At 47 pages, the HIPAA Security Rule is not necessarily a long piece of federal legislation. But the concepts contained within it are both deep and broad, making compliance a tricky issue.
This may leave health care practices feeling lost when it comes time to conduct a HIPAA risk analysis every two years for HIPAA compliance and annually for meaningful use attestation. Without help navigating the issues that inevitably arise leading up to and during an analysis, providers may soon see their compliance efforts run aground.
The Security Rule, the most recent version of which can be found in the HIPAA Administrative Simplification Regulations, requires that covered entities "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information."
To make matters thornier, regulators don't always spell out specifics on how providers need to conduct risk analyses. The Security Rule seems to be purposely vague because it applies to large health systems as well as independent physicians and small group practices, and these providers carry very different risks. In many cases it is up to the covered entity to identify what needs to be looked at and addressed, so knowing where to start plays an important role in a successful risk analysis.
Asking for help is OK
One of the most common pieces of advice that IT security professionals give to providers is to seek help. Nicholas Heesters, health IT privacy and security specialist at Quality Insights of Delaware, the state's regional extension center, said that even the most well-intentioned providers may fail to conduct an effective risk analysis simply because they "don't know what they don't know."
The threats to protected health information are not as straightforward as some medical professionals may think. Heesters said it is not enough to use an electronic health record (EHR) system that has encryption capabilities, because data may become vulnerable at many different stages. In order to be compliant with HIPAA and meaningful use, practices need to account for all of these threats and take steps to minimize them once they have been identified.
For example, Heesters said that many older copy machines have built-in hard drives that store scanned document data. While this information must be protected, many physicians overlook this vulnerability because they're not security pros. This kind of scenario is why Heesters said practices may benefit from seeking outside help when conducting a risk analysis. IT security professionals are likely to spot many threats that clinicians would miss.
Robert LaPolt, director of network business applications and services at Bassett Healthcare Network, a regional system in upstate New York, said his organization works with an outside security partner to help hospitals and ambulatory practices identify security risks. These professionals help internal hospital IT staffs diagnose vulnerabilities and recommend patches.
This type of approach is important, LaPolt said, because it is the covered entity's responsibility to ensure that data is protected. Technology changes frequently, and providers need to be aware of new risks upgrades may introduce.
"Ultimately it's the responsibility of the hospital to ensure that the data and the systems are safe," he said. This means that a security risk analysis is not simply a box that needs to be checked off. It is something that requires time and resources to ensure it goes smoothly.
Get a risk analysis done early and often
HIPAA requires that providers maintain "current" risk analyses. LaPolt said that one way to understand this requirement is that covered entities should review their security measures any time something in the security environment changes. This could be when an EHR system is upgraded, a new piece of software is added or a wireless access policy changes.
With the world of health IT regulations constantly evolving, it's hard to imagine that a practice would go for very long without making any major changes that affect security. But even if there are no significant changes, Heesters said that practices should not go more than one year without updating their risk analysis.
"You wouldn't want to go too long because it has to be kept current," Heesters said. "If it is kept current then it would be a matter of updating that existing risk analysis with any new risks."
Ali Pabrai, chairman and chief executive at ECFIRST, an information security and compliance firm, agreed that risk analyses should be completed annually for several reasons, first and foremost because the number of threats to data is growing. This includes attackers from both inside and outside of organizations. Moreover, compliance audits are becoming more common.
Encryption a large part of HIPAA risk analysis
Heesters said that data encryption is one of the most important things providers should look for when conducting risk analyses. If the review finds any point at which data is not encrypted, providers should take steps to resolve this issue.
The HIPAA Security Rule does not specifically require that data be encrypted. Data encryption is considered an "addressable" specification, which means that providers must assess whether it is reasonable and appropriate for their practice and then either implement the specification or document why it is not appropriate.
Even though not every practice may be required to encrypt data, Heesters said the majority still should. This is because encryption is the easiest way to prevent a breach, and the cost of implementing encryption is generally less than the expenses associated with the loss of unencrypted data. Those expenses may include conducting a breach analysis, contacting affected patients and providing credit monitoring, Heesters said.
"That's a pretty attractive incentive to pursue encryption technology, because if there is a breach it can be pretty expensive to recover from," Heesters said. "It certainly is cheaper to do that on the back end and trying to avoid going down that road in the first place."
Furthermore, LaPolt said that meaningful use provisions for data encryption go beyond what is required under the HIPAA Security Rule. Stage 2 regulations require that backed-up data be encrypted. The meaningful use rules also require that practices complete a risk assessment within their reporting period, which means that the covered entity needs to have at least gauged whether encryption is appropriate at some point during the reporting period.
Ultimately, Heesters and Pabrai agreed that covered entities are largely on their own when it comes to determining what is important to look at in a risk analysis, how often it should be conducted and how to address threats. But by following best practices and looking for help whenever necessary, providers can ensure that their risk analysis goes smoothly and enhances data security.