As you might know, HIPAA has very specific requirements that may apply to your organization if you are a covered entity under HIPAA, work with health information that came from a covered entity, or receive health information that a covered entity authorized you to receive. This tangled web is pulling in more and more entities. For example, if you sell candy canes, a hospital may ask you to mail these to some of their patients. Believe it or not, once the hospital provides the mailing list and addresses to the candy manufacturer, that manufacturer becomes subject to HIPAA privacy. If that entity prints this data and disposes of it using a confidential trash collection service, that disposal company can also be subject to HIPAA.
Understanding HIPAA can be complex. Understanding various risks under HIPAA can be even more complex. This blog item will focus on three different "risks" under HIPAA.
A HIPAA risk analysis is found in HIPAA section 164.308(a)(1)(ii)(A). It is considered one of the foundational building blocks of any HIPAA security program. HHS, the federal agency in charge of HIPAA privacy and security, may sometimes refer to this as a risk assessment. The risk analysis requires entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity. Elements of a proper risk analysis include identifying where all your protected information is, where it comes from, what protections you have in place, and what the human, natural and environmental threats to your data are.
The risk analysis will actually help entities understand and evaluate other HIPAA compliance obligations and what they should do about them. For example, the bigger the risk, the more protections may be needed to meet the "reasonable and appropriate" standard under HIPAA. In simple terms, this analysis will help entities determine several related areas of HIPAA compliance, including personnel screening, data backup, encryption, authentication, and transmission protections.
Your risk analysis should be documented and subject to periodic review. It is not a one-time process.
Once your risk analysis is complete, a HIPAA risk management program must be established under HIPAA section 164.308(a)(1)(ii)(B). The risk management process can be seen as the response to the risk analysis: reducing risk to a reasonable and appropriate level and maintaining that level over time.
Big picture, the risk management program will respond to different levels of risk with measures that "fill the gaps" to reduce that risk. This part of your program can include: updating technology, new policies or procedures, new processes, new training, etc. Just like the risk analysis, these mitigation techniques should be documented and subject to periodic review as well.
Last but not least, a HIPAA risk assessment will be needed any time there is improper acquisition, access, use or disclosure of protected information subject to HIPAA. Some entities may refer to this as a breach assessment; these assessments are used to determine when breach reporting is required under HIPAA.
In simple terms, almost any impermissible event(s) with protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of what happened. These risk assessments should include: (1) the nature and extent of the information involved, including the types of identifiers and the likelihood of re-identification; (2) who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.
It is important to note that breaches can occur without proof of access, meaning people do not have to actually see the information. If protected information is left unprotected, that can be a breach on its own. Additionally, a breach can occur even though no entity violated HIPAA (e.g. theft). This risk assessment helps entities analyze when or if the breach is reportable, and the entire process should be documented. If you are a large entity covered by HIPAA, you should have performed one of these already unless you operate in a mistake-free world.
Understanding these "risks" can be challenging, but it is extremely important for entities. If you need assistance with any of these requirements or HIPAA generally, please contact Kinney & Larson LLP.