Myth-busting HIPAA Risk Assessment Requirements
Wednesday, August 7, 2019 9:00 AM
Health care data breaches are in the news more and more frequently, as hackers become more sophisticated in their ability to bypass information technology (IT) security, access electronic health records, and steal protected health information (PHI). Unlike a compromised debit or credit card — which can be resolved with account suspension and the issuance of a new number — PHI contains sensitive personal information such as names, dates of birth, Social Security numbers, and health insurance ID numbers that cannot be reissued.
To prevent such data breaches, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to perform a risk assessment of their health care organizations. In addition, the Quality Payment Program (QPP) requires a security risk analysis in which practices attest to having performed a risk assessment.
Despite their increased necessity, a few urban myths still surround security risk assessment requirements. I dispel some of the most prevalent ones below.
Myth #1: Small providers do not have to perform risk assessments.
All health care providers are required to perform a HIPAA security risk assessment as a covered entity, regardless of practice size. This is true even if your practice opts to use paper patient charts over electronic medical records. Remember, as a covered entity, every practice must comply with the administrative, physical, and technical safeguards within the HIPAA rule.
Myth #2: If your electronic health record (EHR) is certified, you have fulfilled the requirement for the QPP.
It’s true that those participating in the 2019 Medicare Promoting Interoperability Program — which is part of the QPP — are required to use the 2015 edition of certified electronic health record technology (CEHRT). However, having the correct edition does not provide risk analysis for all the other electronic transactions and connections that exist in your practice and therefore doesn’t fulfill the QPP requirement.
Myth #3: Your EHR vendor provides your risk assessment.
Whether your practice has internal or external IT support, a risk assessment must take place. To aid you, there are many free and helpful tools available to facilitate a thorough analysis of all electronic systems. In some cases, using an outside vendor may be helpful to ensure compliance with the requirements. Remember — diagnostic equipment, computers, servers, laptops, and cellphones (just to name a few) should be included in the compliance analysis.
Myth #4: If you have completed a standard checklist, you have fulfilled the requirement.
Completing a checklist is a good start to ensure you have looked at all the possible compliance issues for your practice. However, that is just the first step; you must follow up by ensuring everything is compliant, and if a weakness or vulnerability is found during the assessment, it must be addressed and documented.
Myth #5: If you have completed the risk assessment once, you can use it every year thereafter.
As with general compliance training, a risk assessment should be performed each year. The increased number of reported data breaches is proof that cyberattacks are active and we must remain vigilant. Doing so can ensure that reasonable assessments and precautions are being taken to keep PHI secure.
Safeguarding PHI is more important than ever as technology continues to transform how information is shared in the medical space. Therefore, you must do your part (i.e., perform security risk assessments) to ensure such data is secure and well-protected from those who do not have authorization to access it.