Long-time readers of my blog are probably sick of my preaching the importance of a HIPAA risk analysis in HIPAA compliance. And I’m not going to stop, for two reasons: (1) failure to do (and update) a risk analysis is the single biggest cause of civil money penalties (“CMPs”), which are often in the seven-figure range, and (2) although I have been unable to find any statistics on it, I am absolutely convinced that well over half of all covered entities and business associates have not conducted one or, if they have, have not updated it periodically (remember Blue Cross/Blue Shield of Tennessee’s $1.5 million settlement in lieu of a CMP and $17 million in remediation costs for failure to update their risk analysis when they moved into a new leased building). My support for that belief comes from the informal polls I took when I gave HIPAA seminars: fewer than 10 percent of the attendees had done one. And often those who had were those who had previously attended one of my seminars and got the value of it!
And my co-author on our forthcoming book, HIPAA in the Digital Age, Joe Borich, who also gives HIPAA seminars, believes that the paucity of risk analyses and the general lack of interest in HIPAA compliance are due, in part, to neither Congress nor DHHS having updated the law or the regulations in five years.
Another factor may be in play as well: covered entities and business associates have not done a risk analysis of the risk of not taking HIPAA seriously and getting and staying compliant. Instead, they make some assumptions and decide that HIPAA compliance past some minimum isn’t a priority.
Those mistaken assumptions and my take on them are as follows:
- The folks at DHHS aren’t really enforcing HIPAA much, and to the extent that they are, they are unlikely to zero in on us. Although it is true that it took some years before DHHS started imposing civil money penalties or accepting settlements in lieu thereof, enforcement has picked up the longer HIPAA has been in effect. A document in DHHS’s HIPAA for Professionals section titled “Enforcement Highlights” notes that, as of June 30, 2018, “OCR has settled or imposed a civil money penalty in 55 cases resulting in a total dollar amount of $78,829,182.00. OCR has investigated complaints against many different types of entities, including [these]: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.” See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
- The folks at DHHS are only going after the “big boys,” not small practices like ours. If the language in the above bullet—“small provider offices”—doesn’t knock out this assumption, consider the $50,000 settlement that Hospice of North Idaho paid for not having conducted an adequate risk analysis to safeguard patient electronic protected health information (“EPHI”). How big was that covered entity?
- We are so overregulated with Medicare compliance, OSHA, employment law, and the like that we can’t comply with everything. Mr. Borich and I are certainly very sympathetic with this aspect of the problem, but have you done a risk analysis of these compliance issues to determine which ones you must focus on and which ones you can let slide a little bit? Or are you just guessing?
- HIPAA compliance is too expensive. Yes, it can be, but if you go about it correctly, it need not be. Risk analysis, and the risk management that follows from it, is the process of selecting reasonable and appropriate, cost-effective security measures by balancing the cost of a security measure against the cost of the harm that would occur if it were not implemented. HIPAA expressly allows you to consider cost in deciding on security measures. Under 45 C.F.R. § 164.306 (Security standards: General rules), paragraph (b) (Flexibility of approach), (2): “In deciding which security measures to use, a covered entity or business associate must take into account the following factors: … (iii) The costs of security measures.” I guarantee that Blue Cross/Blue Shield of Tennessee would not have spent anywhere near $18.5 million to do a risk analysis of the physical security of the new leased building and to implement, say, better locks, security cameras, an alarm system, and maybe even a security guard. I performed a risk analysis for a hospital and, aside from my $2,000 consulting fee, the hospital spent only $200, for an improved lock on one storeroom that contained paper PHI. The risk analysis confirmed that their other physical and technical security measures were HIPAA compliant. They were deficient, however, in having all the required policies, but with the sample templates included in the package, that step cost nothing but the time spent adopting them. I would venture to say that perhaps as high as 90 percent of risks can be handled by controlling behavior through adopting and enforcing a policy. And if $2,000 had been too much, they could have purchased my Risk Analysis ToolKit, done it themselves, and had me review it for $500. It’s available at http://www.veteranspress.com/product/hipaa-risk-analysis-toolkit.
- HIPAA is too complicated. How do we know what’s a reasonable and appropriate security measure? Yes, as written, HIPAA is confusing at best. But a wealth of tools exist to help eliminate the confusion and make HIPAA understandable, including the author’s books and compliance tools, available at http://www.veteranspress.com/products/hipaa-hitech-compliance-tools.
- We don’t have an electronic health record, so HIPAA doesn’t apply to us. Actually, it is immaterial whether you have electronic or paper charts. What matters, stated simply, is whether you bill electronically (or your billing service does). More precisely, if you are a health care provider, what matters is whether you transmit one or more of the standard transactions, which are mostly billing transactions, in electronic form. 45 C.F.R. § 160.103(c). (Health plans and health care clearinghouses are covered entities regardless.) The standard transactions are listed at 45 C.F.R. Part 162.
Realizing that none of those assumptions work, you need to decide whether you are going to get into (1) full compliance, (2) partial compliance, which the author defines as complying with those standards and implementation specifications that are very visible and likely to result in a breach or complaint that leads to a CMP or damages from a lawsuit, (3) minimal compliance, where you have a notice of privacy practices and a little half-hearted training, or (4) no compliance.
So what should your risk analysis of the risk of noncompliance look like? My model for risk analysis stresses the probability and criticality of the risk. DHHS does not prescribe a method; it specifies only the factors you must take into account. Those four factors are these:
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information [(“EPHI”)].
I use a chart to help decide this last factor. On the vertical axis, as you go up, the probability of the risk happening increases. On the horizontal axis, as you go to the right, the risk becomes more critical, that is, more harmful. That gives four quadrants. In the upper right, the probability is high and the harm is high. In the upper left, the probability is high, but the harm is not great. In the bottom right, the probability is low, but the harm is high. And in the bottom left, both the probability and the harm are low. Now, in which quadrant are you going to put the bulk of your presumably limited resources? High and high! That doesn’t mean that you will necessarily ignore a risk in the low-probability, high-harm quadrant if the harm is huge: say, for example, you get a seven-figure CMP, have to spend seven figures in remediation costs, lose your accreditation, and go bankrupt. That possible result might be worth some expenditure on security even if it is unlikely to happen.
Let’s think about this risk analysis for your practice. It certainly will not be easy to quantify how likely it is that you will incur a large CMP. If there have been only 55, out of the thousands of covered entities and business associates, that would seem to indicate a low probability of your incurring such a penalty. But CMPs aren’t the only risk of noncompliance. One can certainly have a breach that does not lead to a CMP but does incur large remediation costs. Remember, again, Blue Cross/Blue Shield of Tennessee, whose $1.5 million settlement paled next to the $17 million in remediation costs. The average cost of a breach is $225 per record compromised. If you lost an unencrypted laptop with 100 charts on it, that’s $22,500; multiply that by 10, and think about that cost. And perhaps Blue Cross/Blue Shield of Tennessee could handle a seven-figure hit for breach mitigation and a CMP more easily than your smaller operation could. And one 2016 study found that 89 percent of health care entities had suffered a breach in the preceding two years. See Healthcare IT News, Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data at https://www.healthcareitnews.com/news/ponemon-89-percent-healthcare-entities-experienced-data-breaches. As a result, it will be hard to say that the probability of harm from failure to perform a risk analysis and implement reasonable and appropriate security measures is low or very low.
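To make the four-quadrant chart and the cost-versus-harm balance concrete, here is a small risk-register script. It is an added illustration, not code from the original post or from any DHHS guidance: it rates each risk on probability and criticality, places it in a quadrant, estimates an expected annual loss from a constructed likelihood and record count, and checks whether a control costs less than the loss it would avert (the 45 C.F.R. § 164.306(b)(2)(iii) cost factor). The risks, ratings, likelihoods and record counts are all made up for a hypothetical small practice, the $225 per-record figure is the one quoted above treated as an assumption, and the ordering of the two mixed quadrants is an editorial choice.

```python
"""Four-quadrant HIPAA risk triage with a simple expected-loss estimate.

Added example, not the post's own method or code. Every risk, rating,
likelihood and record count below is a constructed illustration for a
hypothetical small practice.
"""
from __future__ import annotations

from dataclasses import dataclass

COST_PER_RECORD = 225  # per-record breach cost quoted in the post (assumption)

# Order in which quadrants get attention. High/high first, as the post says;
# putting low-prob/high-harm second is an editorial choice reflecting the
# remark that a rare but ruinous outcome may still be worth spending on.
QUADRANT_ORDER = (
    "high-prob/high-harm",
    "low-prob/high-harm",
    "high-prob/low-harm",
    "low-prob/low-harm",
)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int          # 1 (very low) .. 5 (very high), as rated in the analysis
    criticality: int          # 1 (very low) .. 5 (very high): degree of harm
    records_exposed: int      # records affected if the risk materialises (estimate)
    annual_likelihood: float  # chance of occurring in a year, 0..1 (estimate)


def quadrant(risk: Risk, threshold: int = 3) -> str:
    """Place a risk on the chart: vertical axis = probability, horizontal = harm."""
    high_p = risk.probability >= threshold
    high_c = risk.criticality >= threshold
    if high_p and high_c:
        return "high-prob/high-harm"
    if high_c:
        return "low-prob/high-harm"
    if high_p:
        return "high-prob/low-harm"
    return "low-prob/low-harm"


def expected_annual_loss(risk: Risk) -> float:
    """Likelihood x records exposed x per-record cost."""
    return risk.annual_likelihood * risk.records_exposed * COST_PER_RECORD


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks by quadrant, then by expected annual loss within a quadrant."""
    return sorted(
        risks,
        key=lambda r: (QUADRANT_ORDER.index(quadrant(r)), -expected_annual_loss(r)),
    )


def control_is_reasonable(risk: Risk, annual_control_cost: float) -> bool:
    """The cost-factor balance: a control is worth buying when it costs less per
    year than the loss it is expected to avert. Assumes the control removes the risk."""
    return annual_control_cost < expected_annual_loss(risk)


# Constructed risk register for a hypothetical small practice.
REGISTER = [
    Risk("Unencrypted laptop with charts lost or stolen", 4, 4, 1000, 0.20),
    Risk("Storeroom holding paper PHI left unlocked", 3, 2, 50, 0.30),
    Risk("Ransomware encrypts the EHR server", 2, 5, 20000, 0.05),
    Risk("Single fax misdirected", 2, 1, 1, 0.10),
]


def triage_report(risks: list[Risk] = REGISTER) -> list[tuple[str, str, float]]:
    """Return (name, quadrant, expected annual loss) in priority order."""
    return [
        (r.name, quadrant(r), round(expected_annual_loss(r), 2))
        for r in prioritize(risks)
    ]


if __name__ == "__main__":
    for name, quad, loss in triage_report():
        print(f"{quad:20} ${loss:>10,.2f}  {name}")
```

Run as written, the laptop risk lands in the high/high quadrant at the top of the list, the ransomware scenario comes next despite its low probability because of the harm, and a $200 lock on the storeroom is justified by the few thousand dollars a year of expected loss it removes, which is the same shape as the hospital example above.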
And you must consider the nature of the practice. A mental and behavioral health practice faces more liability for harm to clients from a breach of medical information than does a podiatrist, unless, say, the latter is the podiatrist for a professional sports franchise. But don’t forget that all types of practices may hold sensitive financial data, which, as information relating to payment for health care, is also protected health information (“PHI”), and it may be more at risk than clinical data. I have a hard time envisioning a risk analysis of whether to be HIPAA compliant that found the criticality of a breach to be low or very low.
Thus, if the probability is high or very high and the criticality, that is, the degree of harm, is also high or very high, the risk analysis of noncompliance would seem to weigh heavily toward full compliance. Add in that compliance is not all that costly, and compliance would seem to be reasonable and appropriate. Or, in the words of Inspector Callahan in the “Dirty Harry” movie, “Do you feel lucky?”
Alice here: To make sure that your risk analysis (and every update thereof) will actually help you if you get audited by DHHS, the risk analysis must be in writing. To make sure that you can find it, keep your risk analysis, along with the rest of the proof of your HIPAA compliance, stored in Your Happy HIPAA Book, available at http://www.veteranspress.com/product/your-happy-hipaa-book. I would get two copies of the three-ring binder, which has tabs for everything that you need to prove your HIPAA compliance and a thorough checklist behind every tab so that you know when you have actually achieved the level of HIPAA compliance that your risk analysis has shown that you need to achieve. Keep one completed copy at home, and keep the other completed copy on the bookshelves behind your desk at work so that all you have to do, after you have managed to get your heart started again when DHHS comes calling, is pull the notebook down off the shelf and hand it to DHHS as written documentation of your HIPAA compliance. Yes, I know that I am always trying to sell you something in Jon’s blog items. Forgive me, but as some of you have heard me say in my live seminars and on my webinars, I see our job as CYA: cover your assets. We want to help keep you from getting that free trip to Leavenworth (I used to live five blocks from the federal penitentiary there, and trust me, you do not want to end up behind those bars) and from getting that very expensive trip to your bank to have a cashier’s check for seven figures written out of your account and made payable to DHHS. Please complete your risk analysis as soon as possible and write down your results.