The Importance of a Security Risk Assessment in HIPAA Compliance

By Paul J. Welk, PT, JD*

As a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), physical therapy private practices often find the compliance requirements of HIPAA to be overwhelming.

This article concentrates on one HIPAA compliance obligation, the security risk assessment, in an effort to assist practices in better understanding this requirement and performing the necessary assessment. The article then highlights a number of recent enforcement actions to illustrate the potential issues associated with failing to complete such an assessment.

In a September 18, 2020 press release, the Office for Civil Rights in the U.S. Department of Health and Human Services (OCR), announced the release of Version 3.2 of its Security Risk Assessment Tool (SRAT). For those not familiar with the SRAT, it was designed to assist small and medium sized health care organizations in the performance of a security risk assessment, which as noted above is a requirement under HIPAA Security Rule. The updated SRAT includes improved navigation, additional fields, the ability to export certain reports and summaries and an updated User Guide. In addition to the SRAT itself, the Office of the National Coordinator for Health Information Technology has produced a number of webinars that provide training and an overview of the SRAT as well as answers to a number of Frequently Asked Questions.¹ A number of recently announced OCR settlements illustrate in detail the importance of performing a security risk assessment and its role in HIPAA compliance.

On July 27, 2020, HHS issued a press release regarding a settlement of potential violations of the HIPAA Privacy and Security Rules by a health system related to the theft of an unencrypted laptop.² The laptop contained electronic protected health information including patients’ names, medical record numbers, demographic information, and medical information. OCR’s investigation identified systemic noncompliance with HIPAA including a failure to encrypt the laptop, a lack of device controls, and a failure to have a business associate agreement in place. For those that do not follow HIPAA enforcement trends regularly, lost or stolen electronic devices are a common theme.

On July 23, 2020, HHS announced a settlement with a health center related to the impermissible disclosure of protected health information to an unknown email account.³ OCR’s investigation revealed long-standing, systemic noncompliance with HIPAA, including the health center’s failure to conduct a risk analysis and implement policies and procedures. In addition, OCR noted that the health center failed to provide its workforce with security awareness training in a timely manner.

On September 21, 2020, OCR announced a settlement with an orthopedic clinic related to a hacker’s access to the clinic’s electronic medical record system. The PHI disclosed in this case included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information. In its investigation OCR noted long-standing, systemic noncompliance with HIPAA, including the failures to conduct a risk analysis and implement risk management and audit controls, maintain policies and procedures, secure business associate agreements, and provide training to its workforce. Of interest in its press release, OCR noted that “[h]acking is the number one source of large health care data breaches.”⁴

On September 23, 2020, a HIPAA business associate agreed to a settlement with OCR related to a cyber hacking group’s advanced persistent threats to the business associate’s information system, which affected over 6 million people. In its press release, OCR noted that it found long-standing, systemic non-compliance with HIPAA, including failure to conduct a risk analysis, and failures to implement access controls and security incident procedures.⁵

On September 25, 2020, a health insurer agreed to pay $6.85 million to OCR to settle potential violations of HIPAA that related to cyber attackers using a phishing scheme to install malware on the insurer’s IT system. The malware went undetected for nearly 9 months and resulted in the disclosure of more than 10.4 million individuals’ protected health information including names, addresses, social security numbers, dates of birth, email addresses, health plan clinical information and bank account information. In its investigation, OCR found systemic noncompliance with HIPAA, including failures to conduct a risk analysis and implement risk management and audit controls.⁶

It is clear from these examples that, despite the OCR’s development of the SRAT as an informative and helpful tool, the failure to perform a security risk assessment remains a very common theme in OCR settlements. See the references list for some of the resources available for physical therapy private practices to assist in completing a security risk assessment. In considering a private practice’s HIPAA compliance obligations, performing a security risk assessment is not only a legal requirement but also is a very important process to complete in order to best safeguard the protected health information of the practice’s patients. 

References:

¹Security Risk Assessment Tool. Health IT website. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool. Accessed October 2, 2020.

²Lifespan Pays $1,040,000 to OCR to Settle an Unencrypted Stolen Laptop Breach. U.S. Department of Health & Human Services website. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lifespan/index.html. Accessed October 2, 2020.

³Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements. U.S. Department of Health & Human Services website. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/metro/index.html. Accessed October 2, 2020.

⁴Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules. U.S. Department of Health & Human Services website. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/athens-orthopedic/index.html. Accessed October 2, 2020.

⁵HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals. U.S. Department of Health & Human Services website. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/chspsc/index.html. Accessed October 2, 2020.

⁶Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People. U.S. Department of Health & Human Services website. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/premera/index.html. Accessed October 2, 2020.

Paul J. Welk, PT, JD, is a Private Practice Section member and an attorney with Tucker Arensberg, P.C. where he frequently advises physical therapy private practices in the areas of corporate and health care law. Questions and comments can be directed to pwelk@tuckerlaw.com or (412) 594-5536.

*The author has a professional affiliation with this subject.