HIPAA Basics: Guide to Security Risk Assessments (SRA), Breach Notifications
HIPAA requires businesses hosting sensitive information to "maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (electronic protected health information)."
Administrative safeguards include training employees on proper procedures for accessing and handling sensitive information and other onsite data access. Business Associate Agreements (BAAs) are also covered under administrative safeguards; they ensure that any third parties who may host protected information do so safely.
Technical safeguards include encrypting sensitive data, protecting ePHI from unauthorized access while it is transmitted over a network, and implementing authentication systems to ensure that only the right person is accessing sensitive information.
Physical safeguards are measures such as password-protecting computers containing e-PHI, properly disposing of devices that held patient records, and limiting access to areas housing this data.
What is the HIPAA SRA Tool?
In October of 2019, the Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released version 3.1 of the Security Risk Assessment Tool (SRA).
What does HIPAA's SRA tool do?
This downloadable tool acts as a preliminary risk assessment guide for small to medium healthcare providers. The HIPAA Security Rule mandates that providers conduct periodic risk assessments of their assets. While using the SRA Tool does not automatically make users HIPAA compliant nor 100 percent secure, it does assist them in identifying problematic aspects in their infrastructure, protocols and processes.
The tool is an independent application that stores the data locally only. It asks the user a number of simple questions related to existing HIPAA requirements. The user's answer to each question should help them determine if they must take action on the issue in question or not. Moreover, the tool allows providers to document additional comments and measures that will be taken to address any deficiencies.
How are HIPAA's SRA questions developed?
The SRA Tool questions are gathered from a number of resources, the first and most important of which is the HIPAA Security Rule itself. Furthermore, questions are also based on a number of National Institute of Standards and Technology (NIST) publications and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Why should you use the SRA tool?
The SRA Tool is a great asset to have in your toolkit. Aside from being an affordable starting point for small and medium providers, it is a user-friendly way to identify potential vulnerabilities and threats to ePHI. Results of risk assessments are color-coded and easy to understand. Moreover, it allows providers to assess all software and hardware involved with sensitive health records, including vendors and business associates. The SRA Tool can be used to conduct routine checks as often as the provider needs.
3 useful features of the SRA tool for HIPAA compliance
The tool takes into consideration that some terms may be unclear or require further information for the user to understand. Accordingly, in the event that users are unsure of what a word means, if it is underlined and in blue, they may click on it for clarification.
The SRA Tool asks users a series of questions relating to their implementation of standards mandated by HIPAA. It divides the questions into seven sections including:
Security Policies, Procedures, & Documentation
Security & Your Workforce
Security & Your Data
Security & Your Practice
Security & Your Vendors
After each section, the Tool prompts the user to select potential vulnerabilities and rate threats in terms of potential impact. This pool of data is then used to determine the provider or BA's risk level with regard to that specific section.
At the end of the risk assessment, the Tool produces a report that highlights any risk indications. The report includes a risk breakdown in the form of a color-coded pie chart, a risk assessment rating key, and the areas that must be reviewed.
As data breaches become more frequent and complex, healthcare organizations are encouraged to become familiar with HIPAA's Breach Notification Rule.
According to Health IT Security, the HIPAA Breach Notification Rule requires HIPAA covered entities to provide notification to individuals, regulators, and the media following a breach of protected health information (PHI).
The HIPAA breach definition is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information", as stated by the U.S. Department of Health and Human Services. Covered entities must provide notification if the breach involved unsecured PHI, which is PHI that has not been deemed unusable, unreadable, or indecipherable to unauthorized persons.
How to conduct a HIPAA breach risk assessment for an official notification
Organizations should develop and implement a cyber incident response plan that includes breach notifications.
When a breach is suspected, the Department of Health and Human Services (HHS) recommends taking the following four steps to conduct a HIPAA breach risk assessment:
Confirm if PHI was acquired or viewed.
Discover the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Identify the unauthorized person(s) who used the PHI or to whom the disclosure was made.
Determine the extent to which the risk to the PHI has been mitigated by the covered entity.
Conducting a risk assessment is an important piece of the investigation once a report is made. As Jesse Coleman, Partner at Houston-based law firm Seyfarth Shaw, states, "the Office for Civil Rights, which is the enforcement mechanism for the HHS Secretary, will look to this risk assessment if it turns out that there has been some sort of impermissible use or disclosure that was not reported."
Are there HIPAA breach exceptions to what needs to be reported?
HHS notes that there are three exceptions to the breach definition of PHI:
The unintentional acquisition, access or use of PHI by an employee or person acting under the authority of a covered entity or business associate.
The inadvertent disclosure by a person authorized to access PHI at a covered entity to another authorized person.
The covered entity or business associate has a "good faith belief" that the unauthorized person would not have been able to retain the information.
Who should be notified about HIPAA data breaches?
HHS requires three types of entities to be notified in the case of a PHI data breach: the affected individuals, the regulator (HHS's Office for Civil Rights), and, for larger breaches, prominent media outlets.
The notification must also include the following information:
Description of the breach.
Description of the types of information involved in the breach.
Steps that breach victims should take to protect themselves from harm.
Description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent further instances.
Contact information for the covered entity.
When should HIPAA data breach notifications be provided?
A covered entity must send written notification to affected individuals by first-class mail, or by email if the individual has agreed to electronic notice, without unreasonable delay and no later than 60 days after the breach is discovered.
If a covered entity experiences a breach affecting more than 500 residents of a state or jurisdiction, it is required to notify prominent media outlets within its state or jurisdiction within 60 days of breach discovery.
The Office for Civil Rights (OCR) must always be notified about a breach of unsecured PHI. If the breach impacts 500 or more individuals, the covered entity must inform the OCR within 60 days of breach discovery.
For breaches affecting fewer than 500 individuals, the covered entity can notify the OCR on an annual basis.
For more information on HIPAA data breaches
Covered entities and business associates are required to demonstrate that they have provided all necessary notifications in the event of a breach of PHI, or that they have determined through a risk assessment that the disclosure of unsecured PHI was not a breach of PHI.
HIPAA data breaches cost significant money and time for any healthcare organization.
The cost could exceed $2,000 per victim, not including other organizational costs:
Investigation: The organization must investigate the breach to uncover the root cause and immediately act to limit the amount of data that is stolen.
Remediation: Immediately implement new policies and procedures that will prevent any data breaches in the future. Document all this work as it will be subject to audit.
Operational Disruption & Changes: A data breach will be very disruptive to any organization. It will require focus and resources. The provision of healthcare services may even be impacted which will decrease revenue.
Breach Notifications: HIPAA rules require that notification letters be sent to all patients impacted. A single round of notification letters cost Anthem $40M in postage.
Identity Theft Prevention: HIPAA rules require healthcare organizations to pay for credit monitoring and identity theft protection for all patients who are breach victims. The cost will be approximately $10 per month and should be offered for at least 18 months.
Regulatory Fines: Fines of up to a maximum of $1.5 million per year, per violation can be assessed by the Office for Civil Rights. State attorneys general can also assess fines of up to $25,000 per violation.
Lost Business & Reputation: Some research studies show that 65% of people consider changing healthcare providers after a data breach.
Class Action Lawsuits: Healthcare organizations should expect that class action lawsuits may be filed because of a data breach. Such lawsuits often ask for damages of over $1,000 per person impacted. Other claims, such as negligence, may also be filed against healthcare providers.
Help Desk for Breach Victims: HIPAA rules require that a contact channel (such as a toll-free telephone number) be set up so that victims of a data breach can reach the organization to obtain additional information and status updates.
Presence Health, a healthcare network based in Illinois, agreed earlier in 2017 to pay a $475,000 fine after failing to report a breach of unsecured protected health information in a timely fashion. Officials of the Office for Civil Rights (OCR) noted that the length of time it took Presence to report the breach was not in accordance with HIPAA standards. This action represents the first HIPAA enforcement by the OCR against a healthcare provider for lack of timely notification of a breach.
The OCR was notified of the breach by Presence on January 31, 2014, despite the actual breach taking place on October 22, 2013. Paper-based documents containing the protected health information of 836 individuals had gone missing from the Presence Surgery Center at Presence St. Joseph Medical Center, located in Joliet, Illinois. Presence's failure to notify stretched beyond 60 days of discovering the breach, and none of the delay was attributable to unavoidable circumstances. The missing documents from Presence Health included patient names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.
As the action against Presence Health shows, compliance with HIPAA regulations and procedures is of paramount importance to healthcare providers and systems. Financially, this case has shown the extent of the monetary toll that HIPAA non-compliance can take on healthcare providers. By not complying with HIPAA procedure, Presence jeopardized protected information, creating various vulnerabilities for those affected and for the healthcare network itself. The delay also affected the OCR by hindering its ability to conduct a proper investigation into the breach, and therefore its ability to learn from the case and address security breaches and risks going forward.
HIPAA compliance is critical in order to ensure proper protection of data; however, it can be difficult to keep up to speed. Do the proper research to determine which programs are right for your company, so that they support the company's efficiency, compliance, and productivity.