Understanding your HIPAA Security and Risk Analysis
The Office for Civil Rights says a majority of providers are not complying.
By Wayne van Halem*
In the May 2018 issue of Impact, the compliance article discussed how to prepare for the Health Insurance Portability and Accountability Act (HIPAA) audits that were then being conducted by the Office for Civil Rights (OCR).
The program was designed with three distinct phases. Phase 1 began in 2012 as a pilot in which OCR assessed the internal controls and processes of 115 covered entities and how they complied with the HIPAA rules and requirements; these audits were conducted on site. As part of the pilot, OCR also evaluated its own audit process and developed enhanced protocols for the next round. Phase 2 consisted of audits of 200 to 250 covered entities (CEs) and business associates (BAs), conducted primarily as desk audits. We now find ourselves in Phase 3, in which OCR is compiling the results of the Phase 2 audits. The results so far are not looking good for providers, covered entities, or business associates, but we are learning a lot, which is ultimately a goal of OCR.
On May 1, the OCR released new information regarding a covered entity’s responsibility for completing an appropriate risk analysis. “Based on the dismal results that were achieved during the phase 1 and 2 audits of covered entities, it is clear there is still much confusion,” says Tom Meadows of HIPAAwise.
Let’s start by reviewing OCR’s random audit results. Over the last three years OCR conducted random audits of around 200 covered entities and business associates. A summary of those results [1] is shown in the OCR Audit Results chart.
Those audited included a variety of provider types and sizes across the country. The audits were primarily desk audits assessing the parts of your HIPAA compliance program discussed in the May 2018 article, most commonly your policies and procedures and your Security and Risk Assessment (SRA). Is the provider making appropriate efforts to comply with HIPAA requirements? The simple answer is that most are not, and we now have more information about where providers are struggling.
How do we know? Put in more familiar terms (on OCR’s audit rating scale, a “1” means fully compliant and a “5” means no serious attempt at compliance), not a single covered entity received a “1” on the risk analysis requirement, and only 14 percent received a “2.” More than half of covered entities received a “4” or a “5.” That is alarming. When we compare these results with the settlements and fines imposed on covered entities, every settlement over $1,000,000 involved the absence of a proper risk analysis. It is time to get serious about this requirement. It is not surprising, when working with a client, to find that they are not conducting an annual comprehensive risk analysis. Awareness and education are a big part of this OCR program, but with so few CEs and BAs in compliance the audits are not going away, and you must be prepared.
Roger Severino, director of the OCR, is all about enforcement. He took over under the new administration after these audits were completed. At the HIMSS18 conference, he famously told attendees, “I come from the Department of Justice Office for Civil Rights; I bring that mindset to [HHS] OCR. We’re still looking for big, juicy egregious cases” for enforcement. He made it clear as well that size of the provider does not matter, adding “this doesn’t mean that if you’re smaller and quiet” you will not fall under their radar.
“The HIPAA combined text is an enormous document that includes more than just risk analysis, such as policies and procedures, employee training, business associate agreements, to name a few. Because it is so extensive, many providers feel they have a little of everything but seem to consistently ignore completing a risk analysis,” says Meadows. The poor performance during the random audits has shown OCR that it needs to step up enforcement and, hopefully, awareness and education as well. The bottom line is that OCR learned from the audits that covered entities are not complying with the risk analysis component of the HIPAA rules. Fines can be calculated at as much as $1,000 per day for the period during which an appropriate risk analysis was not in place. OCR reported record-breaking fines totaling $25 million in 2016 and $19.4 million in 2017.
In its April 2018 newsletter, OCR went further and specifically discussed the difference between a risk analysis and a gap analysis, stressing that a gap analysis alone is likely not sufficient to meet your requirements under HIPAA because it does not provide enough information. According to OCR, “A gap analysis is typically a more narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect [electronic protected health information] ePHI, without engaging in the comprehensive evaluation required by a risk analysis.” [1]
Now is the time to look closely at the annual SRA process within your practice. Remember that in the results above, an overwhelming majority of covered entities are making between minimal and no effort to comply. If you are doing a risk analysis, is it comprehensive enough to meet the government’s requirements, or is it just a gap analysis that does not provide an accurate and comprehensive assessment of the risks to all of your ePHI? How would you respond if you received an audit request? If you are like most providers, your practice is exposed to fines and penalties that can cripple your business. Many private practices struggle to handle these processes internally; however, there is a wealth of resources available to assist providers with the SRA process. I think an error many providers, particularly smaller ones, make is believing they can do it alone, that they are doing enough to get by, or that they cannot afford outside assistance or guidance. Along with the wide variety of resources, there is a wide variety of options and pricing available to you. I am a firm believer that the experts out there should be used, and that people should not be afraid to ask for help, regardless of their knowledge or the size of their practice. You may also learn that some of the Security Rule’s addressable implementation specifications can be met differently, or documented as not reasonable and appropriate, given your practice’s size and resources; the risk analysis itself, however, is a required specification from which no covered entity is exempt. If you think you need help, you owe it to yourself to at least do some research and find a partner who can assist with this process. Even the most knowledgeable and experienced compliance professionals need to turn to outside experts on occasion.
Even if you believe you have everything required by the HIPAA Combined Text, the Phase 2 audit results suggest that you may, at a minimum, lack an acceptable detailed risk analysis. That is a good place to start, and honestly it takes a small amount of your time that could save you millions if you are wrong. As providers, we often look to the government to carry the responsibility for compliance, as it does in protecting the Trust Fund, for example. When it comes to securing our patients’ data, however, that responsibility lies squarely with those of us in the private sector who hold it. Roger Severino summed it up best when speaking about OCR at the HIMSS18 conference, saying, “We’re about increasing access to information” by patients. But in the meantime, entities who hold private health information “need to treat it like gold.”
Wayne van Halem, AHFI, CFE, is the founder and president of The van Halem Group in Atlanta, Georgia, which navigates complex issues related to audits, appeals, enrollment, and compliance. He can be reached at 404-343-1815.
* The author has a vested interest in the subject of this article.