The costs to providers for data breaches of personal health
information ("PHI") are dramatically on the rise.
The Department of Health and Human Services Office for Civil Rights
("OCR"), the government entity in charge of
administrating and enforcing the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA") and the Health
Information Technology for Economic and Clinical Health Act
("HITECH"), has been aggressively investigating and
prosecuting providers for potential violations of HIPAA.
In April, for example, OCR settled with Phoenix Cardiac Surgery,
P.C., of Phoenix and Prescott, Arizona ("PCS"), to the
tune of $100,000.00 for potential HIPAA violations.
Interestingly, among the issues uncovered by OCR's
investigation of PCS was a commonly overlooked HIPAA requirement:
failure to conduct a risk analysis. In the HIPAA
implementing regulations, the Centers for Medicare and Medicaid
Services ("CMS") established a minimum standard of security of
electronic PHI ("e-PHI"), commonly known as the Security
Rule. Specifically, the Security Rule sets forth three
categories of safeguards (administrative, physical, and
technical) that must be implemented by providers to protect the
e-PHI of patients. The first step for a provider in
identifying and implementing safeguards that comply with and carry
out the standards and implementation specifications in the Security
Rule is conducting a risk analysis. "Risk
analysis" is defined under the Security Rule to be conducting
"an accurate and thorough assessment of the potential risks
and vulnerabilities to the confidentiality, integrity, and
availability of electronic health information held by the covered
The Security Rule does not prescribe a specific risk analysis
methodology, recognizing that the methods will vary with the size,
complexity, and capabilities of the provider. Instead, the
Security Rule identifies risk analysis as the foundational element
in the process of achieving compliance, and it establishes several
objectives that any methodology adopted must achieve.
However, the Office of the National Coordinator
("ONC") has published a Guide to Privacy and Security of
Health Information in which it provides additional guidance
on conducting a security risk analysis. Some of the questions
ONC suggests that providers ask include:
Have you identified the e-PHI within your organization? This
includes e-PHI that you create, receive, maintain or transmit.
What are the external sources of e-PHI? For example, do vendors
or consultants create, receive, maintain or transmit e-PHI?
What are the human, natural, and environmental threats to
information systems that contain e-PHI?
Furthermore, OCR outlines elements that should be included in
the risk analysis that include considering the proper scope of
analysis, collection of data, identifying and documenting potential
threats and liabilities, assessing current security measures,
determining the likelihood of threat occurrence, determining the
potential impact of threat occurrence, determining the level of
risk, finalizing documentation, and periodically reviewing and
updating the risk assessment. Specifically, OCR offers
the National Institute of Standards and Technology
("NIST") recommendations and standards in NIST Special
Publication 800-30 as a good blueprint for steps to be applied in a
It is important to note that electronic health records vendors
are not responsible for compliance with HIPAA rules; providers
are! According to ONC, providers should conduct these audits
and use the information gleaned from their risk analysis to design
appropriate personnel screening processes, identify what data to
backup and how, decide whether and how to use encryption, address
what data must be authenticated in particular situations to protect
data integrity, and determine the appropriate manner of protecting
health information transmissions.
Conducting a risk assessment is the first step of an ongoing
HIPAA compliance plan. To comply with HIPAA, providers must
continue to review, correct or modify, and update security
protections of PHI. Therefore, to avoid the costly mistakes
of other providers like PCS, a HIPAA risk assessment should be in
your organization's plans to assure that it is adequately
protecting its patients' PHI.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.