Small Medical Fundamentals

HIPAA Risk Assessment

Posted by Steve Alder

A HIPAA risk assessment assesses threats to the privacy and security of PHI, the likelihood of a threat occurring, and the potential impact of each threat so it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level.    

The requirements for covered entities and business associates to conduct a HIPAA risk assessment appear twice in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. However, it may be necessary for organizations to conduct risk assessments beyond these requirements.

The first requirement to conduct a HIPAA risk assessment appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). This standard requires covered entities and business associates to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”.

The second requirement appears in the HIPAA Breach Notification Rule (45 CFR § 164.402). This standard only applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI (in any format), and a HIPAA risk assessment is necessary to determine whether the event is notifiable to HHS and the affected individual(s).

However, beyond the HIPAA risk assessment requirements of the HIPAA Security and Breach Notification Rules, risks exist to the confidentiality, integrity, and availability of PHI when it is not in electronic format – for example, when unauthorized disclosures are made verbally or when a printed medical report is left unattended in an area of public access.

Because of these risks, it may be necessary to conduct a HIPAA privacy risk assessment which not only takes into account risks to the confidentiality, integrity, and availability of non-electronic PHI, but which also covers individuals’ access rights (to their PHI), Business Associate Agreements, and other Organizational Requirements of HIPAA.

HIPAA Security Risk Assessment

The objective of a HIPAA security risk assessment is outlined in the General Rules (CFR 45 § 164.306) that precede the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. These are to:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
  • Ensure compliance with this subpart (the HIPAA Security Rule) by its workforce. Note: This is achieved via security awareness training and the enforcement of a sanctions policy.

With regards to the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, the General Rules allow a “flexibility of approach” in how the standards are implemented. Despite the flexibility of approach clause, it is important that all standards are implemented unless an implementation specification is not “reasonable and appropriate” and an equivalent alternate measure is implemented in its place. The full list of Administrative, Physical, and Technical implementation specifications is:

Standards Sections Implementation Specifications

(R)=Required, (A)=Addressable

 Implementation Commentary
Security Management Process 164.308(a)(1) Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R) Organizations should perform a comprehensive risk analysis to identify potential vulnerabilities to ePHI. Develop and document a risk management strategy that prioritizes remediation activities. Enforce a sanction policy for employees who fail to comply with security policies, and implement tools for reviewing system activity regularly to detect any unauthorized access.
Assigned Security Responsibility 164.308(a)(2) (R) Assign a senior-level individual (such as a CISO or Privacy Officer) to be responsible for ensuring the implementation and oversight of security policies and procedures across the organization. This individual should have authority and resources to enforce HIPAA compliance.
Workforce Security 164.308(a)(3) Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A) Establish and document procedures for supervising workforce members who access ePHI. Screen employees before granting access, and ensure prompt deactivation of accounts and access upon termination or role change to prevent unauthorized access.
Information Access Management 164.308(a)(4) Isolating Health Care Clearinghouse Function (R), Access Authorization (A), Access Establishment and Modification (A) Create controls to isolate systems that manage ePHI, especially if a healthcare clearinghouse is part of a larger organization. Define procedures for granting, modifying, and removing user access based on job roles. Access should be reviewed periodically and updated accordingly.
Security Awareness and Training 164.308(a)(5) Security Reminders (A), Protection from Malicious Software (A), Log-in Monitoring (A), Password Management (A) Develop a formal training program that includes regular security updates, awareness of phishing and malware threats, instructions for recognizing suspicious activities, and best practices for password management. Training should be documented and mandatory for all employees.
Security Incident Procedures 164.308(a)(6) Response and Reporting (R) Develop and maintain a written incident response plan that defines how to detect, report, and respond to security incidents. Train staff on recognizing incidents, and test the plan through simulated exercises to improve readiness.
Contingency Plan 164.308(a)(7) Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedure (A), Applications and Data Criticality Analysis (A) Implement a robust contingency planning framework that includes regular data backups, disaster recovery procedures, and emergency mode operations to ensure continuity of care. Conduct periodic testing and revise plans based on outcomes. Assess and prioritize data and application criticality to focus recovery efforts effectively.
Evaluation 164.308(a)(8) (R) Regularly evaluate your security program’s effectiveness through audits, risk assessments, and policy reviews. Document evaluation results and implement improvements as needed to address any weaknesses or evolving threats.
Business Associate Contracts 164.308(b)(1) Written Contract or Other Arrangement (R) Enter into Business Associate Agreements (BAAs) with all vendors who handle ePHI on your behalf. Ensure these agreements outline security responsibilities and establish that the associate is subject to HIPAA rules.
Facility Access Controls 164.310(a)(1) Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A) Implement procedures to control physical access to facilities where ePHI is stored. This includes locking doors, using ID badges, and ensuring that emergency access is planned. Document maintenance activities and control how visitors and staff are validated before entering sensitive areas.
Workstation Use 164.310(b) (R) Define appropriate uses of workstations that access ePHI. Restrict the use of unauthorized software and internet access, and place workstations in secure locations where unauthorized individuals cannot view screen content.
Workstation Security 164.310(c) (R) Physically secure workstations by using cable locks, locking office doors, and ensuring terminals are not left unattended when logged in. This helps prevent unauthorized access or tampering.
Device and Media Controls 164.310(d)(1) Disposal (R), Media re-use (R), Accountability (A), Data Backup and Storage (A) Develop policies for securely disposing of media containing ePHI, such as shredding paper records or wiping hard drives. Maintain a media tracking system to ensure accountability and store backups securely offsite or in the cloud.
Access Control 164.312(a)(1) Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A) Assign unique user IDs for tracking access to systems containing ePHI. Ensure emergency access is available when needed. Set automatic logoff policies to reduce risk from unattended terminals, and encrypt data both at rest and in motion where appropriate.
Audit Controls 164.312(b) (R) Use software tools that track and log all access to ePHI, including login attempts, file accesses, and modifications. Regularly audit these logs to identify unusual activity and respond to potential breaches.
Integrity 164.312(c)(1) Mechanism to Authenticate Electronic Protected Health Information (A) Use checksums, digital signatures, or similar tools to ensure that ePHI has not been altered or destroyed in an unauthorized manner. Validate these mechanisms regularly to ensure reliability and security.
Person or Entity Authentication 164.312(d) (R) Ensure users authenticate themselves before accessing ePHI using secure methods such as strong passwords, biometric verification, or multi-factor authentication. Regularly update and review authentication policies.
Transmission Security 164.312(e)(1) Integrity Controls (A), Encryption (A) Encrypt data transmissions such as emails or data sent via APIs to protect ePHI from interception. Implement integrity controls like message authentication codes to ensure that data is not altered during transmission.

 

The final section of the HIPAA Security Rule covers Business Associate Agreements and other Organizational Requirements. This section requires covered entities to ensure their Business Associate Agreements require business associate to comply with the HIPAA Security Rule and report any security incidents (not just data breaches) to the covered entity. With regards to the Organization Requirements, the standard in 45 CFR § 164.314 applies to group health plans; but all covered entities in hybrid, affiliated, or OHCA arrangements should review the content of this standard as well.

HIPAA Breach Risk Assessment

The second “required” HIPAA risk assessment is actually optional inasmuch as the HIPAA Breach Notification Rule states any that impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless a low probability of compromise can be demonstrated via a risk assessment that takes at least the following factors into account:

  • The nature and extent of breached PHI including the types of identifiers and the likelihood of reidentification,
  • The unauthorized person (if known) who acquired, accessed, or used the breached PHI or to whom an impermissible disclosure was made,
  • Whether PHI was actually acquired or viewed (read HHS’ guidance on ransomware to establish what constitutes “acquired or viewed” in cyberattacks),
  • The extent to which the risk to PHI has been mitigated.

The reason for the HIPAA breach risk assessment being described as optional is that covered entities and business associates could – if they wish – skip this HIPAA assessment and notify every impermissible acquisition, access, use, or disclosure of PHI. The drawback to this approach is that it may result in business disruption if HHS’ Office for Civil Rights feels your organization is experiencing an above-average number of data breaches and decides to conduct a compliance review.

It can also cause a loss of trust from individuals served by the organization if patients and plan members are receiving frequent breach notifications – especially if they are advised to take measures to protect themselves against fraud, theft, and loss unnecessarily because “breached” PHI has not actually been acquired or viewed. Although “optional”, it can be a good idea to conduct a HIPAA breach risk assessment to prevent unavoidable notifications.

HIPAA Risk Assessment Workflow- the hipaajournal.com

HIPAA Privacy Risk Assessment

Due to the requirement to conduct risk assessments being in the HIPAA Security Rule, many covered entities and business associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first task it is to identify organizational workflows and get a “big picture” view of how the requirements of HIPAA Privacy Rule impact the organization´s operations. Thereafter the Privacy Officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.

The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy assessment and should be reviewed as new work practices are implemented or new technology is deployed.

As required by 45 CFR § 164.530, it is essential employees are trained on any policies and procedures developed as a result of a HIPAA privacy risk assessment and when material changes to policies and procedures impact employees’ functions. Although covered entities and business associates may comply with this requirement “to tick the box”, better trained staff make fewer HIPAA errors, so training on HIPAA policies and procedures should be embraced as a risk mitigation strategy.

Not Identifying Risks Can be Costly

The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of PHI and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing a legal requirement exists to protect PHI.

More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard PHI. Many of the largest fines – including the $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI exist.

However, since the start of the second round of HIPAA audits, fines have also been issued for potential breaches of PHI. These are where flaws in an organization´s security have not been uncovered by a HIPAA risk assessment, or where no assessment has been conducted at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.

It’s Not Just Large Organizations in the Firing Line

Although the majority of headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, there are very many small medical practices also investigated by the Office for Civil Rights (OCR) or subject to HIPAA audits. Since 2003, OCR has received more than 300,000 reports of alleged HIPAA violations. Less than 2% of these relate to data breaches involving 500 individuals or more.

A significant problem for small and medium sized medical practices is that not all insurance carriers cover the cost of a HIPAA breach. The cost of a HIPAA breach not only includes the fine, but also the cost of hiring IT specialists to investigate the breach, the cost of repairing public confidence, and the cost of providing credit monitoring services for individuals. Insurers may also limit their coverage according to the nature of the HIPAA violation and the level of negligence.

Without insurance coverage, the cost of a HIPAA breach could potentially close a small medical practice. However, this scenario can be mitigated by conducting a HIPAA risk assessment and implementing measures to resolve any uncovered issues. An assessment can be complicated and time-consuming, but the alternative is potentially terminal to small medical practices and their business associates.

Business Associates Must Be Included

Every covered entity that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements of the HIPAA Security Rule. This condition of HIPAA compliance not only applies to medical facilities and health plans. Business associates, subcontractors, and vendors must also conduct a HIPAA security risk assessment. Similar to covered entities, fines for non-compliance can be issued by OCR against business associates for potential breaches of PHI.

OCR treats these risks seriously. In December 2014, the agency revealed that 40% of all HIPAA breaches involving an exposure of more than 500 patient records are attributable to the negligence of business associates. In June 2016, it issued its first fine against a business associate – the Catholic Health Care Services of the Archdiocese of Philadelphia agreeing to pay $650,000 following a breach of 450 records. The non-profit organization had failed to conduct a HIPAA risk assessment since 2013.

More recently, the proportion of data breaches attributable to a lack of compliance by business associates may appear to have reduced, but this is not necessarily the case. Under the HIPAA Breach Notification Rule (CFR § 164.410), a business associate is required to notify a covered entity when a breach of unsecured PHI occurs. It is then the covered entity’s responsibility to notify HHS and the affected individual(s) – so it may be the case many data breaches are recorded as being attributable to a covered entity when in fact a business associate is at fault.

Developing a Risk Management Plan and Implementing New Procedures

A HIPAA risk assessment should reveal any areas of an organization’s security that need attention. Organizations then need to compile a risk management plan in order to address the weaknesses and vulnerabilities uncovered by the assessment and implement new procedures and policies where necessary to close the vulnerabilities most likely to result in a breach of PHI.

The risk levels assigned to each vulnerability will give an organization direction on the priority that each vulnerability needs to be given. The organization can then create a remediation plan to tackle the most critical vulnerabilities first. The remediation plan should be complemented with new procedures and policies where necessary, and appropriate workforce training and awareness programs.

It has been noted by OCR that the most frequent reason why covered entities and business associates fail HIPAA audits is because of a lack of procedures and policies – or inadequate policies and procedures. It is important that the appropriate procedures and policies are implemented in order to enforce changes to the workflow that have been introduced as a result of the HIPAA risk assessment.

Tools to Assist with a HIPAA Risk Assessment

Conducting a HIPAA risk assessment on every aspect of an organization’s operations – not matter what its size – can be complex. This is particularly true for small medical practices with limited resources and no previous experience of complying with HIPAA regulations. To help reduce the complexity of conducting HIPAA risk assessments, in 2014, OCR released a downloadable Security Risk Assessment (SRA) tool that helps small and medium sized medical practices with the compilation of a HIPAA risk assessment.

The SRA tool is very helpful in helping organizations identify some locations where weaknesses and vulnerabilities may exist – but not all. In the User Guide accompanying the software, it is stated at the beginning of the document “the SRA tool is not a guarantee of HIPAA compliance”. This is because, although the tool consists of 156 questions relating to the confidentiality, availability, and integrity of all PHI, there are no suggestions on how assign risk levels or what policies and procedures to introduce.

Much the same applies to other third-party tools that can be found on the Internet. They may also help organizations identify some weaknesses and vulnerabilities, but not provide a fully compliant HIPAA risk assessment. Indeed, many third-party vendors publish disclaimers in the small print of their terms and conditions similar to that at the beginning of the SRA tool User Guide. The conclusion is that tools to assist with a HIPAA risk assessment can be helpful for identifying issues but are not suitable for providing solutions to all issues.

HIPAA Risk Assessment FAQ

Where are risks most commonly identified?

Where risks are most commonly identified vary according to each organization and the nature of its activities. For example, a small medical practice may be at greater risk of impermissible disclosures through personal interactions, while a large healthcare group may be at greater risk of a data breach due to the misconfiguration of cloud servers.

What is a “reasonably anticipated threat”?

A reasonably anticipated threat is any threat to the privacy of individually identifiable health information or to the confidentiality, integrity, or availability of PHI that is foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training. This is why a “big picture” view of organizational workflows is essential to identify reasonably anticipated threats.

What is the difference between a risk assessment and a risk analysis?

The difference between a risk assessment and a risk analysis is that a risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations. The objective of assigning risk levels to each risk is so that risks with the potential to be most damaging can be addressed as priorities. Most HIPAA risk analyses are conducted using a qualitative risk matrix.

Who is responsible for conducting a HIPAA security risk assessment?

The responsibility for conducting a HIPAA security risk assessment usually lies with a HIPAA Compliance Officer; or, if the responsibility for HIPAA compliance is shared between a HIPAA Privacy Officer and a HIPAA Security Officer, the risk assessment and analysis should be conducted by the HIPAA Security Officer with assistance from his or her colleague depending on the nature of risks identified.

Are there different types of risk assessment for covered entities and business associates?

There are not different types of risk assessment for covered entities and business associates. Both covered entities and business associates need to conduct “A-to-Z” risk assessments for any Protected Health Information created, used, or stored. While business associates may experience a lower volume of PHI than a covered entity, the risk assessment has to be just as thorough and just as well documented.

What is a HIPAA risk assessment?

A HIPAA risk assessment is a risk assessment that organizations subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act have to complete in order to be compliant with the “Security Management Process” requirements. Non-compliant organizations have been filed for failing to comply with this requirement of HIPAA.

What is the difference between a HIPAA risk assessment and a HIPAA compliance assessment?

The difference between a HIPAA risk assessment and a HIPAA compliance assessment is that a HIPAA risk assessment identifies potential threats and vulnerabilities so measures can be implemented to mitigate their likelihood. A HIPAA compliance assessment is usually an assessment performed by a third party to assess an organization´s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Why can I not find a HIPAA risk assessment template on the Internet?

You will not find a HIPAA risk assessment template on the Internet because covered entities and business associates vary significantly in size, complexity, and capabilities, and there is no “one-size-fits-all” HIPAA risk assessment. Due to the number of variables, there is no such thing as a HIPAA risk assessment template; and, if you do source a template from the Internet, you should treat it with caution as it may not include every potential risk to PHI maintained by your organization.

When is a HIPAA risk assessment necessary?

A HIPAA risk assessment is necessary in two instances. The first instance appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). The second instance occurs under the HIPAA Breach Notification Rule (45 CFR § 164.402), which applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI. However, organizations should conduct risk assessments more often than these requirements, particularly related to non-electronic PHI and organizational requirements.

What is the objective of a HIPAA security risk assessment?

The objective of a HIPAA security risk assessment is to identify risks to the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits. The risk assessment should not only focus on external threats, but also those within the organization attributable to malicious insiders or a lack of security awareness training.

What factors are considered in a HIPAA breach risk assessment?

The factors considered in a HIPAA breach risk assessment include the nature and extent of breached PHI, the types of identifiers and the likelihood of re-identification, the unauthorized person who accessed or used the breached PHI, whether PHI was actually acquired or viewed, and the extent to which the risk to PHI has been mitigated.

What could be the consequence of not identifying risks to PHI in a risk assessment?

The consequences of not identifying risks to PHI in a risk assessment are an increased likelihood of a data breach or impermissible disclosure, and – following on from such an event – a sanction issued by HHS’ Office for Civil Rights for failing to conduct a thorough risk assessment. It is important to be aware there are no excuses for failing to conduct a thorough risk assessment as covered entities and business associates “know or should know” they have a responsibility to safeguard PHI.

Do the HIPAA risk assessment requirements apply to Business Associates?

The HIPAA risk assessment requirements apply to business associates as business associates are required to comply with the HIPAA Security and Breach Notification Rules and the two HIPAA standards relating to HIPAA risk assessments appear in these Rules. Business associates are also advised to conduct HIPAA Privacy Rule risk assessments if the nature of their activities for a covered entity could violate the privacy of individually identifiable health information.

What tools can assist organizations with a HIPAA risk assessment?

The tools that can assist organizations with a HIPAA risk assessment include a downloadable Security Risk Assessment (SRA) tool released by HHS’ Office for Civil Rights in 2014 to help small and medium-sized medical practices with the compilation of a HIPAA risk assessment. There are also many tools available from third party compliance experts that are best used for identifying issues in situations not covered by the Security Risk Assessment Tool (i.e., HIPAA Privacy Rule compliance).

The post HIPAA Risk Assessment appeared first on The HIPAA Journal.

Editorial: HIPAA Compliance Challenges for Small Medical Practices

Posted by Steve Alder

Healthcare providers, health plans, healthcare clearinghouses, and their business associates are all required to comply with the HIPAA Rules; however, there are unique challenges for small medical practices. Large healthcare organizations have greater resources to devote to compliance, and can attract and pay for dedicated compliance professionals, in-house IT and cybersecurity staff, cutting-edge cybersecurity solutions, and staff training programs.

Small medical practices have limited resources and are forced to make difficult decisions about where to allocate funds due to budget constraints. Investments in the business that boost revenue and profits often take priority over investments to ensure HIPAA compliance and improve cybersecurity. Small practices often cannot afford to have a dedicated HIPAA Privacy and Security Officer, and compliance duties fall on administrative staff, nurses, and physicians, who have many other responsibilities. There may also not be an in-house IT department to oversee security.

Despite financial constraints, HIPAA compliance and cybersecurity are not optional. The HHS’ Office for Civil Rights (OCR) has made it clear that the size of a practice is irrelevant when it comes to HIPAA compliance. While OCR has previously focused its enforcement efforts on larger practices, in recent years, OCR has taken a keen interest in smaller practices and has imposed several penalties for noncompliance. OCR has made it clear with these penalties that small medical practices can no longer fly under the radar.

The probability of noncompliance being discovered is increasing. While hackers and ransomware groups have historically focused their efforts on attacking larger healthcare organizations with deeper pockets, smaller healthcare practices are increasingly being targeted for the simple reason that they are easier to attack, as they have fewer resources to devote to cybersecurity, and healthcare organizations of all sizes are at risk of insider threats, more so than any other sector.

OCR’s figures show a 239% increase in hacking-related data breaches between 2018 and 2023, and a 278% increase in ransomware attacks. OCR investigates all data breaches affecting 500 or more individuals to determine if they were due to noncompliance, as well as many smaller breaches. Complaints about potential HIPAA violations are also being reported to OCR in record numbers, and OCR has rekindled its HIPAA audit program. Noncompliance has never been more likely to be discovered.

HIPAA Compliance Challenges for Small Medical Practices to Overcome

With fewer resources available to devote to HIPAA compliance, achieving and maintaining HIPAA compliance can be a real challenge for small and medium-sized healthcare providers. While small practices are not expected to invest as heavily in cybersecurity as large healthcare providers, they must ensure that they have appropriate measures, relative to their size, to protect against common cybersecurity threats.

Small medical practices must ensure they have written policies and procedures to demonstrate their good faith effort to comply with the HIPAA Rules. HIPAA compliance is not inherently complicated. The HIPAA Rules are publicly available, and OCR has created many resources to help small practices achieve and maintain compliance, yet there are several areas where smaller practices have compliance programs that fall short of requirements.

Document All HIPAA Compliance Efforts

A lack of documentation to prove HIPAA compliance is all too common. As far as OCR is concerned, if it hasn’t been documented, it didn’t happen. If a complaint or data breach is investigated, the first thing OCR will request is documentation to demonstrate HIPAA compliance in the area under investigation. That may be policies and procedures for responding to patients who exercise their rights under HIPAA, HIPAA and security awareness training records, incident response plans, and patient notifications, or evidence that a risk analysis has been conducted and risks have been reduced to a reasonable and appropriate level. Many financial penalties have resulted from the failure to document the practice’s good-faith effort to comply with the HIPAA Rules. Maintaining accurate documentation is a fundamental requirement of HIPAA.

Conduct Regular Risk Analyses

The most commonly identified HIPAA violation is the failure to conduct an accurate and comprehensive risk analysis. Under OCR’s current enforcement initiative, proof that a risk analysis has been conducted will need to be provided in the event of a data breach investigation. Risk analyses are ongoing requirements that should be conducted annually, and following any material change to policies and procedures, or when new technology is introduced.

The “comprehensive” requirement means that there is a prerequisite to the risk analysis. An accurate and up-to-date inventory of all devices and locations where PHI is stored, maintained, transmitted, or accessed is required, on which the risk analysis can be based. Take advantage of the HHS Security Risk Assessment tool, which has been developed specifically to help small and medium-sized healthcare providers by walking them through the risk analysis process. You must also ensure that everything is documented so you can demonstrate that an accurate and comprehensive risk analysis has been conducted. Naturally, any identified risks and vulnerabilities must be mitigated in a timely manner.

Reduce the Risk of Human Error with Regular Training

Staff training often gets neglected. It can be difficult with a small workforce to take workers away from their work duties and provide regular training on HIPAA policies and procedures, as well as security awareness training. Training should be provided at hire, and refresher training provided annually. Take advantage of training vendors and third-party courses if you lack the internal resources to develop your own training courses.

Training should teach employees about their responsibilities with respect to the privacy and security of PHI, patient rights under HIPAA, social media use, and the correct handling of PHI in all forms. Ensure you provide regular security awareness training covering common threats such as phishing, social engineering, malware, and educate the workforce on security best practices. To develop a culture of compliance, staff members must be given proper education, and through regular training, you will be able to prevent many accidental HIPAA violations. Bear in mind that patients have become a lot more knowledgeable about HIPAA and their rights, and complaints about potential HIPAA violations are being reported in record numbers.

Maintain Business Associate Agreements with All Vendors

With limited resources, small medical practices will naturally need to outsource some functions to third-party service providers such as IT companies, managed services providers, cloud providers, software providers, revenue cycle management companies, and more. A small practice may rely on two dozen or more vendors, and each one that requires contact with PHI must sign a business associate agreement (BAA) before being provided with access to PHI.

The BBA should make clear what the vendor’s responsibilities are under HIPAA, the safeguards that are required to protect PHI, and the requirement to obtain a BAA before using any subcontractor that requires access to PHI. The BAA should stipulate responsibilities and timeframes for reporting security incidents. There are many free templates available on which small practices can base their business associate agreements.

Business associates should be vetted to ensure their security is up to scratch, which can be time-consuming for small practices. Time can be saved by choosing vendors who can provide evidence of their security practices and who attest that their products or services are HIPAA compliant.

Implement Strong Access Controls

Small medical practices are likely to be targeted with phishing, social engineering, and brute force attempts to guess credentials. To counter these threats, practices need to have strong access controls. Each member of the workforce must have unique credentials, password complexity requirements should be set and enforced in line with current NIST recommendations, and multi-factor authentication should be implemented to add an additional layer of security, especially for any Internet accessible account or system.

Maintain and Review Security Event Logs and PHI Access

Even with the best security, cybercriminals may exploit human weaknesses or find a way to access your network. Data encryption at rest and in transit is strongly recommended, and a requirement of HIPAA unless an alternative safeguard is implemented that provides an equivalent level of protection. Regular backups must be performed of all critical data, backups checked to make sure data recovery is possible, and backups should be stored securely off-site. Small practices have been forced to permanently close due to the inability to recover data following a ransomware attack.

HIPAA requires detailed audit logs to be created, maintained, and reviewed to identify access, use, copying, and modification of ePHI. The logs should be continuously monitored, which, for small practices with limited resources, naturally requires automation. Consider partnering with a managed service provider (MSP) or managed security service provider (MSSP) and leveraging their expertise and monitoring capabilities. Without an automated system for monitoring ePHI access logs, including AI-aided detection of anomalous activity, privacy violations can continue for years.

Develop and Test an Incident Response and Business Continuity Plan

Small practices must prepare for the worst and assume that there will be a breach or HIPAA violation. An incident response plan must be developed that includes procedures to follow in the event of a cyberattack or event that damages information systems containing ePHI, or involves potential unauthorized access or disclosures.

The plan must include each individual’s responsibilities, the procedures that must be followed, processes for mitigating damage, and vendors that can assist, such as digital forensics experts and cybersecurity professionals. The plan must be tested to ensure that it is effective and that everyone is aware of their responsibilities. The incident response plan should also include policies and procedures for issuing notifications to the HHS, affected individuals, and the media. Small practices have been fined for breach response failures.

Prioritize Cybersecurity Spending to Get the Biggest Bang for Each Buck

Budgetary constraints at small medical practices mean difficult decisions must be made about cybersecurity, so each security product purchased must have a significant impact on reducing risk. Leverage affordable tools to ensure that email is secured, encrypt data at rest and in transit as far as is possible, and take advantage of HIPAA-compliant service providers rather than trying to build your own security from scratch. Enlist the services of an MSP or MSSP to assist with Security Rule compliance and benefit from their expertise; just make sure the vendor’s responsibilities are clearly stated in the BAA and service level agreement.

Small practices may have to make compromises as their resources may not stretch to cutting-edge security in every area. To get the biggest bang for each buck, the HHS Cybersecurity Performance Goals are a good place to start. They include proven cybersecurity measures that will have the biggest impact on improving your security posture.

Keep Up to Date with Regulatory Changes

Major changes to the HIPAA Rules are relatively infrequent, but there are pending Privacy Rule and Security Rule updates, and minor changes are more frequent. It is the responsibility of small medical practices to keep up to date with regulatory changes, as a lack of knowledge is not a valid excuse for noncompliance. Keeping abreast of any proposed HIPAA changes will give small practice owners plenty of time to make the necessary updates to their policies, procedures, and data privacy and security practices. Regularly check the HHS.gov website for proposed updates and new guidance, and sign up for The HIPAA Journal newsletter to get updates sent directly to your inbox.

HIPAA Compliance is a Continuous Process

HIPAA compliance is a continuous process, not a one-time effort at checking all the compliance boxes, and that naturally requires an investment in time and resources. To ensure compliance is maintained, consider conducting annual HIPAA audits and documentation checks, and regularly review privacy and security policies to ensure that they continue to be effective. Investing time and resources into developing your compliance program will be money well spent.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: HIPAA Compliance Challenges for Small Medical Practices appeared first on The HIPAA Journal.

Seven Elements Of A Compliance Program

Posted by HIPAA Journal

The Seven Elements HIPAA Compliance Software SolutionThe seven elements of a compliance program are integrated processes organizations can adopt to help develop a culture of compliance in the workplace; and, when applied effectively, the seven elements can also be used to streamline operational processes, optimize organizational performance, and reduce overall costs.

Because HIPAA compliance can be confusing, we have compiled this guide to the seven elements to make them relevant for HIPAA. Some compliance software solutions guide compliance officers through the seven elements as part of their set-up process.

Summary Of The Seven Elements

While the seven elements of a compliance program apply to all industries, they originated in the healthcare industry in the 1990s. This was in response to the growing level of healthcare fraud and abuse and an alleged “compliance disconnect” at the executive level in many hospitals and health systems.

These are the seven elements, which we outline in more detail below:

#1: Implement written policies, procedures, and standards of conduct.
#2: Designate a compliance officer and a compliance committee.
#3: Conduct effective training and education.
#4: Develop effective lines of communication.
#5: Conduct internal monitoring and auditing.
#6: Enforce standards through well-publicized disciplinary guidelines.
#7: Respond promptly to detected offenses and undertake corrective action.

The Seven Elements For Effective HIPAA Compliance

Despite being more than twenty-five years old – and not necessarily having been adopted to tackle the same issues – many organizations still use the seven elements in their original format.

The Background to the Seven Elements

In 1991, the Department of Health and Human Services (HHS) launched the Workgroup for Electronic Data Interchange (WEDI). WEDI had the objective of reducing administrative costs in the healthcare system by promoting electronic claims submission.

It achieved its objective by requiring insurance carriers to reimburse healthcare providers more quickly for electronic claims than for paper claims, thus encouraging providers to submit more claims electronically.

As a result, the percentage of claims submitted electronically over the next five years more than doubled – making it harder for adjudicators to identify fraud and abuse attributable to unbundling, duplication, and global service violations.

According to a Congressional Report published by the General Accounting Office in 1995, it was estimated that as much as 10 percent of national healthcare spending was attributable to waste, fraud, and abuse (around $98 billion at the time).

The following year, the long-running Caremark Derivative Litigation case concluded – a case in which it was claimed the company’s board of directors had failed in their fiduciary duty of care to ensure the company’s compliance program was enforced.

Although cleared of “lacking good faith in the exercise of monitoring duties or conscientiously permitting a known violation to occur”, the company settled multiple felony charges against it by paying $250 million in civil and criminal fines.

The relevance of this case is that Caremark’s primary operations were providing patient care and managed care services; and, although the company had implemented compliance policies to prevent breaches of Anti-Referral Payments Laws, a series of violations resulted in shareholders claiming the board of directors had failed to adequately enforce the policies and, as a result, exposed the company to regulatory fines.

This accusation was not lost on the HHS’ Office of Inspector General (OIG).

OIG Publishes First Model Compliance Plan

The year after the conclusion of the Caremark Derivative Litigation case, OIG published its first model compliance plan (62 FR 9435-9441). Although aimed at clinical laboratories, the model compliance plan consisted of seven “compliance plan elements” that subsequently evolved into “the seven fundamental elements of an effective compliance program” in later compliance plans for hospitals, home health agencies, hospices, and nursing facilities.

The primary objective of the plan is fairly transparent. In the preamble to each of the plans, OIG states “many providers and provider organizations have expressed an interest in better protecting their operations from fraud and abuse through the adoption of voluntary compliance programs.” The word “fraud” is repeated a further twenty-eight times in the compliance plan for hospitals (63 FR 8987) and the compliance plan for nursing facilities (65 FR 14289).

It is also noticeable that, from the second plan onward, each plan includes a footnote stating “recent case law suggests that the failure of a corporate Director to attempt in good faith to institute a compliance program in certain situations may be a breach of a Director’s fiduciary obligations” – referencing the Caremark Derivative Litigation case. Clearly, OIG wanted to send the message that, if a voluntary compliance plan was implemented, oversight of the plan was expected.

The biggest influence for the creation of the seven elements of a compliance program (fraud prevention) is sometimes overlooked. This is not necessarily a bad thing because – around the same time – the passage of HIPAA introduced fraud controls and transaction standards that made it harder for healthcare providers to defraud or abuse the system. However, the seven elements can be adapted for more positive purposes than preventing, detecting, and responding to fraud.

What are the Seven Elements of a Compliance Program?

The Seven Elements Of A Compliance ProgramSince the first appearance of the seven elements, some versions have been amended or extended to meet organizational or regulatory requirements.

For example, when the Affordable Care Act made a compliance program a requirement of Medicare participation for some healthcare providers (42 CFR §483.85), an element was added that prohibits organizations from delegating discretionary authority to individuals who “the organization knew, or should have known through the exercise of due diligence, had the propensity to engage in criminal, civil, and administrative violations of the Social Security Act.”

However, as mentioned in the introduction to this article, many organizations that have implemented a compliance plan voluntarily still use the seven elements of a compliance program in their original format.

Please use the form on this page to arrange to receive a free copy of the HIPAA Compliance Checklist to use with the seven elements of a compliance program.

#1 Implement written policies, procedures, and standards of conduct

The best HIPAA compliance softwareThe seven elements of a compliance program are often depicted as a linear “start-to-finish” program or as a wheel that starts revolving again when it is completed its first cycle. Neither depiction is entirely accurate, as the seven elements of a compliance program have to integrate with each other at all times to make the program work effectively and facilitate improvements to the program.

The first of the seven elements of a compliance program is a suitable example of why it is important to view a compliance program holistically because it calls for the development of standards (etc.) under the direction of a compliance officer. Yet organizations are not advised to designate a compliance office until element #2:

“Every compliance program should develop and distribute written compliance standards, procedures, and practices that guide the facility and the conduct of its employees throughout day-to-day operations. These policies and procedures should be developed under the direction and supervision of the compliance officer, the compliance committee, and operational managers.”

If you view the seven elements of a compliance program as a linear program, you could be confused when the second element instructs you to designate the compliance officer you need to complete the first element. You might also be confused if you view the compliance program as a wheel, because it means you will need to rotate the wheel counter clockwise from #2 to #1.

#2 Designate a compliance officer and compliance committee

The temptation with element #2 is to delegate the role of compliance officer and the membership of a compliance committee to members of the same HR, legal, or operations teams or department heads of these teams. This can be a mistake if (for example) the legal team does not understand the real-life challenges of compliance in the workplace.

While it is a good idea to head the compliance committee with a person of authority, it is beneficial to include personnel with public-facing roles (i.e., healthcare professionals) and a mixture of personnel from IT, security, and administration who can provide insights on which policies will work and which won’t without changes to working practices.

#3 Conduct effective training and education

Integrating training and education into a compliance program should not be difficult for most organizations in the healthcare industry, as the majority are required to comply with the HIPAA training requirements, while some are also required to provide annual compliance training as a condition of participation in the Medicare program.

Of significance, in the original seven elements of a compliance program, OIG notes that the continual retraining of personnel at all levels (emphasis added) is a significant element of an effective compliance training program. Along the same lines, OIG adds that adherence to the elements of the compliance program should be a factor in evaluating the performance of managers and supervisors.

#4 Develop effective lines of communication

The development of effective lines of communication is pivotal to the seven elements of a compliance program because effective lines of communication are necessary for members of the workforce to raise questions, report violations, and provide feedback on corrective action plans that may necessitate amendments to policies and procedures and further training.

Ideally the creation and maintenance of effective lines of communication between the compliance officer/committee and the workforce should include a hotline or anonymous reporting system to receive questions, reports, and feedback. Organizations should also adopt procedures to protect the anonymity of complainants and to protect whistle-blowers from retaliation.

#5 Conduct internal monitoring and auditing

This element of an effective compliance program provides an opportunity for executive officers to demonstrate oversight by requesting compliance reports and audits from the compliance officer. In healthcare environments, these reports and audits should be conducted regularly to comply with the HIPAA requirement for regular risk analyses and be available at all times for executive review.

If executive officers participate in this element, it also provides an opportunity to extend lines of communication “from the top to the bottom”. Although it is not always practical to have members of the workforce communicate directly with executive officers (and vice versa), the involvement of executive officers demonstrates a commitment to compliance throughout the entire organization.

#6 Enforce standards through well-publicized disciplinary guidelines

Most organizations distribute disciplinary guidelines at the point of training. Indeed, in the healthcare industry, the standards relating to training and sanctions are almost adjacent to the Administrative Requirements of the Privacy Rule – so it is rare that an explanation of the organization’s sanctions policy is not included in initial HIPAA training.

With regard to enforcing standards, it is important that sanctions are applied fairly. If one group of the workforce is sanctioned more often or more harshly than another group for no justifiable reason, executive officers need to find out why. While it may be the case that one manager is enforcing standards over-zealously, it may equally be the case that another manager is allowing the workforce to take shortcuts with compliance “to get the job done”.

#7 Respond promptly to detected offenses and undertake corrective action

When the seven elements of a compliance plan were originally published in the 1990s, this element focused almost entirely on detecting fraud, reporting it, and enforcing sanctions or implementing measures to prevent it from happening again. With fraud prevention being a less important objective of a compliance plan than it was twenty-five years ago, this element can be used to monitor the effectiveness of the compliance program and improve it where necessary.

For example, if an offense has occurred due to a loophole in a policy (element #1), a lack of training (#3), a communication failure (#4), or a monitoring issue (#5), the compliance officer (#2) can evaluate the existing policies, procedures, and standards, and adjust them as necessary (#7). If the offense has occurred due to the actions of a non-compliant member of the workforce, it may be necessary to increase the penalties in the sanctions policy (#6) to be more of a deterrent.

The Challenges and Benefits of Adopting a Compliance Plan

Software For Compliance OfficersAdopting the seven elements of a compliance plan can be challenging for an organization starting from scratch. It can be difficult to get leadership buy-in because compliance is not perceived as a revenue generator, it can be difficult to define compliance roles in a complex regulatory environment, and it can be difficult to pull everything together with limited resources.

In healthcare environments, these challenges are mitigated by the fact that many of the elements are – or should be – already in place. HIPAA-covered entities should have developed policies and procedures to comply with the Privacy Rule, have a training and sanctions program up and running, and have procedures for conducting internal audits and responding to data breaches.

All that needs to be done in many healthcare environments is for the compliance officer to bring together the seven elements of a compliance plan into one integrated plan. When managed effectively, the plan will help organizations develop a culture of compliance that can help to reduce costs (i.e., regulatory fines), enhance the organization’s operations (i.e., through improved communication), and advance the quality of healthcare.

This final benefit of adopting a compliance plan is one many organizations are only starting to realize as it has only recently been demonstrated that, when patients believe PHI will remain confidential, they tend to be more forthcoming about healthcare issues. This enables healthcare professionals to make better-informed diagnoses and prescribe more effective courses of treatment, which results in better patient outcomes, satisfaction scores, workplace morale, and staff retention.

Get Help Developing Your Compliance Plan

Multiple sources on the Internet offer help with developing a compliance plan. One of the best is the HHS’ Office of Inspector General compliance guidance web page which includes updated guidance on the seven elements of a compliance program in its General Compliance Program Guidance document.

However, if your organization is a multi-disciplined Covered Entity or Business Associate, and you need more granular help developing a compliance plan, it may be worthwhile reviewing our HIPAA compliance checklist.

Steve Alder, Editor-in-Chief, The HIPAA Journal

The post Seven Elements Of A Compliance Program appeared first on The HIPAA Journal.

How To Become HIPAA Compliant

Posted by HIPAA Journal

One of the simplest ways how to become HIPAA compliant is to adapt HHS’ “The Seven Fundamentals of an Effective Compliance Program” to address compliance challenges identified in a HIPAA risk assessment. Thereafter, it can be beneficial to take advantage of HIPAA compliance software in order to maintain a compliant workplace.

7 Steps for HIPAA Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2025. Here is a summary of the elements, which we outline in more detail in this guide.

  1. Develop policies and procedures so that day-to-day activities comply with the HIPAA Privacy Rule.
  2. Designate a privacy officer and a security officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

 

How To Become HIPAA Compliant

The best HIPAA compliance softwareYou can also read more about the background and history of the Seven Elements here. You might consider using HIPAA compliance software which has been designed to use the seven elements framework and can simplify and automate compliance, and provides comprehensive risk management processes.

Step 1: Why HIPAA Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing HIPAA Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the HIPAA Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered entities should ensure HIPAA Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Step 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Step 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make HIPAA Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

HIPAA Security Rule training must be focused on protecting PHI in all formats and even more focused on the consequences of taking shortcuts, circumnavigating safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the HIBP database to illustrate the importance of unique, complex passwords.

Step 4: The Importance of Two-Way Communication

While policy making and training has to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Step 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important to identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Step 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of a loved one being the victim of medical identity theft and the consequences of data breaches can encourage workforce compliance more than the threat of refresher training.

Step 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.

The post How To Become HIPAA Compliant appeared first on The HIPAA Journal.