Do not underestimate the importance of a HIPAA risk assessment.
That’s one insight to emerge from the latest HIPAA penalties announced by the Office of Civil Rights (OCR) this month.
OCR is the federal department responsible for enforcing the healthcare data security regulations known as HIPAA.
In the first week of November, OCR announced two big HIPAA penalties:
- Nov. 5 – $3 million settlement was reached with the University of Rochester Medical Center (URMC) for HIPAA violations in 2013 and 2017.
- Nov. 7 – a civil penalty of $1.6 million was imposed against the Texas Health and Human Services Commission (TX HHSC) for HIPAA violations between 2013 and 2017.
What do both cases have in common?
Neither organization performed an adequate risk assessment beforehand, according to press releases from OCR’s parent department, the U.S. Department of Health and Human Services (HHS).
HIPAA Violation: Lost Drive & Laptop
The violations at URMC included the loss of an unencrypted flash drive in 2013 and the theft of an unencrypted laptop in 2017.
An OCR investigation found the organization also failed to:
- Conduct an enterprise-wide risk analysis
- Implement security measures to adequately reduce risk and vulnerabilities
- Implement device and media controls
- Encrypt and decrypt electronic protected health information (ePHI) when appropriate
This resulted in a $3 million “settlement”, i.e. penalty, to be paid by URMC.
This wasn’t URMC’s first tango with OCR. The organization had been investigated in 2010 for the loss of an unencrypted flash drive, according to a HHS press release.
Apparently, that prior investigation, and URMC’s prior acknowledgement that its failure to encrypt ePHI was risky, were not enough to motivate the organization to change course.
HIPAA Violation: Insecure Web Application
The breach at TX HHSC occurred when one or more employees moved an internal application from a private, secure server to a public one.
The application included a security flaw and the ePHI of more than 6,600 patients. When moved to a public server, the flaw exposed those records to the world.
Due to a lack of audit controls, the organization also had no way of knowing the number of unauthorized parties who accessed the ePHI, according to a HHS press release.
The department responsible for the breach filed a report with OCR in 2015. This triggered an investigation, which revealed the organization also failed to:
- Conduct an enterprise-wide risk analysis
- Implement access and audit controls as required by HIPAA
OCR imposed a penalty of $1.6 million last month. TX HHSC apparently did not contest the findings and waived its right to a hearing.
No Risk Assessment = Bigger Penalty?
Penalties of $3 million and $1.6 million – for a couple lost drives and a software flaw? Well, not exactly.
The negligence of each organization – their failure to conduct risk assessments and enact adequate controls – undoubtedly contributed to the penalties they received.
An argument that you didn’t have the time or resources to conduct a good risk assessment is likely to fall on deaf ears if the OCR is digging through your company after a breach.
If you’re required to comply with HIPAA, then you are required to regularly complete a risk assessment.
Will failure to complete an assessment result in a greater penalty? We cannot say for certain, but it certainly will not help and might even make a breach more likely.
Free HIPAA Risk Assessment Tool
OCR’s website lists seven resolution agreements for 2019 so far. These are civil penalties, settlements, etc. for HIPAA violations.
In five of the seven cases (71%), the breached organization did not conducted an adequate risk assessment (or any) beforehand.
The tool is designed for small and medium organizations and is free to download (updated version is for Windows only).
It walks users through a series of modules and questions to help evaluate and document potential threats and vulnerabilities to ePHI in their organizations.
A good overview of the tool and its workflow is provided in a slide deck on HealthIT.gov.
In short, users enter lists of important items, such as assets, vendors, and business associates. Items can be entered manually or uploaded via CSV.
A series of questions walk users through the process of identifying threats and vulnerabilities, scoring their likelihood of occurring, and their impact if they occurred.
A summary report provides risk scores, areas for review, and a total number of vulnerabilities identified as applicable to the organization.
The tool is worth a look – especially for smaller healthcare organizations and their IT providers.
Whether you use the tool or not, one way or another, you must complete a security risk assessment to comply with HIPAA.