HIPAA risk assessment is the term we use when we are looking more at individual systems or information flows, where you want to understand more of the details of HIPAA compliance with good practices and things like that. When you're looking at an individual system, we usually use the term risk assessment. But when you're looking at the overall picture, that's risk analysis. You need to have HIPAA risk assessments as part of understanding what goes into your analysis, but they're really two different kinds of things.

Get more HIPAA training to side-step HIPAA breaches with AudioEducator.