HIPAA Series: Part Three

HIPAA Series: Part Three Risk Assessment Presented March 23, 2017 © 2017 Gilliland, Maguire & Harper, PC

NOTE: The materials and opinions presented by the speaker in this unit represent the speaker’s views only and do not necessarily represent those of Visiting Angels. The speaker’s materials are for educational and informational purposes only, are not intended to be legal advice and should not be used for legal guidance or to resolve specific legal problems. Moreover, the information on this topic is subject to your own respective state laws. In all cases, legal advice applicable to your state and your organization’s own specific circumstances should be sought. The information for this presentation was compiled in March 2017 and is subject to future changes in the law.

HIPAA - Part Three
Covered Entities Must Comply With:
- HIPAA Privacy Rule
- HIPAA Breach Notification Rule
- HIPAA Security Rule (requires a risk assessment – today’s webinar)
- State laws that are more stringent than HIPAA requirements*
*This webinar does not cover state law requirements!
Business associates are directly subject to the Security Rule and the Breach Notification Rule as well, so the risk assessment obligation discussed today applies to them too.

Today’s Webinar Will Cover:
- Quick overviews of HIPAA Security Rule requirements
- Sample risk assessment approach and documentation
- Sample policies and procedures that help mitigate potential risks
- Links to online tools for understanding and meeting HIPAA’s security requirements

Why do a Risk Assessment?
- It’s the law! (HIPAA Security Rule)
- Provides a defense if legal action is brought and is necessary for HIPAA audits and investigations.
- Helps you and your employees work from the same page.
- Protects and builds client and public confidence in your operations and level of care.

HHS’ Audits and Investigations
First question: Do you have your risk assessment documentation?
- The sample security policy on the ARC states that you conduct and document a thorough risk assessment.
- The sample security policy is NOT your risk assessment documentation.
- You must do your own risk assessment and document it!
WARNING: Submitting sample policies without thoroughly customizing them after your risk assessment could demonstrate that you knew or should have known the law but did not comply!

How To Get Started?
- Do your (updated) risk assessment first!
- Use what you find to develop and implement reasonable and appropriate security measures and controls for your business.
- Use what you find to customize the sample privacy and security policies.
- You must have some understanding of IT.
- Document, document, document!

What Must Your Documentation Look Like?
- The HIPAA Security Rule does not say what your documentation for your risk assessment should look like.
- It must address the Security Rule’s 18 Standards and 44 Implementation Specifications (see Sample Security Policy).
- HHS offers tools that can guide you through the Security Rule’s requirements. These tools are very helpful but are neither required nor intended to be the definitive guidance for your risk assessment.
- Third-party companies can perform and document your risk assessment, but their services are likely costly.

Links for Risk Assessment Tools
- Free download from HHS: www.healthit.gov/providers-professionals/security-risk-assessment-tool
- Free download from NIST (National Institute of Standards and Technology): www.csrc.nist.gov/publications/nistpubls/800-66-Rev1/SP-800-66-Revision1.pdf (Rev. 1 was the current revision when this was compiled in 2017; NIST has since published SP 800-66 Rev. 2, so check for the latest revision before relying on it.)

For Example Only: This webinar will show HHS’ paper-copy version of the Security Risk Assessment Tool.
Printed:
- Administrative Safeguard questions = 205 pages
- Physical Safeguard questions = 115 pages
- Technical Safeguard questions = 139 pages
The online version has the same questions and background information as the paper-copy version. The online version prints out a compact report when completed.
HHS’ Security Risk Assessment Tool can seem cumbersome and redundant, but it is still helpful. This webinar cannot possibly cover all questions and answers.

Administrative Safeguards – First Q: Is “Yes” or “No” a Trick Question? (See sample policies, next slide.)

Conducting and documenting a risk analysis are your first sample policies. Questions A-1 through A-4 provide building blocks to add to your risk assessment decisions and policies. For example, you will be asked if you conduct periodic assessments, when and why. Questions A-5 through A-8 address Risk Management.

Administrative Safeguards – First Q: What should you write in the boxes?
Your assessment of how your agency is meeting the security issue addressed in the question, your decisions and your rationale behind them.
Sample “current activities” answer: “We started conducting an internal risk assessment on [insert date] to ensure our organization is taking reasonable and appropriate actions regarding the security of ePHI. Our goal is to complete our risk assessment by [insert date] to find and mitigate our security risks in a timely manner.”

Administrative Safeguards – First Q: Answer questions honestly with a goal of compliance moving forward.
The point of the assessment tool is to learn the HIPAA rules, find risks and mitigate those risks!
Sample “additional notes” answers: “Our last risk assessment was completed [insert date].” [Or:] “No prior risk assessments were documented.”

Administrative Safeguards – First Q: Your remediation plan addresses how you intend to use what you find moving forward to mitigate security risks, if necessary.
Sample “remediation plan” answer: “We will thoroughly document our risk assessments now and in the future with the help of available HIPAA tools and resources. We will then use our findings to update and implement policies and procedures to detect, contain and correct security violations. We will train workforce members in a timely manner about the same.” [See sample security policy, Appendix C-2.]

Administrative Safeguards – First Q: Both the HHS and NIST Security Risk Assessment Tools want you to rate your risks. Suggestions for how to set up your rating systems are provided with each tool. The next four slides offer suggestions for how you can determine and document your threats and vulnerabilities, and how you will rate the likelihoods, impacts and overall security risks for those identified threats as they apply to each question you answer.

Determine/Document Threats and Vulnerabilities
What threatens the Confidentiality, Integrity and Availability of your ePHI? For example:
Natural Threats:
- Strong storms, wind, lightning (damage to property, utilities, services, HVAC equipment, physical access, power grid, computing and network systems)
- Earthquake, flood (damage to office building, services and utilities, etc.)
Intentional Threats:
- Theft
- Cyberattack
- Unauthorized use or disclosure because of malice, revenge or financial gain
- Unauthorized use or disclosure because of curiosity
- Vandalism or sabotage
Unintentional Threats:
- Lost devices that store or access ePHI
- Unintentional worker/vendor errors; spouses or children seeing ePHI
- System errors/vulnerabilities due to age of system, Internet outages, etc.

Likelihood of Threat or Vulnerability (sample)
- For HIGH likelihood: The threat source is highly motivated and sufficiently capable. Controls to prevent the vulnerability from being exercised are not in place yet or are ineffective.
- For MEDIUM likelihood: The threat source is motivated and capable. Controls are in place that may impede successful exercise of the vulnerability.
- For LOW likelihood: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Impact of Threat or Vulnerability (sample)
- For HIGH impact: If the threat occurs, the impact could significantly compromise the confidentiality, integrity or availability of clients’ ePHI; result in the highly costly loss of major tangible assets or resources; or significantly violate, harm or impede our agency’s mission, reputation or interests.
- For MEDIUM impact: If the threat occurs, the impact could compromise the confidentiality, integrity or availability of clients’ ePHI; result in the costly loss of tangible assets or resources; or violate, harm or impede our agency’s mission, reputation or interests.
- For LOW impact: If the threat occurs, the impact could noticeably affect the confidentiality, integrity or availability of clients’ ePHI; result in the loss of some tangible assets or resources; or noticeably affect the agency’s mission, reputation or interests.

Overall Risk Ratings (sample)
- For HIGH risk: If we rate an overall risk as high, we will develop and implement corrective measures as soon as possible.
- For MEDIUM risk: If we rate an overall risk as medium, we will develop and implement corrective measures within a reasonable period of time.
- For LOW risk: If we rate an overall risk as low, we will determine whether corrective measures are necessary or decide to accept the risk.
Be sure to document your rationale for your risk rating decisions.
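The three rating slides above leave open how a likelihood and an impact rating combine into an overall rating. The following is an added example written for this page, not code from the webinar or from the HHS or NIST tools: a small risk-register helper that combines the two ratings using the example matrix in NIST SP 800-30 (the guide that SP 800-66 Rev. 1 points to), refuses entries that have no documented rationale, and orders the register by the remediation expectation stated on the slide. The numeric weights are taken from that NIST matrix and are an assumption about how you choose to combine ratings; the threat, vulnerability and question entries are constructed sample data.

```python
"""Risk-register helper for a likelihood/impact/overall-risk scheme.

Added example for this page, not the webinar's or the HHS/NIST tools' code.
The combination rule below is assumed from the NIST SP 800-30 example matrix;
all register entries are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List

# NIST SP 800-30 example weights (assumption: the slides give no combination rule).
LIKELIHOOD = {"HIGH": 1.0, "MEDIUM": 0.5, "LOW": 0.1}
IMPACT = {"HIGH": 100, "MEDIUM": 50, "LOW": 10}

# Remediation expectation per overall rating, as stated on the slide.
ACTION = {
    "HIGH": "develop and implement corrective measures as soon as possible",
    "MEDIUM": "develop and implement corrective measures within a reasonable period of time",
    "LOW": "decide whether corrective measures are necessary or accept the risk",
}
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def overall_risk(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact rating into an overall rating.

    With the NIST weights: >50 is HIGH, >10 to 50 is MEDIUM, 1 to 10 is LOW.
    Only HIGH x HIGH lands in HIGH; HIGH x LOW and LOW x HIGH both land in LOW.
    """
    score = LIKELIHOOD[likelihood.upper()] * IMPACT[impact.upper()]
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    return "LOW"


@dataclass
class RiskEntry:
    question: str       # SRA tool question the finding belongs to, e.g. "A-5"
    threat: str         # what threatens the confidentiality/integrity/availability of ePHI
    vulnerability: str  # the weakness the threat could exercise
    likelihood: str
    impact: str
    rationale: str      # why these ratings were chosen; an auditor will ask for this
    overall: str = field(init=False)

    def __post_init__(self):
        for name, value, table in (("likelihood", self.likelihood, LIKELIHOOD),
                                   ("impact", self.impact, IMPACT)):
            if value.upper() not in table:
                raise ValueError(f"{self.question}: {name} must be one of {sorted(table)}, got {value!r}")
        if not self.rationale.strip():
            raise ValueError(f"{self.question}: document the rationale for the rating")
        self.likelihood = self.likelihood.upper()
        self.impact = self.impact.upper()
        self.overall = overall_risk(self.likelihood, self.impact)


def prioritize(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register so items needing the soonest action come first."""
    return sorted(entries, key=lambda e: (SEVERITY[e.overall], e.question))


def report(entries: List[RiskEntry]) -> str:
    """Render the register as text you can paste into the tool's remediation-plan boxes."""
    lines = []
    for e in prioritize(entries):
        lines.append(f"[{e.overall}] {e.question}: {e.threat} / {e.vulnerability}")
        lines.append(f"    likelihood={e.likelihood} impact={e.impact}; action: {ACTION[e.overall]}")
        lines.append(f"    rationale: {e.rationale}")
    return "\n".join(lines)


# Constructed sample findings drawn from the threat categories on the earlier slide.
SAMPLE_REGISTER = [
    RiskEntry("A-5", "Lost or stolen personal phone",
              "Client names and addresses held unencrypted in text messages",
              "high", "high",
              "Caregivers carry phones in the field daily; no encryption or remote wipe is in place."),
    RiskEntry("A-5", "Flood",
              "Only copy of ePHI is on an office workstation",
              "low", "high",
              "Office is outside the flood plain, but backups are not yet stored offsite."),
    RiskEntry("A-2", "Curiosity by a workforce member",
              "Shared login on the scheduling system",
              "high", "medium",
              "Shared credentials mean activity cannot be attributed to one person."),
]

if __name__ == "__main__":
    print(report(SAMPLE_REGISTER))
```

The register deliberately treats a missing rationale as an error rather than a warning: the slide's last line ("document your rationale") is the part auditors look for, and a rating without one is not evidence of a risk analysis.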

Things to Consider to Help Answer Questions
The “Things to consider” section attempts to provide sufficient background information about HIPAA requirements for you to answer the question. Don’t worry if the information in this section seems redundant or confusing. Concentrate on what the question is asking in terms of your business.

Things to Consider to Help Answer Questions “Examples of Safeguards” may also provide language for you to use to answer questions.

Have Sample Policies When Assessing Risks
- The sample privacy, breach and security policies available on the ARC can help you with your risk assessment.
- Read all sample policies thoroughly before beginning your assessment. Read all sample appendixes, too.
- Review your employment policies, job descriptions and HIPAA training materials.
- Have all of these materials available when answering your risk assessment questions.
- Update and customize your written materials as you go through the risk assessment tool.

Carefully Assess “Addressable” Specifications
Questions that are “addressable” require special attention. “Addressable” does not mean optional: for each addressable specification you must implement it, implement a reasonable and appropriate alternative, or document why neither is reasonable and appropriate for your organization (45 CFR 164.306(d)(3)). You will likely need to explain your risk assessment in your security policies and procedures.
For example, questions A-31 through A-33 ask about the sample security policies for “Access Authorization,” which the sample policies cover at iv. Information Access Management, subparagraphs (3) and (4). The sample security policies for “Access Authorization” state that a formal workforce access clearance procedure is unnecessary: “For a more detailed explanation for how this determination was made, see Appendix G, Assessments.”
The next slide shows sample documentation supporting the sample security policy.

Sample Documentation for Addressable Specification
Appendix G – AS 1 for Access Authorization:
Requirement: Implement policies and procedures for granting workforce access to electronic protected health information (“ePHI”). In lieu of having a formal workforce access clearance procedure before access can be obtained, our policy is as follows:
Policy: Each worker is responsible for complying with our policies and procedures that address their roles and responsibilities for protecting ePHI, plus:
- Minimum Necessary
- Security controls for online access
- Security controls for physical access
Procedure: Our workers are granted access to our systems containing ePHI based on the need to perform job duties. Our Security Officer has assessed risks for each job role and has determined and implemented reasonable and appropriate access authorization protocols and controls that are communicated to each employee in orientation training and subsequent trainings as necessary, in written policies and, for some employees, in their job descriptions.

Look For Security Concerns in Each Question
For example, Question A-22: “Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?”
The security concern is whether your employees understand their role in securing ePHI. How are you making them personally responsible for securing ePHI?
Your designated Security Officer’s qualifications should include familiarity with IT, and the job description should state that he or she is responsible for developing and implementing the organization’s HIPAA security policies and procedures as part of his or her primary job duties.
Must you list HIPAA compliance as a job duty in all other job descriptions? Assess whether this is necessary for each job category. You may decide “Yes” for management members who have more access to ePHI but “No” for caregivers. If you decide “No,” explain your rationale (e.g., your HIPAA training regarding “minimum necessary” is sufficient to ensure your employees understand their compliance requirements).

Drill Down in Your Risk Documentation
For example, how do you protect ePHI sent to caregivers’ personal phones? Currently, your telephony vendor sends the clients’ full names and addresses to caregivers’ personal cell phones in an unencrypted text message. What should you document?
Identify specific risks:
- The phone can get lost or stolen.
- Unauthorized access by other users of caregivers’ phones during off-duty hours (e.g., spouse or children).
- An ordinary SMS is readable in transit, by the carrier and by anyone who can unlock the handset, so nothing along the path protects the message itself.
Develop and implement specific security mitigation measures and policies:
- Have the vendor send only initials and the street address (minimum necessary).
- Have a policy that requires appropriate passcodes on personal phones.
- Have a policy that requires caregivers to delete the vendor’s messages upon arrival at a client’s home.
- Have a policy prohibiting unauthorized users from accessing client data on personal phones -- or -- move the messages to an encrypted channel (a secure-messaging app or service; plain SMS cannot be encrypted end to end). Encryption also matters for breach notification: ePHI encrypted in line with HHS guidance is not “unsecured PHI,” and the Breach Notification Rule applies only to unsecured PHI.
- Have a policy with prompt responses for lost or stolen phones (e.g., remotely wipe the phone if ePHI may still be on it; report the situation to the appropriate authorities for possible recovery; follow breach notification rules and procedures). A remote wipe of a personal phone only works if the device was enrolled in a wipe-capable tool, with the caregiver’s agreement, before the loss.
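The first mitigation on the slide, cutting the vendor’s message down to the minimum necessary, is easy to state and easy to lose again the next time the vendor changes a template. The following is an added example written for this page, not the webinar’s or any telephony vendor’s code: it builds the minimized dispatch text from a client record and, separately, audits a message against that record to report which identifying fields beyond the minimum it still carries. The client record, field names and both message formats are constructed assumptions; the check matches the first name, last name, city and ZIP as whole words and deliberately skips the two-letter state code, which would false-positive on ordinary words.

```python
"""Minimum-necessary check for caregiver dispatch messages.

Added example for this page, not the webinar's or any vendor's code.
Client record and message formats are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Client:
    first_name: str
    last_name: str
    street: str     # street line only, e.g. "412 Elm St"
    city: str
    state: str
    zip_code: str


def initials(client: Client) -> str:
    """'Jane Doe' -> 'J.D.'"""
    return f"{client.first_name[0]}.{client.last_name[0]}."


def minimized_message(client: Client, shift: str) -> str:
    """Build the minimum-necessary dispatch text: initials and street only.

    The caregiver already knows the client, so the full name, city and ZIP add
    nothing to the job but widen what a lost or shared phone exposes.
    """
    return f"{shift}: {initials(client)} {client.street}"


def excess_fields(message: str, client: Client) -> List[str]:
    """Return the identifying fields, beyond the minimum, found in a message.

    Whole-word, case-insensitive matching so 'Doe' does not match the 'D.' in
    the initials. The state code is not checked: 'IN', 'OR', 'ME' etc. would
    match ordinary words and drown the report in false positives.
    """
    checks = {
        "first_name": client.first_name,
        "last_name": client.last_name,
        "city": client.city,
        "zip_code": client.zip_code,
    }
    found = []
    for field_name, value in checks.items():
        if re.search(r"\b" + re.escape(value) + r"\b", message, re.IGNORECASE):
            found.append(field_name)
    return found


def audit(messages: List[str], client: Client) -> List[str]:
    """Return the messages that carry more than the minimum necessary."""
    return [m for m in messages if excess_fields(m, client)]


# Constructed sample data: one client and what the vendor sends today.
CLIENT = Client("Jane", "Doe", "412 Elm St", "Springfield", "IN", "46290")
VENDOR_MESSAGE = "Shift 08:00: Jane Doe, 412 Elm St, Springfield IN 46290"

if __name__ == "__main__":
    print("vendor sends :", VENDOR_MESSAGE)
    print("exposes      :", excess_fields(VENDOR_MESSAGE, CLIENT))
    print("minimized    :", minimized_message(CLIENT, "Shift 08:00"))
```

Run the audit over a day’s worth of the vendor’s actual outbound messages and keep the output with your risk documentation: it is the evidence that the “minimum necessary” control is in place, and rerunning it after a vendor template change is how you notice when it silently stops being in place.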

Don’t Let Your Risk Assessment Intimidate You
Remember:
- Your responses to your risk assessment findings simply need to be reasonable and appropriate for your specific business.
- Do not use sample policies without customizing them for your business.
- There is no perfect way to prevent all risks! You just need to mitigate them!
- There is no perfect way to document your risk assessment! You just need to address all the requirements to the best of your abilities!
- When in doubt, seek knowledgeable advice.

Congratulations! You have made it through Part 3 of this HIPAA webinar series.
- You will soon have your risk assessment and custom policies and procedures completed.
- You will be ready to respond to legal challenges, if necessary.
- Your annual risk assessments will become much easier.
- Your clients will appreciate your efforts at securing and protecting their information.
- Your workers will appreciate your efforts to teach them their roles and responsibilities in securing and protecting clients’ information.

Q&A
10293 N. Meridian St., Suite 300, Indianapolis, Indiana 46290
Toll Free: 800-894-1243
www.GillilandLawFirm.com
E-Mail: thefirm@gillilandlawfirm.com
© 2017 Gilliland, Maguire & Harper, PC