AE July/August 2018 Vol 27 No 4 - 14

RUNNING THE PRACTICE // INFOTECH

SECURITY RISK ANALYSIS: ANOTHER LOOK AT WHY PROVIDERS MIGHT MISS THE MARK
Jeanne S. Holden

A quick look at enforcement actions reveals that risk analysis is crucial to successful compliance with the HIPAA Security Rule. This article builds on "HIPAA, Hidden Risks, and Security Risk Analysis" (July/Aug 2016 AE) and helps clarify the confusion some practices might experience when trying to be in compliance.
RECURRING THEME
In February 2017, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), fined Children's Medical Center of Dallas $3.2 million for impermissible disclosure of unsecured electronic protected health information (ePHI) and noncompliance. "Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential," said then-Acting OCR Director Robinsue Frohboese.

One year later, Fresenius Medical Care North America agreed to pay $3.5 million for failing to implement risk management plans and failing to deploy measures to protect ePHI. "The number of breaches [5], involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity," said OCR Director Roger Severino.

Inadequate risk analysis and risk management are recurring themes in HIPAA settlements and corrective action plans. In fact, healthcare providers sometimes believe they have met the risk analysis requirement when they have not. Below are questions practices might consider to avoid costly HIPAA fines.
THE REQUIREMENT
Security risk assessment (SRA) is the first step in complying with the HIPAA Security Rule. "Quite simply, you cannot protect your data against threats that you don't know exist," said Cathy Bryant, RN, CHPC, Manager, Product Development and Consulting Service, Texas Medical Liability Trust. HIPAA requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]" (45 CFR 164.308(a)(1)(ii)(A)).

Bryant emphasized the need to act once risks are identified. The Security Rule's companion risk management standard (45 CFR 164.308(a)(1)(ii)(B)) requires that covered entities "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." An assessment that identifies risks but produces no documented remediation plan does not satisfy the Rule.
There are many ways to perform an SRA, but no single method guarantees HIPAA compliance. The National Institute of Standards and Technology's Guide for Conducting Risk Assessments (SP 800-30) outlines examples of steps the process might include. Regardless of the method chosen, a risk analysis must incorporate these elements [1]:
* Define the scope
* Gather data
* Identify/document potential threats and vulnerabilities
* Assess current security measures
* Determine the likelihood/potential impact of threats
* Determine the level of risk
* Finalize documentation
Yet the Security Rule does not specify how often a risk analysis must be performed. "Conducting an SRA every 1-2 years is currently best practice," advised Bryant. A written policy and procedure detailing how your organization will conduct an accurate and thorough assessment, and how that assessment will be periodically reviewed and updated, is required.
Most experts recommend an update after any significant operational or environmental change or after a security incident. According to Kimberly L. Cappleman, an attorney with Phelps Dunbar LLC (Tupelo, Miss.), certain questions can help a practice determine whether a new assessment is needed. For instance, has your organization
* Added new healthcare components or information systems not considered in previous SRAs?
* Executed appropriate business associate agreements for all new business associates?