Many health care organizations struggle to comply with required HIPAA regulations and many have forfeited important Merit-based Incentive Payment System (MIPS) incentive funds. Aligned Risk Management is here to ensure that every health care organization can affordably comply with HIPAA and MIPS. Below are four simple steps you can take today.
Visit our HIPAA site.
Call or email for a free HIPAA checkup.
Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.
Have an easy conversation with our certified HIPAA professional and gain confidence about your current HIPAA and MIPS readiness, or find out what steps you can take to benefit your organization and patients.
Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.
Federal HIPAA regulations and the advancing care information (ACI) category of MIPS require you to perform an audit-worthy security risk analysis and complete a risk management plan to become HIPAA and MIPS compliant. Aligned Risk Management will guide you through the process and provide you with the policy and procedure templates, tools, and materials necessary to comply with HIPAA, pass an audit, and receive the MIPS incentives you deserve.
Whether you are new to HIPAA or just need a refresher, you will find our HIPAA webinars informative and helpful. Join us as we share our HIPAA knowledge and experience, and answer your HIPAA questions.
A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.
Parts of a Risk Management Plan
Risk Response Plans
Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.
All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:
[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
The US Department of Health and Human Services defines a risk as:
The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.
Risks arise from legal liability or mission loss due to:
Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
Unintentional errors and omissions;
IT disruptions due to natural or man-made disasters;
Failure to exercise due care and diligence in the implementation and operation of the IT system.
When a risk event occurs, it is no longer uncertain. It becomes an issue.
Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts forms the basis of our risk assessment approach, which can be thought of as a formula:
Likelihood × Impact − Controls ⇒ Risk Level
The risk level is calculated using three underlying components:
Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?
To illustrate, a plane crashing into your office has a high impact, but a low probability. In fact, the probability is so low that the overall risk is probably insignificant. On the opposite end of the scale, a road construction project getting delayed due to rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.
What projects have been completed in the past and what unexpected issues occurred?
What was the response of the organization?
What permanent changes were made? Were they justified?
Did the response cause a corresponding loss of business?
Did the response cause a corresponding loss of future projects?
Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:
Very Low: The event is highly unlikely to occur under regular circumstances.
Low: The event is unlikely but should be noted by the project team.
Medium: The event has a normal chance of occurring and the project team should be aware of it.
High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
Very High: The occurrence of the event should be actively managed and mitigation actions taken.
Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.
Negligible: Theoretical risk. Unlikely to be a serious concern.
Vulnerability is very unlikely to be exercised, OR
Existing controls are highly effective at mitigating the risk, OR
Potential impact on security, privacy and availability of ePHI is low
Marginal: Unlikely to be an immediate concern, especially in light of other, more severe risks.
Some likelihood that vulnerability could be exercised
Existing controls provide some effective mitigation of risk
Serious: Potential for significant impact on operations. Effective risk management, or a reasonable plan for it, is recommended in the near future.
Vulnerability is likely to be exercised
Existing controls provide inadequate mitigation of risk
Potential for significant impact on security, privacy or availability of ePHI
Critical: Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of vulnerability could cause mission-critical damage to business operations. Prompt intervention strongly recommended.
Vulnerability is very likely to be exercised or is currently being exercised
Existing controls provide little effective mitigation of risk
Potential for high or even catastrophic impact on security, privacy or availability of ePHI
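The scoring approach above (Likelihood × Impact − Controls, then the Negligible/Marginal/Serious/Critical categories) as an added, runnable illustration; this is not Aligned Risk Management's tool. The numeric scales, the category thresholds and the sample risk register are assumptions constructed for the example; the page gives only qualitative criteria, so its explicit rules (the Negligible "OR" conditions, the HIPAA-required-control floor and the "currently being exercised" rule) are applied on top of the arithmetic.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed ordinal scales; the page gives qualitative criteria, not numbers.
LIKELIHOOD = {"very_low": 1, "low": 2, "medium": 3, "high": 4, "very_high": 5}
IMPACT = {"low": 1, "moderate": 2, "significant": 4, "catastrophic": 5}
# Control effectiveness is subtracted from the product (Likelihood x Impact - Controls).
CONTROLS = {"none": 0, "little": 2, "some": 5, "highly_effective": 10}
CATEGORIES = ["Negligible", "Marginal", "Serious", "Critical"]


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: str
    being_exercised: bool = False                 # page: Critical if currently being exercised
    hipaa_required_control_missing: bool = False  # page: Serious if a HIPAA-required control is absent


def score(risk: Risk) -> int:
    """Likelihood x Impact - Controls, floored at zero."""
    raw = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact] - CONTROLS[risk.controls]
    return max(raw, 0)


def categorize(risk: Risk) -> str:
    """Map a risk onto the four categories; thresholds are an assumption."""
    s = score(risk)
    if s >= 15:
        cat = "Critical"
    elif s >= 8:
        cat = "Serious"
    elif s >= 3:
        cat = "Marginal"
    else:
        cat = "Negligible"
    # Page rule: Negligible if ANY of very unlikely / highly effective controls / low impact.
    if (risk.likelihood == "very_low" or risk.controls == "highly_effective"
            or risk.impact == "low"):
        cat = "Negligible"
    # Page floors take precedence over the Negligible rule.
    if risk.hipaa_required_control_missing and CATEGORIES.index(cat) < 2:
        cat = "Serious"
    if risk.being_exercised:
        cat = "Critical"
    return cat


def prioritize(register: list[Risk]) -> list[tuple[str, str, int]]:
    """Order a register for the risk management plan: category first, then score."""
    rows = [(r.name, categorize(r), score(r)) for r in register]
    return sorted(rows, key=lambda row: (-CATEGORIES.index(row[1]), -row[2]))


# Constructed sample register; only the plane and stale-account scenarios come from the page.
SAMPLE_REGISTER = [
    Risk("Former-employee accounts never deactivated", "high", "significant", "little",
         hipaa_required_control_missing=True),
    Risk("Plane crashes into the office", "very_low", "catastrophic", "none"),
    Risk("Unencrypted laptop holding ePHI is lost", "medium", "catastrophic", "none"),
    Risk("Phishing campaign harvesting staff credentials", "medium", "significant", "some",
         being_exercised=True),
    Risk("Backup restore procedure never tested", "medium", "significant", "some"),
]

if __name__ == "__main__":
    for name, cat, s in prioritize(SAMPLE_REGISTER):
        print(f"{cat:10} {s:2}  {name}")
```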
A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?
What assumptions has the project budget made?
What assumptions has the project schedule made (completion date, milestones, etc.)?
What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
Which relationships (owner, sponsor, client, contractor, consultant) are being assumed to be strong when they are not necessarily so?
How many previous projects with similar components have been completed successfully? What were the project issues?
Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.
Aligned Risk Management helps healthcare organizations streamline and simplify HIPAA compliance efforts so that you can get back to providing the critical services your patients need. Our expert consulting staff works with you to ensure the privacy, security, and integrity of your systems. This specialized knowledge makes us the leading consulting firm for HIPAA compliance and healthcare risk management.
We’ll play defense so you don’t have to…
Defense of protected health information and the security of your systems is important to the safety of your patients. But it is also critical to the success of your practice. Data privacy concerns make headlines every day, and healthcare companies are especially vulnerable to the effects of unaddressed risk. Patient concern is growing. Regulations are poised to become more demanding. You want to concentrate on better serving your patients, and we make that possible.
…but our process doesn’t stop with just a risk assessment.
Risk management is a process, so our program includes regular follow-ups to make sure that you are successful. We assist in implementing recommendations and in documenting your efforts to ensure your success in case of an audit. Together, we’ll find high-value solutions that really matter, instead of wasting resources on unnecessary tools or time-consuming procedures that do not fit the way your organization operates.
Compliance with HIPAA can feel overwhelming. The most frequent question we hear is “Where do I start?” Start right here with Aligned Risk Management, and put yourself ahead of the curve.
HIPAA fines are up. Audits by the Department of Health and Human Services are up. 2019 is shaping up to be a rather tumultuous and dangerous year for healthcare providers as they ramp up to address their HIPAA privacy obligations.
And here are four steps to start out ahead this year.
1. Do SOMETHING.
There are so many different ways to start tackling another aspect of HIPAA. Do you want to make some headway in implementing technical safeguards? Great! Start with two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it’s realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you’ll have to start somewhere.
“When eating an elephant take one bite at a time.”
Creighton Williams Abrams Jr.
I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.
2. Business Associate Agreements
I’ve seen a lot of embarrassingly insufficient business associate agreements (BAA). As a recap, a “business associate” is likely a vendor to a healthcare provider, other than a member of the workforce of a covered entity, who provides certain services to a covered entity. Remember, this service directly involves access by the business associate to protected health information (PHI).
Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.
As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?
Once you’ve done some review of those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.
3. Policies and Procedures
Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking any shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.
Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but if that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.
Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!
4. Risk Assessment
Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger. We’re not the bad guys. We’re here to help you.
Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of. It can make you aware of problematic business operations that really ought to be corrected and streamlined.
And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.
Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and HITECH?
Classifying the entity
Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and the HITECH Act? Yes. In general, a provider that “transmits any health information in electronic form in connection with a transaction covered by this subchapter” is considered a covered entity. Moreover, according to the 45 CFR §160.103(2)(ii)(3), “a covered entity may be a business associate of another covered entity.” In fact, CMS recognized that as a government agency, it is subject to HIPAA, the HITECH Act and related rules in an October 2012 report issued by the Office of the Inspector General, “CMS Response to Breaches and Medical Identity Theft.”
In turn, a business associate, as defined by the HIPAA Rules, is “a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information” (emphasis added). A subcontractor is a person who contracts with a business associate and stores, handles or transmits PHI. Regardless, under Section 164.308(b) of the Security Rule and 164.502(e) of the Privacy Rule, a covered entity or business associate is required to enter into an arrangement known as a business associate agreement to provide parameters and some legal protection when a contracted entity is handling PHI.
Effective Feb. 18, 2010, Section 13408 of the HITECH Act provides that health information organizations, e-prescribing gateways, vendors of personal health records and other persons that facilitate data transmission and require access to PHI, regardless of their status as a covered entity, business associate or subcontractor, are subject to business associate agreements in accordance with the HIPAA Rules.
Therefore, medical device and pharmaceutical companies can be classified as a qualifying entity subject to HIPAA and the HITECH Act. As such, they are subject to handling, storing and transmitting in accordance with the requisite laws and regulations. The consequences from civil and criminal monetary penalties alone are significant. Since the HITECH Act expressly expanded HIPAA’s requirements to business associates and subcontractors, the same standards for access to medical records, business associate agreements and other provisions equally apply.
Patient access rights
The tension between patients wanting to have access to their health data from a medical device, which is implanted in them, and a medical device company is highlighted. According to a representative of a medical device maker quoted in the article, “Federal rules prohibit giving Ms. Hubbard’s data to anyone but her doctor and hospital. Our customers are physicians and hospitals.” In general, 45 C.F.R. §164.524, Access of Individuals to Protected Health Information, sets forth the parameters of the HIPAA Privacy Rule. Included in these standards are the circumstances for providing protected health information to a patient and exceptions. Nothing in the scenario of the PHI being transmitted from a patient’s implant to a medical device company, which would be classified as a business associate in this instance, invokes an exception to deny the patient’s request.
Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act authorizes penalties to be assessed for violations of the Privacy Rule. In February 2011, HHS issued a Final Notice of Determination and held Cignet Health, a business associate, liable for $4.3 million in civil monetary penalties when they denied 41 patients access to their medical records. As OCR Director Georgina Verdugo indicated, “covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements.” And, “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.” This area should be considered in drafting business associate agreements. Therefore, business associates such as Medtronic are required to release the PHI to the patient requesting the information, unless one of the exceptions is met, and the patient is informed.
A Request for Proposal (RFP) is one of the best ways to find out what each HIPAA security risk assessment vendor has to offer your organization, provided you structure it properly.
From the August 2004 Issue of HIPAA Security Compliance Insider.
Like many organizations, your organization may not have the resources to conduct a HIPAA security risk assessment that compares your technical and nontechnical security measures to HIPAA’s requirements. That’s where an outside security assessment vendor can help. It can identify and explain your security weaknesses and the potential threats and vulnerabilities to your electronic protected health information (EPHI). Plus, a security assessment vendor can give you advice on what security measures you should implement to comply with HIPAA’s security regulations and stay in business.
But how do you know which security assessment vendor is the best one for your organization? One good way is to put together a request for proposal (RFP) that you send to prospective HIPAA security risk assessment vendors. Creating an RFP for prospective vendors will help you focus your security assessment project. And it will give you a chance to review and compare prospective vendors’ written responses to questions tailored to your organization. “Done well, an RFP is an indispensable tool for visualizing a project; and it provides a concrete roadmap for your relationship with the vendor you select,” says information technology attorney Jay Hollander.
We’ll tell you the steps you should take to start the process of choosing the right HIPAA security risk assessment vendor, including how to set up an RFP. And to help you set up your own, we’ll give you a Model Form of an RFP that you can adapt and distribute to potential vendors.
Follow Three Steps to Start Your HIPAA Security Risk Assessment Vendor Selection Process
According to Hollander, choosing a vendor to perform a HIPAA security risk assessment should start with three steps.
Assess needs/scope of project. First you must identify what areas your HIPAA security risk assessment should include. Do you need an assessment of your physical access controls and security policies? Should the vendor conduct a penetration test of your internal and external networks to see how easily they can be breached? “Each organization’s needs will be different,” says information security consultant Earl Crane. For example, smaller organizations that don’t transfer EPHI over extranet connections probably won’t need a security assessment of their extranet, he explains.
Insider Says: For a list of the various areas an organization’s security assessment might need to cover, click here. You can use this list to help you identify your own needs so you can communicate them to prospective vendors.
Narrow list of vendors. Next, you will need to get a list of prospective vendors. To do this, you can search for security assessment vendors on the Internet or ask colleagues for recommendations. Narrow your list by considering the vendors’ experience, general pricing approach, and the services they provide, says Hollander.
Focus on vendors that have the ability to assess both your technical and nontechnical security, recommends Crane. To get a complete picture of your security practices, you will need a technical assessment and a policy assessment, preferably by the same vendor, he explains. “Look for a vendor with a good understanding of HIPAA’s security regulations, and a good technical reputation,” he adds.
Prepare RFP. Once you’ve narrowed your list of prospective vendors down to four or five, it’s time to create an RFP. Your RFP, like ours, should include the following provisions:
Purpose and goals. Begin your RFP with a brief explanation of the reason you’re seeking a HIPAA security risk assessment vendor and your goals for the assessment—that is, to identify and repair security gaps and comply with the HIPAA security regulations.
Proposal contact and method of evaluation. Give prospective vendors the name and contact information of a knowledgeable person in your organization to whom they can go for more information. And tell them who should receive the proposals and any additional information your organization might need [Form, sec. 2(a)]. Also tell them the factors that will affect your decision to accept a proposal. Explain that your consideration of the proposals will be based on more than cost, says Crane. This way, they’ll understand that they may be rejected even if they have the lowest bid.
Schedule. Vendors will also need a schedule that outlines the RFP process from beginning to end, including the date when:
Responses to the RFP are due;
Vendor interviews will be held;
Supplemental information must be received;
A decision will be made; and
The project should start and finish.
Organization information. To understand the scope of the project and price it appropriately, prospective vendors will need a basic description of your organization and the information systems it currently uses. Be sure to describe all hardware and software, and let prospective vendors know how many active IP addresses your organization uses.
Scope of project. Based on the needs assessment you conducted before you narrowed down your vendor list, define the scope of the project in your RFP. Be precise, says Crane. Otherwise, your vendors might not bid on the same project, resulting in service and pricing differences that could be hard to identify and compare. And ask your vendors to break down their costs and the amount of time they require for each type of assessment you list in your RFP, Crane adds.
Confused? That’s okay! Call Aligned Risk Management for help: