Practices Have Latitude in Addressing Security Risks
Practices can either make changes to mitigate these risks, find an alternative solution, or choose not to make changes and accept the risk.
Conducting annual risk assessments and dispositioning what will be done in response to each of the identified risks, are an important part of complying with HIPAA regulations. Practices do not necessarily have to meet every single standard, however. HIPAA specifies which implementation specifications are “required” versus which are “addressable.” Implementation specifications that are required, such as the annual security risk analysis, are similar to a standard in that all physicians and other covered entities must conduct an annual risk analysis in accordance with the Security Rule. Implementation specifications that are “addressable” allow practices to determine if addressing each one is reasonable and appropriate given a practice's specific circumstances.
Whether a risk assessment is completed in-house or through an external organization, the individuals conducting the assessment need to sit down with the practice's decision makers and review all of the identified risks, said Theresa Wilkes, a medical informatics strategist for the American Academy of Family Physicians. Practices must then disposition how they choose to address each identified risk by either making changes to mitigate these risks (often by putting administrative, physical, or technical safeguards in place), finding an alternative solution (such as purchasing cybersecurity insurance to insure against the risk), or in some cases by choosing not to make changes and accept the risk after carefully analyzing (and documenting) what is reasonable and appropriate given their circumstances. For instance, if a practice looks into purchasing cyber security insurance and finds it is cost prohibitive, the practice can choose to take the risk of not buying it.
The federal Office for Civil Rights (OCR) does not consider a risk assessment complete until health providers have looked at each identified risk and determined how the risk will be mitigated, or not, Wilkes said. This process needs to be documented. If a hard copy of the risk assessment is available, it should be signed and dated by the authorized person in the practice. If the assessment has been done online, a screen shot with the date and time it was completed is required.
Physicians and other providers should recognize that the law was written so covered entities and practices have some autonomy on how to address each item that best works for their practice, Wilkes said. “This doesn't have to be overwhelming,” she said. “You need to set it up so you are identifying what is reasonable and appropriate given your practice, then document that decision making.” If decision making on how an identified risk will be dispositioned is not documented, it is deemed not to have occurred and rationale is then not recorded to support the practice in the event of an audit.
The Department of Health and Human Services (HHS) has a security risk assessment tool (www.HealthIT.gov/security-risk-assessment) that can help. The HHS tool will assist individuals as they go through the results and help them understand how to address each risk depending upon the practice, Wilkes said.
The tool is mostly user friendly, but not frustration-free. She loosely compares use of the SRA tool for risk assessment to use of tax preparation software for tax returns, noting it makes the process achievable by an individual but it can be necessary to read many of the pop ups stating whether or not an issue is required versus addressable, and what administrative, physical or technical safeguards might help mitigate a particular kind of risk.
OCR typically announces what its enforcement focus will be in advance, but “it is constantly changing year to year, so by the time something shows up on your risk assessment, it's a little late if it's an issue,” said Chris George, a senior managing director in the health solutions practice at FTI Consulting.
George, who is familiar with how HIPAA inspections are conducted, said it is important to establish a compliance committee that meets regularly to oversee the process of implementing changes after a risk assessment. OCR routinely monitors this activity, he said. “They look for policies and procedures, but also what you are doing from week to week,” he said. “They want to see you putting time, energy, and effort into solving some of these problems.”
Working regularly to amend bad habits and areas that introduce risk is what Wilkes refers to as having good “security hygiene.” Many changes can be simple to implement, such as having staff change their passwords every 6 months, use screen savers, or set up computers so they log users out after a certain period of time automatically. Staff need to know that online surfing habits on workplace computers can put a practice at significant risk for data breach.
Wilkes also recommends consulting websites such as the Health IT Playbook, which provides tip sheets that can be downloaded and displayed in the office as reminders for staff. They include “Top 10 Tips for Cybersecurity in Health Care” and “Steps to Protect and Secure Information When Using a Mobile Device.” The use of these forms can be documented as part of a practice's security awareness and training.
“Beyond having policies in place, these are the things that OCR wants to see in a practice if they do an audit,” Wilkes said. “There should be breadcrumb evidence of good security hygiene awareness and behaviors in place.” The risk analysis is just one piece. Then, using the results of the risk analysis to tell your staff about the risk identified and what safeguards will help reduce that risk is what the goal should be for protection of the practice and its patients' information.
One piece at a time
When practices decide on a set of problems to address, they should not try to do everything at once, as this will be too burdensome, George said. “You need to come up with a priority plan for each of the areas,” he said. “Some practices will already have improvement processes in place and the risk assessment is just part of that.”
The most critical issues should be addressed first if possible, but this may not always be feasible. During busy times, it may be wiser to fix security issues that have a lower priority and less impact. A savvy practice manager, he said, should be able to help determine the best times to fix certain problems.
“At the end of the day it's all about seeing patients, and you have to make sure the changes don't impact your practice negatively from a clinical care perspective,” George said.