AE July/August 2018 Vol 27 No 4 - 14

RUNNING THE PRACTICE // INFOTECH

SECURITY RISK ANALYSIS - ANOTHER LOOK AT WHY PROVIDERS MIGHT MISS THE MARK
Jeanne S. Holden

A quick look at enforcement actions reveals that risk analysis is crucial to successful compliance with the HIPAA Security Rule. This article builds on "HIPAA, Hidden Risks, and Security Risk Analysis" (July/Aug 2016 AE) and helps clear up the confusion some practices may experience when trying to comply.

RECURRING THEME
In February 2017, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), fined Children's Medical Center of Dallas $3.2 million for impermissible disclosure of unsecured electronic protected health information (ePHI) and noncompliance. "Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential," said then-Acting OCR Director Robinsue Frohboese.

One year later, Fresenius Medical Care North America agreed to pay $3.5 million for failing to implement risk management plans and failing to deploy measures to protect ePHI. "The number of breaches [5], involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity," said OCR Director Roger Severino.


Inadequate risk analysis and risk management are recurring themes in HIPAA settlements and corrective action plans. In fact, healthcare providers sometimes believe they have met the risk analysis requirement when they have not. Below are questions practices might consider in order to avoid costly HIPAA fines.

THE REQUIREMENT
Security risk assessment (SRA) is the first step in complying with the HIPAA Security Rule. "Quite simply, you cannot protect your data against threats that you don't know exist," said Cathy Bryant, RN, CHPC, Manager, Product Development and Consulting Service, Texas Medical Liability Trust. HIPAA requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]."

Bryant emphasized the need to act once risks are identified. The Security Rule requires that covered entities "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

There are many ways to perform an SRA, but no single method guarantees HIPAA compliance. The National Institute of Standards and Technology's Guide for Conducting Risk Assessments (SP 800-30) outlines examples of steps the process might include. Additionally, a risk analysis must incorporate these elements regardless of method:[1]

* Define the scope
* Gather data
* Identify/document potential threats and vulnerabilities
* Assess current security measures
* Determine the likelihood/potential impact of threats
* Determine the level of risk
* Finalize documentation

Yet the Security Rule does not specify how often to perform risk analysis. "Conducting an SRA every 1-2 years is currently best practice," advised Bryant. What is required is a written policy and procedure detailing how your organization will conduct an accurate and thorough assessment, and how that assessment will be periodically reviewed and updated.

Most experts recommend an update after any significant operational or environmental change or security incident. According to Kimberly L. Cappleman, an attorney with Phelps Dunbar LLC (Tupelo, Miss.), certain questions can help a practice determine if a new assessment is needed. For instance, has your organization

* Added new healthcare components or information systems not considered in previous SRAs?
* Executed appropriate business associate agreements for all new business associates?


