Some of the most famous people of our past constantly encourage us to take risks to further ourselves and create more opportunities. We think about these quotes when big decisions are being made in all aspects of our lives. But then we have to stop and think – some risks may be worth taking to better a community, organization, or person; however, the risk of not doing something so vital to an organization, such as a HIPAA Risk Analysis, can be detrimental and can cause an organization to have a data breach or lose valuable patient information needed to support patient care. In the words of Warren Buffett, “Risk comes from not knowing what you are doing.” If you apply that concept to the management and protection of patient information, risk comes from not knowing how you are protecting patient information, not knowing the security safeguards at your organization, and not knowing where patient information is being stored or how it is being transmitted. At the HIMSS 2015 conference in Chicago, IL, many of the speakers discussed the importance of knowing where information exists and what is being done with that information in the normal course of business.
One process that is meant to create the baseline understanding of the current areas of risk for a healthcare organization, and that is required by the HIPAA Security Rule, is the HIPAA Risk Analysis. In a 2014 study conducted by NueMD, out of 1100 physician practices, only 33% were confident that a HIPAA Risk Analysis had been completed for their organization. In his article, Gruessner (2015) discussed that 22% of eligible providers and 5% of eligible hospitals are failing audits from the Meaningful Use program. Previous documentation shows that not properly conducting a HIPAA Risk Analysis is a top reason for the failure of these audits (not the only reason – many others exist). Out of the 23 fines that have been assessed to healthcare organizations since 2009 for data breaches, 15 of the 23 resolution agreements clearly stated that risk assessment was one of the non-compliance areas evaluated for the amount of the fine. It is clear that many organizations are not doing the HIPAA Risk Analysis – but is it worth the risk? Are you willing to take your chances with non-compliance with HIPAA, a large data breach, a million-dollar fine from the Office of Civil Rights, and potential class action lawsuits? The answer for all healthcare organizations should be NO! The risk of not doing the risk analysis is not worth it.
There are many different ways to conduct a risk analysis – there is no right or wrong way! In 2010, the Office of Civil Rights recommended the following steps to conduct the risk analysis:
- Define the Scope of the Analysis
- Define the Data Collection Process
- Identify and Document Potential Threats and Vulnerabilities
- Assess Current Security Measures
- Determine Likelihood of Threat occurrence
- Determine Impact of Threat occurrence
- Determine Level of Risk
- Finalize Documentation
Check out the detail of the guidance at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
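The eight steps above are easier to carry out consistently when they are recorded in a simple risk register. The following is an added example, not part of the original post or of the OCR guidance: it models each step as data (in-scope assets and where their ePHI is stored and transmitted, threat/vulnerability pairs, current controls, likelihood and impact ratings), derives a risk level, and produces the written documentation. The 1-3 rating scale, the likelihood × impact scoring, the thresholds for low/medium/high, and every asset and threat listed are constructed assumptions for illustration; a real register uses the organization's own scale and findings. A small `with_control` helper shows how a mitigated risk is re-scored, as the next paragraph describes.

```python
"""Minimal HIPAA risk-analysis register following the eight OCR steps.

Added illustration; all sample data and the rating scale are constructed
assumptions, not OCR's own method or any organization's real findings.
"""
from dataclasses import dataclass, replace

# Assumed 1-3 scale for both likelihood and impact.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class EphiAsset:
    """Steps 1-2: an asset in scope and what data collection found about it."""
    name: str
    stored_where: str
    transmitted_how: str
    in_scope: bool = True  # False means the asset holds no ePHI


@dataclass(frozen=True)
class Risk:
    """Steps 3-6: one threat/vulnerability pair against an asset."""
    asset: EphiAsset
    threat: str
    vulnerability: str
    current_controls: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

    def score(self) -> int:
        """Step 7: numeric risk = likelihood x impact (assumed scale, 1..9)."""
        return RATING[self.likelihood] * RATING[self.impact]

    def level(self) -> str:
        """Step 7: bucket the score into a level (assumed thresholds)."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def build_register(risks: list[Risk]) -> list[Risk]:
    """Keep only in-scope assets and rank the highest risk first."""
    in_scope = [r for r in risks if r.asset.in_scope]
    return sorted(in_scope, key=lambda r: (-r.score(), r.asset.name, r.threat))


def with_control(risk: Risk, new_control: str, new_likelihood: str) -> Risk:
    """Re-score a risk after a mitigating control is added (residual risk)."""
    controls = f"{risk.current_controls}; {new_control}"
    return replace(risk, current_controls=controls, likelihood=new_likelihood)


def document_register(register: list[Risk]) -> str:
    """Step 8: the written record, one line per risk, ranked."""
    header = "asset | stored | transmitted | threat | vulnerability | controls | L | I | score | level"
    lines = [header]
    for r in register:
        a = r.asset
        lines.append(
            f"{a.name} | {a.stored_where} | {a.transmitted_how} | {r.threat} | "
            f"{r.vulnerability} | {r.current_controls} | {r.likelihood} | "
            f"{r.impact} | {r.score()} | {r.level()}"
        )
    return "\n".join(lines)


# Constructed sample inventory and findings (not real systems).
EHR = EphiAsset("EHR database", "on-premises database server", "TLS to clinic workstations")
LAPTOPS = EphiAsset("clinician laptops", "local disk", "VPN to the clinic network")
WEBSITE = EphiAsset("public marketing website", "hosted CMS", "HTTPS", in_scope=False)

SAMPLE_RISKS = [
    Risk(LAPTOPS, "lost or stolen device", "disk not encrypted", "asset tags only", "high", "high"),
    Risk(EHR, "ransomware", "backup restores never tested", "nightly backups, antivirus", "medium", "high"),
    Risk(EHR, "inappropriate access by staff", "shared logins", "audit logging", "medium", "medium"),
    Risk(EHR, "fire in server room", "single site", "sprinklers, off-site backup copy", "low", "low"),
    Risk(WEBSITE, "defacement", "unpatched CMS plugin", "vendor patching", "high", "low"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    print(document_register(register))
    mitigated = with_control(register[0], "full-disk encryption with MDM enforcement", "low")
    print(f"\nresidual: {mitigated.asset.name} -> score {mitigated.score()} ({mitigated.level()})")
```

Running the module prints the ranked register with the out-of-scope website excluded, then the residual score for the top item once a control is recorded; the point is that the same record answers the three questions the post raises (where ePHI is, how it is protected, and what is still unknown or unmitigated).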
After the risk analysis is completed, an organization should spend time evaluating and implementing security controls to mitigate the risks and reduce the likelihood of occurrence. It is important that as risks identified in the risk analysis process are mitigated, the healthcare organization should assure
Are you willing to take the risk of not conducting a regular risk analysis? All answers should be NO! The time is now – follow the famous words of Warren Buffett – understand what you don’t know, mitigate the risks that you have, and protect the privacy and security of patient information!