Frank Ramage, who had read my July 24, 2011, blog entry, “Why Haven’t More Covered Entities Performed Risk Analysis?” asked whether HIPAA requires risk analysis of non-electronic PHI.
Thanks for asking. It’s a good question, because HIPAA does not explicitly require risk analysis except for Electronic Protected Health Information (“EPHI”). 45 Code of Federal Regulations (“C.F.R.”) § 164.308(a)(1) requires covered entities (and now, as a result of the HITECH Act, business associates) to perform risk analysis, a required implementation specification (§ 164.308(a)(1)(ii)(A)) under the Security Management Process standard. The Security Rule applies only to EPHI, so there is no explicit requirement for risk analysis of any other form of PHI.
But the Privacy Rule, which applies to all PHI regardless of form or format, requires appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 C.F.R. § 164.530(c). And you cannot select “appropriate” safeguards without performing risk analysis: a safeguard is appropriate only in relation to the threats and vulnerabilities it is meant to address, and a risk analysis is what identifies those. If you implement a security measure without a formal risk analysis, you are just guessing. And although DHHS has not come out and said so, I’d be willing to bet that, if one has a breach involving paper medical records and that breach was due, in whole or in part, to not having appropriate security, DHHS would consider that failure to be willful neglect, which raises any civil money penalty from $1,000 per violation to as much as $50,000 per violation. And DHHS cannot waive a fine based on willful neglect.
And whether or not you believe the above analysis requires risk analysis of paper records and oral communications, think how much less likely you are to have a breach if you have conducted a risk analysis and put appropriate risk management tools in place. Massachusetts General might have avoided the $1 million settlement it paid after an employee left paper records, secured only by a rubber band, on a subway train. A risk analysis would likely have led to limits on what data workforce members may take home, requirements for how to secure it (such as a locked, fireproof and waterproof briefcase), appropriate training, and the like. Instructions on how to transport the data could have been included in a work-at-home policy (a sample policy is included on the HIPAA Documents Resource Center CD, 4th edition, which accompanies the Compliance Guide to HIPAA and the DHHS Regulations, 4th edition, both available elsewhere on this website) or in a separate transportation-of-PHI policy.
I have required every client that I have taken through risk analysis to include all PHI in the analysis, not just EPHI, and I will not issue my EMR Legal (my consulting company) Certificate of HIPAA Compliance without performing risk analysis of paper, oral, and any other form or format of PHI.