HIPAA Highlights: Assessing Risk via HIPAA and the HITECH Act

Editor's Note: This is the fifth in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.

In general, assessing risk, especially in relation to HIPAA and the HITECH Act, can be considered in terms of Enterprise Risk Management (ERM). According to the American Health Lawyers Association, ERM is "[a]n ongoing business-decision making process instituted and supported by a healthcare organization’s board of directors, executive administration, and medical staff leadership."[1] This goal is to assess and reduce synergistic risk across the continuum of care to increase the quality of care, optimize return on investment, and preserve assets.[2] A comprehensive risk assessment, which encompasses operational, financial, human capital, strategic, legal/regulatory, and technology arenas should be conducted both within the organization and with outside business associates.

The notion of assessing risk and establishing accountability processes is the fundamental premise of Section 6401 of The Affordable Care Act’s requirement for compliance programs.[3] "[A] provider of medical or other items or services or supplier within a particular industry sector or category shall, as a condition of enrollment in the program under title, title XIX, or title XXI, establish a compliance program that contains the core elements established under subparagraph (B) with respect to that provider or supplier and industry or category."[4] The CMS Manual includes compliance program guidelines and reflect an overall emphasis on effective prevention, detection, and correction of non-compliance, as well as identifying and curtailing fraud, abuse, and waste. Among the fundamental elements are:

• Written policies and procedures;
• Compliance Officer and Committee;
• Effective training and education;
• Communication protocol;
• Well-defined and notice of disciplinary standards;
• Monitoring and auditing system; and
• Response plan.[5]

While the ERM guidelines and compliance program guidelines can be used to assess risk broadly, when evaluating risk in relation to HIPAA, the related regulations and the HITECH Act, three specific assessments need to be conducted.

First, under the Security Rule, a security evaluation is required. As set forth in 45 C.F.R. §164.306, 308(a)(8), covered entities, business associates, and subcontractors are required to "[p]erform periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security rule of electronic protected health information, that establishes the extent to which a covered entity or business associate’s security policies and procedures meet the requirements of this subpart." Notably, in the final rules, the HHS'  Office for Civil Rights (OCR) confirmed that business associates have responsibility for entering into written business associate agreements with their subcontractors.[6] Hence, this should be considered a first step in an ERM approach to HIPAA and the HITECH Act assessments.

Next, a risk assessment of express items is required under the Security Rule at 45 C.F.R. § 164.308(a)(a)(ii)(A) (specifying 45 C.F.R. §§310 and 312). In July 2010, OCR issued Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. This assessment is quite technical and, according to the OCR Guidance, would be ideally performed according to NIST SP800-30, Revision 1 Guide for Conducting Risk Assessments.[7]

Finally, a risk of harm assessment is required under the Breach Notification Rules. While this may be considered a responsive requirement, that is if an actual breach is identified then the requirement is triggered, an organization should address the implications and notification requirements as part of its larger ERM analysis.

In sum, conducting a risk assessment on an organizational level in accordance with a comprehensive compliance program can assist organizations in identifying the areas of noncompliance and potential liability, as well as efficiencies. Therefore, in relation to HIPAA and the HITECH Act, it is incumbent upon physicians to comply with each of the three requisite assessments and establish an effective ERM plan.

Rachel V. Rose would like to thank Bob Chaput, CISSP, CIPP-US, founder and CEO of Clearwater Compliance (Nashville, Tenn.) for his insights. Rachel and Bob collaborated on HIPAA Texas Style HB 300 .

[1] American Health Lawyers Association, Enterprise Risk Management Handbook for Healthcare Entities, Second Edition, p. 645 (2013).

[2]Ibid.

[3] 42 U.S.C. §1395cc(j)(8); see Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152) (amending the Patient Protection and Affordable Care Act of 2010 (Pub. L. 111-148) and known collectively as the Affordable Care Act (ACA).

[4]Id. at 8(A).

[5]See 75 Fed. Reg. 58204 (Sept. 23, 2012); and 76 Fed. Reg. 5862 (Feb. 2, 2011).

[6]See generally 45 C.F.R. § 164.306 – Administrative Safeguards. The inclusion of subcontractors within the scope of a business associate was identified in 75 Fed. Reg. 40868, 40882 (Jul. 14, 2010).

[7]http://abouthipaa.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf. See also, NIST SP800-66 for additional guidance.