October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.
Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.
“An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches,” stated ONC and OCR in their joint news release on the updated SRA Tool. Healthcare and non-healthcare organizations are increasingly seeing a similar risk assessment requirement under a growing body of state law, such as in California, Colorado, Massachusetts, New York, and Oregon.
Recognizing that conducting this enterprise-wide risk analysis can be a challenging task, the ONC and OCR developed a downloadable SRA Tool in 2014 to help covered entities and business associates identify risks and vulnerabilities to e-PHI. According to ONC and OCR, the October 2018 update to the SRA Tool improves usability and expands its application to a broader range of health data security risks. Still, the SRA Tool may not be the right fit for small and midsized covered entities and business associates. In fact the HIPAA Security Rule contemplates that covered entities and business associates may use any security measures that reasonably and appropriately implement the standards and implementation specifications. In doing so, they may take into account certain factors about their organization: (i) size, complexity, and capabilities, (ii) technical infrastructure, hardware, and software security capabilities, (iii) costs of security measures, and (iv) probability and criticality of potential risks to electronic protected health information.
Use of the SRA Tool is not required by the HIPAA Security Rule, and its use alone does not mean that an organization is compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. However, it may help organizations in their efforts to comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments. Notably, while the SRA Tool may provide a basic outline for the risk assessment process, it does not provide substantive legal guidance as to how a covered entity or business associate is to navigate between the various standards that are either “required” or simply “addressable.” While completing a risk assessment is a requirement under HIPAA, organizations should seek guidance from legal counsel as to how to complete such an assessment and how to develop and implement appropriate safeguards based on the results of the assessment. Failing to do so could create significant liability for your organization.
Failing to conduct regular risk assessments could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the OCR.