Two paths to ensure HIPAA compliance

While the desire to protect patient data should be enough motivation to appropriately secure protected health information (PHI), healthcare organizations—especially providers—can also experience significant penalties for noncompliance with HIPAA regulations, with fines ranging from $100 to $1.5 million.

Unfortunately, these violations are not uncommon. In 2020, the Office for Civil Rights (OCR) imposed financial penalties for Right of Access violations that ranged from $15,000 to $160,000; for Security Rule violations, penalties ranged from $25,000 to $6.8 million. Healthcare IT leaders aren’t blind to the fact that protecting PHI should be high on their to-do lists. According to a recent national survey of stand-alone providers and provider offices, the top IT and compliance concern is protecting patient information.

However, providers still fall short in this area. Studies show there are several contributing factors:

• There is no such thing as a HIPAA certification, and to a degree, compliance with the HIPAA Privacy and Security Rules can be somewhat subjective. As a result, senior management may not know their level of exposure.
• Healthcare has been, and continues to be, a prime target for cybercrime because it houses a treasure trove of data. But it typically lags other industries in spending on information security controls.
• Many healthcare organizations—especially small ones—have limited staff and expertise in data privacy and security, as well as in implementing the associated controls.

It is a perfect storm—with cyberattacks increasing in frequency and sophistication, regulations and fines for noncompliance growing every year, and an ever-widening gap in skilled resources. While breach of PHI can be due to phishing attacks, hijacked websites, computer viruses, Wi-Fi hacking, and other external factors, healthcare providers are also particularly susceptible to insider threats.

How can providers get a jump on safeguarding PHI effectively and ensure they are in compliance? The first step is to conduct a risk assessment—or, if time and resources permit, a Health Information Trust Alliance (HITRUST) readiness assessment.

What is a risk assessment?

A security risk assessment is a comprehensive look at an organization’s security posture and structure. It aims to uncover potential threats and vulnerabilities within the IT ecosystem, and it can assure the confidentiality, integrity, and availability of electronic PHI.

Conducting a security risk assessment aimed at HIPAA compliance is an essential step to keep PHI safe and avoid breaches and associated penalties. For all organizations storing or processing PHI, regular assessments (at least annually or when there is a major change to the IT environment) are essential.

A risk assessment is also a critical factor in determining whether an implementation specification or an equivalent measure is reasonable and appropriate. Risk assessments can do more than just help organizations stay compliant; they can help providers and others who have access to PHI address possible vulnerabilities outside of, and beyond, the regulations.

In addition, they can assure healthcare organizations that their third-party vendors are taking appropriate measures to close vulnerabilities and mitigate risks. Recent high-profile breaches of third parties (e.g., SolarWinds, Elekta) have demonstrated the risks to healthcare organizations through linked systems, as well as the need to have an effective third-party risk management program.

While compliance with regulations is mandatory, an effective privacy program is not enough to protect an organization against data breaches. A more effective option for providers is to adopt a risk-based approach to security that performs a holistic assessment of the threats facing the organization and the vulnerabilities in its current operating environment.

HIPAA risk assessment template

While there isn’t an official risk analysis method, the Department of Health and Human Services (HHS) provides guidelines to ensure that the risk assessment meets its ultimate goal: to help organizations understand how their technologies and strategies line up with HIPAA Security Rule requirements and implement the necessary security measures. Although foundational to the overall security posture of the organization, the risk assessment is an item that many organizations overlook. HHS lays out the following aims of a HIPAA risk assessment:

• Determine scope. The analysis needs to encompass all forms of e-PHI that the organization creates, receives, maintains, or transmits.
• Collect data. This includes where and how e-PHI is generated, stored, accessed, and disposed. Don’t overlook e-PHI collected, maintained, and transmitted by third parties.
• Identify threats and vulnerabilities. This means any potential sources that could impact the confidentiality, integrity, or availability of e-PHI.
• Assess likelihood of threat. Assess the probability that each identified threat could occur, based on the organization’s current security measures.
• Assess impact of threat. For each identified threat, assess the impact of its occurrence (i.e., level of damage to the organization). Assessment methodology can be qualitative, quantitative, or a hybrid of both.
• Assess level of risk. This is typically performed by calculating the average of the likelihood and impact of the threat occurrence as determined in the previous two steps.
• Document. Clearly document the findings of the previous steps in a clear and easy-to-understand format. Ensure that the findings are stored and archived for an appropriate amount of time (typically six years).
• Monitor and update. The risk assessment should be reviewed at least annually. In addition, HIPAA requires new assessments when significant changes occur to the environment.

HITRUST assessment

As cybersecurity breaches become more prevalent and costly and consume ever-increasing resources to address, large healthcare entities are requiring their vendors (and in some cases, providers) to become HITRUST-compliant or certified. There is no question that every healthcare organization that stores or exchanges PHI or other sensitive information with a business associate must ensure that information is appropriately safeguarded. In the past, third-party organizations have signed business associate agreements or verbally committed that they were HIPAA compliant and had adequate information security controls in place. Some may have provided compliance reports or signed attestations to demonstrate compliance.

The challenge is that a healthcare organization cannot be “certified” as HIPAA compliant. As an alternative, organizations have had to use an internal resource to perform a self-assessment against the HIPAA requirements or hire an external assessor.

Although a HIPAA risk assessment is a good start for a provider to understand and correct data integrity shortfalls, it is only as good as the firm completing the assessment and is based on the subjective opinion of that firm. Additionally, the assessment can range in cost from very little to quite expensive.

On the other hand, HITRUST certification is based on an objective set of criteria/controls that can assure a provider’s partners and consumers that the PHI is well protected. A HITRUST assessment is as close as a healthcare organization can come to certifying that it is fully HIPAA compliant.

HITRUST: Then and now

In 2007, a consortium of healthcare organizations formed the HITRUST Alliance, a nonprofit focused on making information protection a core pillar of healthcare information systems and exchanges. It was created to address specific challenges, including concern over breaches, numerous—and sometimes inconsistent— requirements and standards, compliance issues, and the growing risk and liability associated with information security in the industry.

An increasing number of organizations—including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group—now require their vendors to obtain HITRUST certification as a means of demonstrating effective security and privacy practices aligned with industry requirements. HITRUST estimates that approximately 7,500 currently contracted organizations will need to become certified within the next 24 months.

As of March 2022, the Provider Third Party Risk Management Council (PTPRM), which promotes best practices for managing information security-related risks in supply chains and safeguarding patient information, is now requiring its vendor partners to complete a HITRUST i1 Validated Assessment.

Today, for most vendors and providers intending to contract with a large healthcare organization, obtaining HITRUST certification is an essential component. However, as this certification becomes routine, it should not be confused with ensuring that a vendor or provider is meeting federal and state operational requirements or meeting the Office of Inspector General-HHS Compliance Program Effectiveness standard. An organization’s compliance officer or legal counsel should be consulted regarding the full range of regulations that apply.

HITRUST assessment process

The assessor firm uses the HITRUST Common Security Framework (CSF) and leverages its knowledge in the areas of healthcare regulatory compliance, information technology, risk consulting, and cybersecurity to help the client prepare for attaining a validated assessment. The HITRUST journey to certification is typically divided into three parts:

Step 1: Readiness assessment

The assessor firm works with the client to determine the scope of the readiness assessment, set expectations, identify responsibilities, and define the project schedule. The assessor and client will identify the relevant components of the system (“system boundaries”) to be assessed, including:

1. Infrastructure
   • The size of client
   • Systems and applications included in the environment
   • Where and how data is hosted
   • How the client and its customers are accessing the data
2. Governance structures
3. Maturity of policies and procedures
4. Data
   • How data is hosted
   • How the client and its customers access the data
   • Volume of data stored in the system

During the readiness assessment, the assessor firm utilizes the HITRUST myCSF tool to examine the client’s control environment—based on the documentation provided and information gathered from interviews—to identify policy, process, and control gaps that require remediation.

Step 2: Remediation

For every major gap identified in the control environment, the assessor firm—in collaboration with the client and using the HITRUST myCSF tool—documents a remediation plan. This is a corrective action plan that will serve as a roadmap in achieving a validated assessment.

The remediation phase can either be an expensive and time-consuming process or relatively quick. This depends on how well the client currently stores and shares PHI. If a client knows that its data integrity process needs significant work, it may be better to have an outside adviser improve the privacy and security posture before starting a HITRUST assessment.

Step 3: Validated assessment

After the readiness assessment, entities can complete a HITRUST validated assessment with the help of a qualified HITRUST CSF external assessor.

Until recently, the HITRUST CSF Validated Assessment— which provides a more rigorous evaluation of security risks with the highest assurance—was the go-to. It is now called the HITRUST r2 Validated Assessment and still addresses HITRUST CSF compliance for organizations that prefer a more rigorous assessment.

However, if the client has a moderate security risk profile, the recently created HITRUST i1 Validated Assessment can meet its security needs. Working with a leading assessor firm will help the client determine which assessment best suits its needs.

Risk assessment tools for HIPAA compliance

Although a HITRUST assessment is a more objective standard, it can be costly and time consuming. As an alternative, there are several toolkits available for smaller or less-mature organizations that want to assess their own HIPAA compliance and security practices around PHI. These include:

• HHS website. This offers guidance on HIPAA risk analysis and provides a wealth of information for small organizations to perform a risk assessment on their own.
• NIST HIPAA Security Toolkit Application. Developed by the National Institute of Standards and Technology (NIST), this tool assists organizations with understanding the HIPAA Security Rule and how to implement administrative, physical, and technical safeguards to meet its requirements.
• HIPAA Security Risk Assessment (SRA) Tool. This was jointly developed by the Office of the National Coordinator for Health Information Technology and the HHS Office for Civil Rights.

It can be difficult—especially for small providers with limited resources—to ensure that an in-house security team has conducted a thorough audit. This is where a third-party risk assessment can prove helpful. By tapping an outside source to conduct the assessment and provide actionable feedback, the provider can ensure that the assessment touches all areas where PHI could be lurking and can get help in closing security gaps in a timely manner.

Final thoughts

Many small medical practices have been investigated by the Office for Civil Rights and subjected to HIPAA audits. Still, numerous healthcare organizations—as well as their business associates—overlook the need to conduct a risk assessment from a HIPAA privacy perspective, which is as important as conducting a security risk assessment.

Cybersecurity and data protection should be top of mind for healthcare organizations. It is essential to reassess current cyberattack prevention measures on a periodic basis (at least annually, or when there are significant changes to the environment). Becoming HITRUST-certified is only one part of a complex cyber protection puzzle, so it is essential to consult with an adviser to ensure you are effectively protecting your patients’ data.

Ready to get started?

Contact us

This article was originally published in The Journal of America’s Physician Groups, Volume 16, No.1, Spring 2022

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.