One of the most important aspects of complying with the HIPAA Security Rule is performing a risk assessment (the Rule itself calls it a risk analysis) to evaluate how an organization is protecting patient data. The results of the risk assessment provide a playbook for how additional protections can lower the risk to patient information. Let's take a closer look at the steps involved in reducing risk to patient information.
Let's assume that a detailed risk assessment was done for ABC practice. It inventoried every system that creates, stores or transmits electronic protected health information (ePHI, or patient information), identified the threats to that ePHI, looked for vulnerabilities in those systems and evaluated the protections already in place. The findings from all of the information that was gathered and evaluated were then reported to ABC practice.
Usually a risk assessment will provide recommendations that an organization should implement to lower the risk to ePHI. So you may be thinking that lowering risk is easy: all an organization has to do is implement every recommendation and there will be very little risk that something happens to ePHI. That would be correct, but it is not realistic. Implementing every additional security measure may be cost prohibitive. For example, a backup generator that will power all the computer systems during a power outage might cost $10,000 to $50,000 or more. Another example: the risk assessment may say that, to lower the risk of ePHI being stolen, all systems in the organization should be encrypted, including laptops, desktops and servers. Depending on the number of systems, the cost of encrypting all of them may again be prohibitive. In each case the cost of the measure has to be weighed against how likely the event is and how much it would cost the organization if it happened.
So what does an organization do?
There are three things an organization can do with each risk the assessment identifies:
- Implement the recommended security measures to lower the specific risk (mitigate it). This is the optimal solution whenever the cost analysis supports it, that is, when the cost of the measure is reasonable compared with the likelihood and impact of the event it prevents.
- Transfer the risk to another organization, in this case an insurance company, by buying insurance. Insurance transfers the financial impact of an incident, not the compliance obligation: the covered entity remains responsible under the Security Rule and for breach notification whether or not it is insured.
- Accept the risk, deciding that its likelihood is low enough that no additional security measures are needed. This decision and the reasoning behind it should be written down: the Security Rule requires documentation of risk management decisions, and for an addressable specification the organization must record why implementing it was not reasonable and appropriate and what equivalent alternative, if any, was put in place.
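As an added illustration of the cost-versus-likelihood decision behind these three options (this is not code or data from the original article), the following Python script applies the standard annualized loss expectancy (ALE) model to a small risk register and picks a treatment for each entry. ABC practice, the register entries, and every dollar figure, rate, tolerance and capacity in it are constructed assumptions; a real risk analysis would supply its own numbers.

```python
"""Worked risk-treatment example (added illustration, not part of the original article).

Uses the standard annualized loss expectancy (ALE) model:
    SLE = expected loss from one occurrence of the threat
    ALE = SLE * ARO, where ARO is the expected number of occurrences per year
A recommended safeguard is cost-justified when the ALE it removes exceeds
its own annualized cost. Every dollar figure and rate below is constructed
for illustration; a real risk analysis would supply its own.
"""
from dataclasses import dataclass


def annualized_cost(capital: float, useful_life_years: float, yearly_opex: float = 0.0) -> float:
    """Spread a one-time purchase over its useful life and add recurring cost."""
    return capital / useful_life_years + yearly_opex


@dataclass
class Risk:
    name: str
    sle: float              # single loss expectancy, dollars
    aro: float              # annualized rate of occurrence, events per year
    control_cost: float     # annualized cost of the recommended safeguard
    control_effect: float   # fraction of the loss the safeguard removes, 0..1
    ale_tolerance: float    # expected annual loss the practice is willing to carry
    loss_capacity: float    # largest single loss the practice could absorb

    def ale(self) -> float:
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the safeguard is in place."""
        return self.ale() * (1.0 - self.control_effect)

    def control_net_benefit(self) -> float:
        """Loss avoided per year minus what the safeguard costs per year."""
        return self.ale() - self.residual_ale() - self.control_cost


def treat(risk: Risk) -> str:
    """Choose one of the three treatments the article describes.

    Order matters: a safeguard that pays for itself is always taken; insurance
    is the tool for rare events whose single loss the practice cannot absorb;
    acceptance is only available while expected loss stays within tolerance.
    A risk that fails all three tests is above tolerance and must still be
    reduced, so the safeguard is recommended even though it is not cost-justified.
    """
    if risk.control_net_benefit() > 0:
        return "mitigate"
    if risk.sle > risk.loss_capacity:
        return "transfer"
    if risk.ale() <= risk.ale_tolerance:
        return "accept"
    return "mitigate"


def treatment_plan(register: list) -> dict:
    """Map each risk name to its chosen treatment; this is what gets documented."""
    return {r.name: treat(r) for r in register}


# Constructed register for the hypothetical ABC practice (assume 40 staff devices).
REGISTER = [
    Risk("power outage halts clinic", sle=5_000, aro=0.5,
         control_cost=annualized_cost(30_000, 10, 500),   # generator plus yearly maintenance
         control_effect=0.9, ale_tolerance=5_000, loss_capacity=250_000),
    Risk("unencrypted laptop stolen", sle=200_000, aro=0.1,
         control_cost=40 * 100,                            # encryption licensing and management
         control_effect=0.95, ale_tolerance=5_000, loss_capacity=250_000),
    Risk("lawsuit after vendor compromise", sle=1_500_000, aro=0.01,
         control_cost=20_000,                              # vendor audits and monitoring
         control_effect=0.5, ale_tolerance=5_000, loss_capacity=250_000),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:38} ALE ${r.ale():>10,.0f}  "
              f"safeguard net benefit ${r.control_net_benefit():>+10,.0f}  -> {treat(r)}")
```

With these constructed numbers the generator is not worth its annualized cost for an outage the practice can absorb, so that risk is accepted; encrypting the laptops removes far more expected loss than it costs, so it is mitigated; and the vendor-driven lawsuit is too large a single loss to absorb but too rare to justify the safeguard, so it is insured. The dictionary returned by `treatment_plan` is the kind of record that belongs in the written risk management plan.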
A key point is that it is not possible to eliminate all risk. No matter how much an organization spends on additional security measures, some risk remains. The goal of implementing the recommendations of a risk assessment is to lower the remaining (residual) risk to a level the organization is willing to accept. This may sound confusing, so consider the example of owning and driving a car.
Driving a car is risky. Cars are involved in accidents, drivers and passengers can be hurt or killed, cars can be stolen, and the owner can be sued if the car is involved in an accident. So what does someone do to lower the risk of owning and driving a car? They can buy a car with many safety features, including seatbelts, airbags, anti-lock brakes, traction control and a good safety record. They can also purchase insurance that will protect them in the event of an accident (to repair the car, cover medical expenses or defend against a lawsuit). Even after buying a safe car and purchasing insurance, owning and driving a car still carries risk. But with a safe car and insurance in place, the remaining risk is low enough that most people feel confident in the decision to buy one. The safety features are the mitigation, the insurance is the transfer, and the risk that remains is accepted.
A risk assessment helps an organization lower the risk to ePHI by recommending additional security measures. The organization will need to decide which measures to implement based on the likelihood of each risk and a cost analysis of the recommended measures. The goal is to lower the risk to ePHI, with the understanding that eliminating all risk is not feasible.