HIPAA regulations require health care organizations to have an information security program that properly safeguards patients’ protected health information (PHI). But there’s still much confusion among organizations about what their exact responsibilities are and what risks they should avoid.
If your health care organization has struggled to understand its risk management responsibilities, you’re unfortunately not going to get any sympathy from the Office for Civil Rights (OCR). If OCR finds out your organization doesn’t have a risk management program or isn’t doing enough to manage risk, you’ll face penalties for noncompliance. Other organizations that are involved with HIPAA enforcement — state attorneys general, CMS and accreditation organizations — are also not sympathetic to a lack of risk management.
But there is help available! Wipfli has years of experience performing HIPAA risk assessments, which is the first step in developing a robust risk management program. And from our assessments, we’ve discovered four common mistakes that health care organizations make with information risk management. Learn what they are — and what you can do to mitigate them — below.
1. Failing to Execute Any Risk Management
When OCR performed the second phase of its HIPAA compliance audits in 2017, it discovered that 94% of health care organizations have substandard risk management plans. At Wipfli, we also have discovered that many health care organizations have not done a very good job with risk management. These organizations are putting themselves at risk for cyberattacks, data breaches and civil action lawsuits.
Plus, they’re violating OCR’s compliance regulations. Over the past two years, HIPAA violations have resulted in 20 settlements and two civil monetary penalties, costing health care organizations millions of dollars.[1]
While HIPAA can be confusing, health care organizations need to look at information risk management the same way they look at patient safety risk management or financial risk management. It’s another crucial part of the business that needs to be evaluated. Developing a comprehensive risk management program can save you millions of dollars, protect your organization’s reputation and avoid costly and time-consuming litigation.
2. Evaluating Risk Only Once a Year
Even if your organization is executing some level of risk management, you may not be doing it often enough. Health care organizations that only perform an annual assessment of risks are most likely missing new risks throughout the year. Keep in mind that information risks are not only technology-related.
This makes continuous monitoring vital. A risk previously identified as low might become high over time due to changing processes or technology. Risks that were once considered high might become less important, meaning money you’re using to mitigate that risk can be redirected to protect your organization from a new potential threat.
3. Focusing on One Facet of Information Security
Information security involves more than you’d first think. It spans departments, from IT to HR, and involves both physical security and cybersecurity.
We’ve found that many health care organizations don’t focus on all the facets of security that are essential to the organization. A comprehensive approach is necessary to developing a successful risk management program. Examine your administrative, physical, operational and technical controls to get a complete picture of where you stand with risks to your information and how you can minimize them.
4. Overlooking the Importance of Documenting Decisions or Involving Leadership
It may surprise you, but we’ve found that many health care organizations don’t adequately document their risk management decisions and don’t get approval from leadership when accepting risk that most likely impacts the entire organization or its reputation. Your risk management strategy should support your organization. Getting your leadership team involved brings a diverse level of thinking and consideration that helps avoid negative impacts and ensures you make the best decisions for your organization.
Be sure to document this process, too. We’ve already discussed how continuous monitoring is a huge component of a successful risk management program. Keeping track of your decisions — where you’ve spent money, and where you’ve noted lower-level risks but decided to monitor them instead of mitigating them — makes it easier to continually reassess and minimize risk. Plus, you never know when an external audit or investigation may occur, looking to investigate a complaint or evaluate your compliance.
Developing a Comprehensive Risk Management Program
So what do these four issues have in common? They’re signs an organization does not have an effective information risk management program in place.
An information risk management program includes four parts: assessment, analysis, mitigation and continuous monitoring. That’s right, risk assessment and risk analysis are not interchangeable!
A risk assessment identifies anything that could be considered a risk, whether it’s technology-related, a lack of policies and procedures or inadequate physical security. A risk analysis looks at each risk the assessment identified, evaluates the impact and likelihood it will occur and labels it a high, medium or low risk. It then dives into the potential consequences of not dealing with one or more of the risks.
Mitigation, of course, involves reducing the impact and likelihood of each identified risk. It identifies the time, money and/or resources you’ll need to put into bringing a risk to an acceptable level.
As for continuous monitoring, it can’t be overstated how important this fourth step is to protecting your organization and your patients. It’s an essential part of your due diligence as a health care organization, and it can also be a cost-saving measure, if it is determined that a risk no longer needs the level of protection originally implemented.
Getting the Help You Need
There’s nothing in HIPAA’s regulations that stipulates any of the above must be done by a third party, but it is recommended that you get experienced and specialized help from outside your organization when needed. Wipfli’s health care team has advised on the development of many risk management programs, structuring each one to fit the organization’s unique needs.
Remember that risk management should not be looked at as exclusively a HIPAA requirement. Information risk management should address all types of sensitive and confidential information, regardless of the form (e.g., electronic, paper, verbal, etc.).
If you would like to learn more, contact Wipfli.
[1] “Noncompliance with HIPAA Costs Healthcare Organizations Dearly,” HIPAA Journal, December 13, 2017, https://www.hipaajournal.com/noncompliance-with-hipaa-costs/, accessed June 27, 2018.