There are many tools available to help organizations perform the Risk Assessment required by HIPAA and Meaningful Use. The problem with an organization doing its own Risk Assessment is summed up by the saying
What you put in is what you get out
In order to get an accurate analysis of the risks to patient information, it is critical to understand where patient information is stored and how it is currently being protected. The HIPAA Security Rule focuses on many network-related concepts, including encryption, auditing, disaster recovery, etc. These concepts and technologies are not always easy for non-technical people to grasp. Without a good understanding of the technology safeguards, it is easy to make assumptions about what safeguards an organization has in place, and those assumptions can turn out to be incorrect.
We have interviewed hundreds of people through our HIPAA Risk Assessment process and have seen firsthand the issues mentioned above. We usually receive honest answers from the people we interview during the Risk Assessment process, but although the answers are honest, sometimes they turn out to be entirely incorrect. Below are a few examples that demonstrate the point more clearly.
We asked one practice administrator if they were using email encryption to send electronic protected health information (ePHI) to patients via email. The practice administrator answered the question with
Yes we use email encryption to send patient information.
When we asked what email encryption tool they were using the response was
My iPhone has encryption so we are covered
It turns out the iPhone was not encrypted and they were sending patient information via unencrypted email. When we explained what email encryption was and how it worked, they were very eager to implement a solution.
The point here is that the practice administrator answered the question honestly and to the best of their ability. Unfortunately, they did not have the knowledge and information required to answer the question correctly.
We have seen the same scenario repeated many times regarding backup tapes. We always ask if the organization’s backup tapes are encrypted. We usually get a response similar to this
I’m sure our IT department is encrypting the tapes
But when we ask them to confirm this with their IT department (company) or when we interview the IT contact we usually get this response
No, the tapes are not encrypted, but they are in a format that is very hard to read, so the organization doesn’t have anything to worry about
Unfortunately, if the backup tapes are lost or stolen and they are not encrypted, the organization is looking at a security breach. Once again, the practice administrator was answering the question to the best of their knowledge. In fact, the IT person was answering the question to the best of their knowledge as well. But without a clear understanding of the HIPAA Security Rule, both contacts made false assumptions about the existing safeguards for patient information.
One final example we have seen revolves around auditing of access to ePHI. We asked one organization if they were auditing access to patient information. They answered
We have auditing in our EMR but we are not reviewing the audit logs. But we are keeping the logs so if we ever need to review them, they will be available.
The answer was honest and very straightforward. It seemed as though the organization had auditing of the EMR in place and just needed to implement an audit review policy and procedure. But when we asked the EMR vendor for more details about the auditing, it turned out that the EMR (which was not certified for Meaningful Use) did not have auditing in place that recorded which users were accessing or viewing records. It did have auditing of who entered or changed records, but not of who viewed them.
Needless to say the organization was very surprised when they heard that the EMR did not support the required auditing functionality.
The above cases show the danger of organizations performing their own Risk Assessments. In each case, assumptions were made about the existing safeguards for patient information, and each of those assumptions was incorrect. Without the required knowledge of the HIPAA Security Rule and the technology safeguards, it is easy to make mistakes that result in an inaccurate Risk Assessment.
The Office of the National Coordinator for Health Information Technology (ONC) states that although organizations can do self-assessments, it is better to have outside professionals assist with the Risk Assessment:
However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.