HIPAA Risk Assessment for Covered Entities and Business Associates
The requirement for Covered Entities and Business Associates to conduct a HIPAA risk assessment is not a new provision of the Health Insurance Portability and Accountability Act. The requirement was first introduced in 2003 in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process), and subsequently extended in the HITECH Act 2009 to cover the procedures following a breach of unsecured PHI to determine if there is a significant risk of harm to an individual due to the impermissible use or disclosure.
The Failure to Conduct a HIPAA Risk Assessment Can be Costly
The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of protected health information (PHI) and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing that Covered Entities and Business Associates have a legal obligation to protect PHI.
More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard patients' personal information. Many of the largest fines – including the record $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI exist.
However, since the start of the second round of HIPAA audits, fines have also been issued for potential breaches of PHI. These are where flaws in an organization's security have not been uncovered by a HIPAA risk assessment, or where no assessment has been conducted at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.
It's Not Just Medical Organizations in the Firing Line
Every Covered Entity that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements of the HIPAA Security Rule. This condition of HIPAA compliance does not apply only to medical facilities and health plans. Business Associates, subcontractors, and vendors must also conduct a HIPAA risk assessment if they or their systems have contact with ePHI. As with Covered Entities, OCR can issue fines against Business Associates for non-compliance, including for potential breaches of PHI.
OCR treats these risks seriously. In December 2014, the department revealed that 40% of all HIPAA breaches involving an exposure of more than 500 patient records were attributable to the negligence of Business Associates. In June 2016, it issued its first fine against a Business Associate, with the Catholic Health Care Services of the Archdiocese of Philadelphia agreeing to pay $650,000 following a breach of 450 patient records. The non-profit organization had not conducted a HIPAA risk assessment since 2013.
Resource – HIPAA Journal