The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct a HIPAA Security Risk Analysis and to update it periodically. The Rule itself does not set a fixed interval; the generally accepted industry practice is to update the risk analysis at least annually, and sooner when the environment changes materially (new systems or vendors, a security incident, a merger or acquisition).
When investigating a breach, the HHS Office for Civil Rights (OCR) also reviews the organization’s overall compliance with the Security Rule, not just the circumstances of the breach. One of OCR’s most frequent findings is the failure to conduct, or to keep current, a comprehensive risk analysis.
In a recent interview, Lisa Pino, HHS OCR Director, stated: “We are a law enforcement agency and we have to instill that sense of accountability when obligations of the law are not in compliance.” She added that “hacking and IT incidents are still a growing threat,” and went on to say that “this is really a time for organizations to bolster their security profile. This is an opportunity for them to reset and really establish, if not already, an enterprise-wide risk analysis instead of a reactive stance… an ongoing risk management is a must from a business perspective.”
Most entities failed OCR’s audit of risk analysis
Pino also referenced OCR’s 2016-2017 HIPAA Audit Industry Report, released in December 2020, and pointed out that its findings remain relevant today. In that report, OCR found that only 14% of covered entities “are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.”
For the 86% of covered entities that failed to meet the risk analysis requirement, the report describes some common issues:
- “Some entities provided irrelevant documentation, such as a document that describes a patient’s insurance prescription coverage and rights; a document that discusses pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page.”
- “Providers commonly submitted documentation of some security activities of a third-party security vendor, but no documentation of any risk analysis that served as the basis of the activities.”
- “Entities offered third party template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation.”
If you have not conducted a HIPAA Security Risk Analysis, or if more than a year has passed since you last updated it, that is a big risk.
Perhaps as risky as driving a vehicle without insurance. Or eating the marshmallow casserole someone plopped down on the picnic table on a hot, sunny day four hours ago.
It’s not worth the risk.
Without a current HIPAA Security Risk Analysis, an organization does not know where its security risks are, so those risks are almost certainly unmitigated: the risk analysis is the input to the risk management plan the Security Rule also requires (45 CFR §164.308(a)(1)(ii)(B)), and a risk that was never identified cannot be prioritized or addressed. Think of it as a data breach waiting to happen.
Meanwhile, the stakes in healthcare keep rising:
- According to IBM’s Cost of a Data Breach Report 2022, healthcare has had the highest average breach cost of any industry for 12 consecutive years, with an average cost of $10.10 million per breach.
- According to the mid-year update to the 2022 SonicWall Cyber Threat Report, ransomware attacks decreased 23% globally in the first half of 2022, but in the healthcare industry they increased by 328% over the same period.
What’s your HIPAA breach risk tolerance?
Do you update your HIPAA Security Risk Analysis at least annually, and mitigate the risks you identify in a timely manner? If so, you have reason to sleep well at night. Keep up the good work.
Or are you more the dangerous-casserole-taster type, operating with an outdated HIPAA Security Risk Analysis, or worse, none at all? If so, has your organization actually weighed the likelihood of experiencing a breach (very high) against the expected cost of one (also very high)?
MPA can handle your HIPAA Security Risk Analysis
The HIPAA Security Risk Analysis is a lot to tackle, and it has become even harder to fit in during the pandemic. MPA can conduct your HIPAA Security Risk Analysis, saving you time and improving your security. Reply to this email to learn more.