S3 E35: HIPAA Risk Assessments
Transcript
Jordan Eisner
All right, welcome back. Another episode of Compliance Pointers. I think we’re in the high 30s at this point on the season, a lot of content. And so for those of you tuning in or watching, I’d encourage you to look at the full catalog, not only this season, but past seasons and all the topics we’ve been going over. And today we have not a new face, but not a familiar one, I would say, to the podcast: Sarah Reckling, from both our data privacy and our healthcare-specific compliance team. She’s a consultant and kind of serving a dual role on those. In fact, we were talking to her about your title before we got on this podcast today. But I guess in short, you’re a consultant like many consultants on our team, but you’re helping in a wide variety of areas, not only with regulatory expertise around emerging US state data privacy law, but also you’re an attorney, you’re trained in HIPAA privacy and, I would say, security and breach law as well, right?
Sarah Reckling
Absolutely.
Jordan Eisner
So you’re going to bring some good perspective to this podcast today, where we are talking about none other than HIPAA and discussing HIPAA risk assessments in particular, not only a security risk assessment, but also a HIPAA privacy risk assessment. Most of the time when organizations, especially business associates, talk about HIPAA security risk assessments, or as they’ll call them SRAs, they’re talking about the annual requirement of the HIPAA security rule, if applicable to you, to conduct a risk assessment. We’ve gone over it a lot in the past, in terms of, you know, it’s one of the first things the OCR asks about if they’re performing an audit, and hopefully I’m not stealing some of your thunder and what you’re going to speak to today, Sarah. But it’s going to be interesting to also hear from you on the privacy risk assessment, which to my understanding is not a requirement that you do, but still is a very meaningful and value-add exercise for organizations. So I’m getting ahead of myself. Let me stop there and just dive straight into the questioning so the expert can speak.
Let’s start with just the purpose of a HIPAA security risk assessment. Talk more about that beyond just the obvious.
Sarah Reckling
Sure. So I think one of the things that’s important to note about a security risk assessment is that it’s not just a compliance checkbox, right? It’s a requirement of the law, like you had stated earlier. And it’s a process really to understand how ePHI is at risk, right? And guiding organizations on how or what specific safeguards to put in place to, like, reduce those risks, and at an appropriate level, right. And there are six essential focus areas in a security risk assessment that we primarily focus on. So the first is looking at the risks and vulnerabilities, seeing where there are weak points in the administrative, physical and technical safeguards, right? Seeing where they lie within the environment. And then from there, once we find them, we’re determining the likelihood and the impact of threats based on those risks that we’re finding, right. So we’re assessing them on the probability that, like, a threat could exploit, you know, your potential PHI that you guys have, that somebody has. So that’s really the second step, and the third one really is to measure the current security posture in the environment, right? So looking at your controls: where are they sufficient? Where are they falling short, right? Checking to see, you know, kind of what the environment really looks like, right? And then once you know what’s in the environment, then you can really prioritize the risks and see, like, where they rank, you know, providing really a clear road map of, you know, what the organization wants to accept as a risk and what they need to implement to either reduce it or, you know, change it in some kind of way. So those are the four steps, and then the fifth and sixth steps, right? We’re really looking at, you know, due diligence, creating a record of all the changes, right, of us finding the risks, how we’re determining what they are, the likelihood, and just keeping track of everything in case there is an investigation or questions about any risks that are shown or that will, you know, likely pop up. And then that last step really is, you know, improving the overall security of the environment, right? So you found everything, you documented it, now it’s the time to actually do it, right? Reduce the chances of having, like, any kind of breaches or incidents, you know, and making sure you’re keeping that organizational reputation high. So those are the six main steps, I would say, and how you kind of want to think and walk through them.
Jordan Eisner
Nice.
OK, good breakdown there, Sarah, and...
Sarah Reckling
Yeah.
Jordan Eisner
Why is it important that this be done annually?
Sarah Reckling
So it is a requirement of the law to do this annually. So it’s not a suggestion or recommendation. We have to do it annually, and folks can do it internally or hire an external firm to do that. But yes, it is a requirement per law.
Jordan Eisner
Sure. But you know, you and us, CompliancePoint, being an organization that does these annually, I’m sure you’ve got some anecdotal stories and other, you know, call-outs for the importance of doing it annually. So you know, I’m just saying it from maybe a listener training is like, every single year doing the same security risk assessment, but I mean that’s pretty common in a lot of frameworks. For our listeners or viewers, what would you peg as some value points for that?
Sarah Reckling
Sure. I would say a value point, as well as where OCR seems to provide the most, I guess I could say, fines if you will, that they consistently find, is risk. Risk assessments really also look at whether there are policies and procedures in place and whether they’re followed and implemented, as well as whether folks are trained on them and know them, right. That has been a really big pain point, and having those policies and procedures, you know, brings strong value to the overall security posture and environment, so it’s super important. The other portion too, we’re just making sure, right, that everything has encryption; that is another pain point. I feel like some devices might be missed, right? But just making sure all of those bases are covered too. That’s a pretty big gap that seems to be found a lot by OCR. So really, like, assessing your entire security environment, right? And seeing where those gaps are. I mean, that’s, you know, the whole premise of a risk assessment. But that’s even just like another point within the risk assessment to do.
Jordan Eisner
Yeah, and so, and maybe two: people come and go at different organizations, but policies may be followed very religiously or consistently one year and could differ in the next. And just because it’s one way today doesn’t mean it’s that way tomorrow. Events happen, incidents happen with clients in the marketplace. So I guess it’s just staying readily on top of all of those different things that you just mentioned, but also not letting it get stale, not letting it get outdated, and keeping it top of mind in terms of really securing the data, the ePHI in particular. So let’s move then to privacy risk assessments. And maybe you’re going to correct me on this, or maybe they’re not being required. You know, maybe that’s a false understanding I had, but who needs to do these and how often, or yeah, how often, and how do they differ from a security risk assessment?
Sarah Reckling
Ha.
Sure. I feel like this question causes a lot of confusion. I get a lot of questions about this, a lot of confusion, not just you, Jordan. So when you look at, you know, just kind of taking a step back, when you look...
Jordan Eisner
Probably because of people like me.
Sarah Reckling
...look at HIPAA, there are primarily three main rules, right? The security, the privacy, and the breach rule. So we just discussed the HIPAA security risk assessment, which is under the security rule. And so now we’re looking at a different piece of the HIPAA law, which is under the privacy rule, which is where privacy risk assessments come into play. So what happens, for example, when there is an incident, right? A compliance official, whether that be, you know, general counsel or somebody who’s designated as a privacy officer, will complete a privacy risk assessment. Now it’s not situated the same as a security assessment, where you’re looking at your entire environment, right. You know, you do one, right, to fill in the gaps, prevent different breaches and things like that and incidents, but a privacy risk assessment is done once there is an incident, so a little bit different there. So what a risk assessment does is we look at an incident, and there will be a series of questions, and those questions are in the regulation of what needs to be asked. So the first kind of part of it is whether one of the three exceptions applies, and if one of the three exceptions applies, then you can stop doing the assessment and close that out. If one of the exceptions does not apply, then you need to do what’s famously called the four factors, right? And it’s a series of four questions that need to be answered to see, you know, whether this needs to be reported or not to OCR. So if there is an incident, right, a privacy risk assessment needs to be completed. It has to be completed under, you know, the HHS audit tool. You know, there are two sections that OCR looks at. You know, if there is an incident, they come into your organization, they ask...
Jordan Eisner
Mm.
Sarah Reckling
...do you perform risk assessments? Do you do the four factors, and do you have a template on how you’re doing them? And there’s a template that HHS gives you. You can pretty much copy and paste there. But if there is an incident in your organization and OCR comes in and asks for all of your, you know, documentation, as well as your risk assessment that you completed for a particular incident, and you don’t have that, you know, that’s going to be, you know, probably a pretty big fine that you’re not completing those. But so it is a requirement. It’s a very different approach, right. So it’s not like security. This one’s like once an incident has happened, and I will say, you know, a lot of folks like to fill out the four-factor assessment, you know, pretty generally and broadly, but the key really to doing a proper one is to get into the very specific details, and I’m talking about, um, you know, dates, timelines, names, when it was reported to you, when did you find out about it? When did you start investigating? So it needs to be as specific as possible. And the reason being there is not just, you know, to make somebody do this assessment, but if there is an investigation, it’ll be helpful to know the details. So that way, if there is another person, another compliance official, that comes, you know, in three years, and this investigation doesn’t happen until three years, that individual can look at this risk assessment and should be able to know exactly what happened, when it happened and why. That’s the premise, and once the assessment is completed, you really make a determination of was there a low probability of PHI being seen and whether it needs to be reported or not. So that’s the premise and the importance of doing one. And it’s also important too, whether there’s like an incident or a breach where there’s an involvement of 500-plus individuals, right, we need to be documenting all this information, because that’s a pretty big breach, right? So we’re going to have to really notate everything, and OCR, especially with 500-plus breaches, they really do like to take a closer eye on those organizations with those larger breaches. And so if you have one of those, you really just need to document everything, as long as it might take you to fill out the risk assessment. It’s super important, and it just makes life a lot easier too if OCR comes in.
Jordan Eisner
OK. I guess my understanding of a privacy risk assessment, and maybe it’s two parts, but so it’s a requirement in that if you have an incident that meets the volume amount, you have to conduct a privacy risk assessment. So you could be conducting several of these, hopefully not, but you could be conducting several of these inside a year, so this is not the same scale as a security risk assessment, right?
Sarah Reckling
Right, you got it. So after every incident that you have, you should be completing a privacy risk assessment. And like you said, this isn’t a huge organizational evaluation. This is an evaluation of the singular incident itself.
Jordan Eisner
OK, what about an organizational privacy risk assessment similar to a security risk assessment? Or is that a topic for another day?
Sarah Reckling
That is a topic for another day, Jordan.
Jordan Eisner
OK, good. There’s your invitation to come back, Sarah.
Sarah Reckling
Right, right. There we go. But I really do wish that the privacy assessment was called something different, because I feel like people think that they’re the same thing, but they’re not, right? One is bigger picture, one is more on singular events.
Jordan Eisner
I mean, I feel like I have egg on my face, but I have to admit I’ve done the security risk assessment for a while. I always thought the privacy risk assessment was, you know, a sister to that, you know, in that it was really looking at an organization’s risk as it pertains to the privacy rule, what they need to be doing around the privacy rule policy...
Sarah Reckling
Hello.
Yeah.
Mhm.
Jordan Eisner
...procedures, similar to security.
Sarah Reckling
Yeah, your misconception is, like, truly what everyone, a lot of folks, you know, especially I would say like smaller health IT organizations, you know, they didn’t realize that it’s a different thing and that it needs...
Jordan Eisner
OK.
Yeah.
Sarah Reckling
...to be completed for each incident. So, but it’s very important.
Jordan Eisner
Yeah.
Yeah, well, we’ll do another one then. So thank you for clearing that up for us, Sarah Reckling, and giving us a detailed breakdown of the steps involved in not only HIPAA security risk assessments, but also privacy risk assessments, which should be a result, or shouldn’t be a result of a breach... no, I guess you could say that, yeah, should happen in response to an incident or a breach, especially with 500-plus records. So we appreciate your time. And for listeners and audience, if you like this sort of content, please remember to subscribe, leave us a note, leave us a review, especially if there are specific topics maybe that you’re looking for us to cover. And as a reminder, Compliance Pointers covers a variety of different regulatory compliance topics, but also information security and information privacy frameworks, and I would just say kind of cutting-edge best practices in this realm to help companies secure data and keep it private when it is required of them. So you can reach us at connect@compliancepoint.com and anywhere you can access CompliancePoint.com. So until then, thanks, everybody, and be well.
Sarah Reckling
Thanks, Jordan.