On its website, the Department of Health and Human Services (DHHS) offers steps a practice can take when performing a risk analysis, which is required by HIPAA. These steps include identifying the scope of the analysis; gathering data; identifying vulnerabilities; assessing security measures; and determining the potential impact of a threat. As with much of the wording of HIPAA – and lists that offer ways to comply with the regulation – there is little that is “actionable, practical, or specific,” said Steve Spearman, CEO of Health Security Solutions.
Organizations that want to perform risk assessments often have no idea where to start or what to do with much of the information meant to help them (like DHHS’ risk assessment tool, which has more than 150 questions to work through). So, where should someone turn to find out how to comply with the risk assessment provision? Experts have some tips on weaving through the mire.
Just do it
Not performing a risk assessment is akin to doing a home inspection and being surprised to find out a house’s foundation is settling or there are termites in the rafters. Not only is this step required by HIPAA, but it is the key provision within the legislation related to meaningful use. A risk analysis is an integral part of HIPAA compliance predominantly because it is the main tool that enables providers to determine where they stand with their protected health information.
One example is the use of Windows XP. According to Spearman, the operating system is no longer supported by Microsoft, Inc., meaning the developer will no longer provide updates, troubleshooting, or security patches for the system. To use XP is not an explicit HIPAA violation, but if an organization were to fail to document and mitigate the risks associated with the use of Windows XP, it would be. The rules do not specifically cover this XP point, but a risk analysis would catch this, Spearman said.
Performing a risk analysis not only alerts an organization to this kind of problem, but it is a good way to potentially mitigate punishment after the fact. Imagine two different providers have XP and only one performs a risk analysis. They are both sitting in front of an auditor after a breach and one says, “I didn’t know this was a problem,” whereas the other pulls out its documentation and says, “We knew this was a risk area for us, and to lessen the potential for harm, we repurposed some computers, and took others off of the system.”
Steps to take
The verbiage of the provision dealing with risk analyses requires providers to perform an accurate and thorough assessment of the risk and vulnerabilities related to protected health information in their office. Again, the rule leaves much to be desired regarding specifics for providers.
Organizations have to look at both technical and nontechnical vulnerabilities related to privacy, confidentiality, and disclosures. Nontechnical areas would include things like having effective policies and procedures, standards and guidelines.
Technical issues related to where there are holes or weakness in an office’s programs or systems. For a technical assessment, Spearman recommends beginning with an IT asset inventory. This will look slightly different for each office, depending upon their electronic usage. Create a spreadsheet listing each device in the office. Note each computer’s operating system and its purpose. Is it used to store health information or view it?
If it is storing information, a device should be encrypted, he said. The type of device should also be noted. Laptops are riskier than desktops, for instance, because they are portable. Backup media like tapes and external drives should also be included.
Next, a report or list should be created with the steps taken to ensure the devices are secure. This could include secure storage, encryption, passwords, or special access authorization. Spearman recommends using one of the free online tools that can be used to check computers for viruses or other bugs and including that in the documentation as well.
Another document that should be created, if one does not already exist, is the security policy. Cindy Winn, deputy director of consulting services for The Fox Group in Upland, Calif., also recommends having “a great backup or disaster recovery plan” in case a problem should arise.
The last point to note is the frequency of performing assessments. The only guidance HIPAA provides here is that each office follows its own policy. Under meaningful use, an analysis has to be performed annually. Winn also recommends creating a policy for record retention. Actions like checking firewalls to see if they were up or requiring staff to change passwords every 90 days should be documented and retained for at least six years, she said.