OCR: Conduct Risk Analysis - Or ElseHIPAA Enforcer Emphasizes Importance of Assessments
As federal regulators ramp up HIPAA enforcement activities, including soon-to-be-restarted compliance audits, there is one clear and familiar theme that officials are still hammering home: You must conduct a comprehensive and timely risk assessment - or face the consequences.
In one of her first public appearances since taking on the role of the nation's top HIPAA enforcer, Jocelyn Samuels, director of the Department of Health and Human Services Office for Civil Rights - spotlighted the importance of conducting a timely risk assessment, as required under the HIPAA Security Rule, to pave the way for mitigating risks and avoiding breaches. Her remarks came during a Sept. 23 keynote presentation at the annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology.
"We continue to see a lack of comprehensive and enterprisewide risk analysis and risk management that leads to major breaches and other compliance problems," Samuels said. "That is why enforcement is a critical part of our arsenal of tools to ensure compliance. Resolution agreements that include a monetary settlement are only a small fraction of complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously."
When the OCR investigates a breach, Samuels said, "we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program."
Samuels also emphasized the importance of training the workforce to identify and respond appropriately to security incidents. That, she said, helps to "ensure that entities take the necessary steps to address and prevent future incidents and to mitigate harm to affected individuals."
Another OCR official reminded attendees at the conference - which took place exactly one year after enforcement of HIPAA Omnibus Rule went into effect - that OCR's pilot HIPAA compliance audit program of 115 covered entities in 2012 found that the lack of a HIPAA security risk analysis is the most common compliance shortfall.
"Two-thirds [of entities audited] did not do a risk assessment," said Linda Sanches, OCR senior adviser.
Business associates will be subject to HIPAA compliance audits in the next phase of the program, which will begin "in the near future," Sanches said earlier this month at another industry event.
Even if an organization is not chosen for a random audit, an OCR breach investigation can also uncover the lack of a thorough and timely security risk assessment, Sanches noted during the NIST/OCR conference.
And it's not necessarily the breach itself that will bring a potential financial penalty from OCR - it's what investigators find when they dig into the incident, she pointed out. "Did you have systems and a plan and tools in place to reduce risk? Did you do an assessment to mitigate risks?"
In response to an audience question about how frequently organizations should perform a comprehensive risk analysis, Sanches said assessments should be conducted "when there are changes in the environment ... new records management, new devices."
To boost information security programs beyond the requirements of HIPAA, Sanches also noted that the NIST cybersecurity framework provides healthcare organizations with a roadmap for "looking where you are now, and where you want to be."