Stethoscope laying on keyboard with HIPPA highlighted on green button.

Part B News recently highlighted findings from a recent HIPAA compliance Healthcare Industry audit review. Physician practices are not performing a security risk analysis to understand their risk areas. A security analysis is not only recommended for HIPAA compliance, but for reducing cybersecurity risks.

The audit, which was conducted in 2016 and 2017, included a wide range of covered entities: health care providers, health plans and health care clearinghouses, and practitioners made up more than 45% of the audited entities.

The report, released December 2020, found that only 14% of the audited providers and organizations met the requirements in HIPAA’s Security Rule regarding these risk analyses. Problems that the OCR identified included a failure to develop the policies and procedures needed to process a risk analysis, failure to conduct a risk analysis and failure to identify vulnerabilities that could threaten the confidentiality or integrity of its electronic patient protected health information (ePHI).

The OCR also found evidence of a fundamental failure to understand the risk analysis itself. For instance, the OCR received irrelevant documentation, such as patient insurance prescription coverage. Other audited organizations sent compliance template manuals created by third parties without evidence that the organization had customized or used the manual. A few organizations submitted the security activities that a security vendor conducted on the organization’s behalf but did not send the actual risk analysis that would have served as the basis for the vendor’s activities. 

Under HIPAA, your practice must conduct a risk analysis and then use the results to comply with other aspects of HIPAA’s Security Rule, such as identifying what data to back up and the appropriate manner of protecting transmissions of health information. The OCR considers the risk analysis to be “foundational.”

As a result, the OCR continues to collect settlements. The majority of settlements with the OCR involving breaches of ePHI stem from the failure to conduct an appropriate risk analysis that would have identified those threats and vulnerabilities.

Examples include Athens Orthopedics’ payment of $1.5 million in September 2020. The OCR’s investigation “discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates and provide HIPAA Privacy Rule training to workforce members,” according to the press release published Sept. 21, 2020.

 Moreover, a practice that does not conduct a HIPAA-compliant risk analysis will flunk participation in the Merit-based Incentive Payment System program (MIPS). MIPS requires participating physicians to attest that they conducted or reviewed an existing risk analysis as part of the promoting interoperability quality measure. A false attestation could trigger a repayment obligation or False Claims Act settlements.

Performing a comprehensive security analysis is a fundamental first step for HIPAA Security compliance. It also will assist in reducing or preventing cybersecurity attacks. There is an obvious cost/benefit to performing this critical risk analysis for your physician practice.