Last week I had the opportunity to present at the NC Public Health Association's Fall Education Conference on "The New Normal for HIPAA: Quality Improvement and Technology." Now, I will confess, sitting down to conduct a Zoom conference in the middle of a pandemic from my (now no longer 'new') home office, it felt like utter hubris to claim foresight of what "normal" is going to look like in any sphere. After all, 2020 has taught us all something about the limitations of the human imagination when it comes to mid-season plot twists. There are some things, however, that we can rely on and for which we need to continue to prepare. Continued compliance with evolving Health Insurance Portability and Accountability Act (HIPAA) regulations is one such thing.
At the beginning of the pandemic, the Secretary of the Department of Health and Human Services ("DHHS") issued notices that it would not pursue sanctions against providers for violations of certain provisions of the Privacy Rule where providers and their business associates demonstrate a "good faith" effort at compliance during the course of the national Coronavirus Public Health Emergency. While this discretionary abeyance of penalties remains in place for violations that may occur during the course of the emergency, it does not apply to violations that occurred prior to the onset of the pandemic, nor does it apply to all covered entities or to every part of the HIPAA regulations: the notices are narrow in scope, and the Security Rule's standing obligations, the risk analysis requirement among them, remain in force.
Indeed, while the end of the current public health crisis remains out of sight, the Office for Civil Rights (OCR), the agency within DHHS responsible for enforcing the HIPAA Privacy and Security Rules, has recently signaled a return to regularly scheduled programming, publishing a slew of new settlements of enforcement actions over the past month (following a predictable lull during the onset of the crisis).
As usual, these recent actions reflect OCR's enforcement focus and operational priorities, and two messages come through loud, clear, and unequivocal. The first is the subject of this article: the importance and centrality of an organization's security risk assessment.
THE INDISPENSABLE SECURITY RISK ASSESSMENT
A periodic security risk assessment is the required first step in evaluating an organization's electronic protected health information (ePHI) assets and vulnerabilities and in managing them. The regularity and thoroughness of this evaluation is also the first evidence of an organization's good faith efforts to meet its obligations to safeguard the confidentiality, integrity, and availability of the protected health information in its care. Failure to conduct an adequate risk assessment, or to keep one up to date, is among the most frequently cited deficiencies in OCR enforcement actions of recent years.
The Security Rule itself calls this step a "risk analysis" (45 CFR § 164.308(a)(1)(ii)(A)), and it is the first step in risk management. You cannot be in compliance with the Security Rule without first having completed it, because every safeguard you choose afterwards is supposed to be justified by what the analysis found.
The purpose of the security risk assessment is to:
- Inventory ePHI assets and exchange pathways;
- Identify potential threats and vulnerabilities to the protected data;
- Assess the adequacy of existing protocols to protect data, and whether these compliance tools are used properly; and
- Determine the likelihood and impact severity of reasonably foreseeable threats. The risk assessment should thus prioritize risk areas for an organization and lay out the roadmap for addressing those risks.
The assessment is essentially the cornerstone of an organization’s annual HIPAA compliance plan.
Of course, an organization cannot foresee or forestall all risks. Many threats are outside of an organization’s immediate control. This is particularly true in our increasingly complex digital world.
Data breaches via cyber-attack are an increasingly common occurrence. Consider that in 2019 alone, an estimated 38 million health records were compromised by electronic data breaches, a 20% increase over the previous year. That should make all stakeholders sit up and pay attention. After all, under the Security Rule a covered entity is responsible not only for its own conduct and that of its workforce and business associates, but also for protecting ePHI against the actions of outside attackers.
The Cautionary Tale of Athens Orthopedic
The recent settlement with Athens Orthopedic Clinic, PA, a mid-sized surgical practice in Athens, Georgia, illustrates the importance of this lesson. Athens Orthopedic, among other providers, was the target of a hacking and extortion attack in 2016 by the (notorious) hacking group "The Dark Overlord."
Over 200,000 patient records, including social security numbers, were compromised and subsequently posted online after the attempt at extortion failed. The hackers continued to access and exfiltrate patient data for nearly a month after the practice first learned of the breach. The practice notified OCR of the breach and took steps to address the issue; however, OCR's investigation into the clinic's compliance prior to the breach identified multiple substantive alleged deficiencies.
First and foremost among those deficiencies was Athens Orthopedic's failure to conduct a risk analysis. Additionally, the practice was cited for inconsistent use of business associate agreements, outdated or inadequate Privacy and Security policies and procedures, and lack of staff training. Last month, OCR announced a resolution of the matter, with the practice agreeing to pay $1.5 million and accepting a corrective action plan.
The allegations resulting from OCR's investigation are, if true, egregious. In OCR's words, the practice's deficiencies represented "longstanding, systemic noncompliance with the…Privacy and Security Rules," and that is reflected in the size of the settlement (and presumably in the scope of the corrective action plan).
While organizations with lax or sporadic security controls, like Athens Orthopedic, are prime targets for cyber-attack, no system is invulnerable. It is, therefore, all the more important to control what you can. Conducting a risk assessment on a routine basis (at least annually, and again whenever your environment changes materially, such as after adopting a new system, engaging a new vendor, or experiencing a security incident) is the first step toward exercising any control over your risk profile and operations. Exercise vigilance: identify vulnerabilities, take steps to mitigate threats, and document these efforts through your (routinely updated) risk analyses and security protocols.