We take chances every day, in the firm hope of a payoff, no matter how small.
But if you’re a group health plan sponsor operating without a documented HIPAA risk/threat analysis you are taking an unnecessary risk with absolutely no reward—and a high likelihood of experiencing compromised protected health information (PHI) or electronic protected health information (ePHI).
Major causes of breaches
A snapshot of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website recently showed that 117 breaches affecting about 5.32 million people have been posted on the federal tally so far in 2022.
Phishing, compromised accounts (remote access) and unpatched vulnerabilities are the major threats to PHI/ePHI. Other examples of threats include computer virus/malicious code (e.g., malware, ransomware), human error/inadvertent acts of carelessness, unsecured electronic transmission, improper disposal of sensitive media, and lost or stolen laptops.
The Health and Human Services Office of Civil Rights (OCR) reported a 45% increase in Hacking/IT Incident breaches from 2019 to 2020. Ransomware accounted for 66% of 2020 Incident breaches. And according to the HIPAA Audits Industry Report only “small percentages of covered entities (14%) and business associates (17%) are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.”
“Risk comes from not knowing what you’re doing.” ~ Warren Buffett
Health plans and their business associate vendors with access to protected health information have a responsibility to conduct a thorough risk assessment. But how do you protect against real-time and ever-changing threats to PHI/ePHI as HIPAA requires?
The answer is provided by the Health and Human Services Office of Civil Rights (OCR): it is through “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.”
So, what does that mean?
A risk analysis considers a range of threats but also a range of possible solutions. To draw an analogy, if there is a threat of rain and you must be outside, you choose something to mitigate that threat, such as an umbrella or a raincoat; on a sunny summer day when there’s a risk of harm from UV exposure, you use sunscreen, seek shade or wear a hat.
Locate the targets—yours in particular
In the realm of HIPAA, an organization must set out to identify and inventory the locations where PHI and ePHI are stored. There can be PHI present in HRIS systems, email, various benefits administration systems, applications, physical storage locations, cloud servers, networks, and websites, to name a few.
The risk analysis must be preceded by a complete inventory of all equipment, data systems, and applications that store, transmit, or receive PHI/ePHI.
Once inventoried, the organization weighs the likelihood/frequency, cost/impact, vulnerability, and mitigating controls of various types of natural, human, and environmental threats that may apply. These can be very specific to the organization—for example, if you are in California, earthquakes could be an environmental threat worth considering.
High-risk threats should be mitigated through safeguards until the risk is lowered to an acceptable level, and the risk analysis itself should be well documented and shared with all involved parties responsible for protecting PHI/ePHI.
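The steps above (inventory the systems that hold PHI/ePHI, score each threat on likelihood, impact, vulnerability and mitigating controls, then treat whatever is still above an acceptable level and document the result) can be carried out as a simple risk register. The following Python script is an added illustration, not a tool from HHS/OCR or from the author: the 1-to-5 scales, the acceptable-residual threshold of 27, the control names and every asset and score in the sample data are constructed for the example. It also flags inventoried assets that have no threat assessed against them, the gap the article warns about when the inventory is incomplete.

```python
"""Constructed HIPAA-style risk register: scores inherent and residual risk
per (asset, threat) pair and reports gaps. Example code only; scales and
thresholds are assumptions, not an HHS/OCR method."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed threshold: a residual of 3 x 3 x 3 on 1-5 scales is "acceptable".
ACCEPTABLE_RESIDUAL = 27


@dataclass(frozen=True)
class Control:
    """A mitigating safeguard and how many scale points it removes."""
    name: str
    likelihood_cut: int = 0
    impact_cut: int = 0
    vulnerability_cut: int = 0


@dataclass(frozen=True)
class RiskItem:
    """One threat assessed against one PHI/ePHI-holding asset (1-5 scales)."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    vulnerability: int
    controls: tuple[Control, ...] = ()


def clamp(value: int) -> int:
    """Keep a score on the 1-5 scale after controls are subtracted."""
    return max(1, min(5, value))


def inherent_risk(item: RiskItem) -> int:
    """Risk before any safeguard is credited (1..125)."""
    return item.likelihood * item.impact * item.vulnerability


def residual_risk(item: RiskItem) -> int:
    """Risk after each control's reductions are applied to its factor."""
    lk = clamp(item.likelihood - sum(c.likelihood_cut for c in item.controls))
    im = clamp(item.impact - sum(c.impact_cut for c in item.controls))
    vu = clamp(item.vulnerability - sum(c.vulnerability_cut for c in item.controls))
    return lk * im * vu


def rating(score: int, acceptable: int = ACCEPTABLE_RESIDUAL) -> str:
    """Bucket a score: above the acceptable level is High and needs treatment."""
    if score > acceptable:
        return "High"
    return "Medium" if score > 8 else "Low"


def assess(register: list[RiskItem], acceptable: int = ACCEPTABLE_RESIDUAL) -> list[dict]:
    """Score every item and return rows sorted by residual risk, worst first."""
    rows = []
    for item in register:
        residual = residual_risk(item)
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "inherent": inherent_risk(item),
            "residual": residual,
            "rating": rating(residual, acceptable),
            "needs_treatment": residual > acceptable,
            "controls": [c.name for c in item.controls],
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def uncovered_assets(inventory: list[str], register: list[RiskItem]) -> set[str]:
    """Inventoried PHI locations with no threat assessed against them."""
    return set(inventory) - {item.asset for item in register}


def render_report(rows: list[dict], gaps: set[str], reviewed_on: date) -> str:
    """Produce the documentation record the analysis is supposed to leave behind."""
    lines = [f"Risk analysis reviewed {reviewed_on.isoformat()}"]
    for r in rows:
        flag = " TREAT" if r["needs_treatment"] else ""
        lines.append(f"{r['asset']:<22}{r['threat']:<24}inherent={r['inherent']:>3} "
                     f"residual={r['residual']:>3} {r['rating']}{flag}")
    for asset in sorted(gaps):
        lines.append(f"GAP: {asset} is in the inventory but has no threat assessed")
    return "\n".join(lines)


# Constructed sample inventory and register (not real systems or scores).
SAMPLE_INVENTORY = ["HRIS", "Benefits admin portal", "Email", "Laptops", "Cloud file share"]
TRAINING = Control("security awareness training", likelihood_cut=1)
MFA = Control("multi-factor authentication", vulnerability_cut=2)
FDE = Control("full-disk encryption", impact_cut=3)
WIPE = Control("remote wipe", impact_cut=1)
PATCH_SLA = Control("monthly patch SLA", vulnerability_cut=2)
WAF = Control("web application firewall", likelihood_cut=1)
TLS = Control("TLS enforced", vulnerability_cut=2)
SAMPLE_REGISTER = [
    RiskItem("Email", "phishing", 5, 4, 4, (TRAINING, MFA)),
    RiskItem("Laptops", "lost or stolen device", 3, 4, 3, (FDE, WIPE)),
    RiskItem("Benefits admin portal", "unpatched vulnerability", 4, 4, 4, (PATCH_SLA, WAF)),
    RiskItem("Cloud file share", "unsecured transmission", 2, 4, 2, (TLS,)),
]

if __name__ == "__main__":
    report_rows = assess(SAMPLE_REGISTER)
    print(render_report(report_rows, uncovered_assets(SAMPLE_INVENTORY, SAMPLE_REGISTER), date.today()))
```

Running it lists the email phishing risk first because its residual (32) is still above the assumed acceptable level even after training and MFA are credited, and it reports HRIS as a gap because it is inventoried but never assessed. The useful design point is that controls are tied to the factor they actually change (encryption lowers impact, patching lowers vulnerability), so the register shows why a safeguard moves the number rather than just that it does.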
Heavy lifting
This sounds like a heavy lift, but once you’ve gone through the process it becomes easier, particularly if your organization develops a policy of regularly updating the analysis.
Not all risks in life can be avoided, but the cost of failing to consider known or reasonably anticipated threats to protected health information can be high. The consequences of a breach are expensive; in 2021 a health plan agreed to a $5.1 million civil monetary penalty and a corrective action plan to resolve possible HIPAA failures found after a 2015 data breach impacting 9.3 million patients.
The solution is to gather the necessary people and take the time to ensure that your group health plan’s information is as secure as possible, revisit the analysis periodically, consider new and emerging risks, particularly cybersecurity threats, document the process, and keep it on file.
It takes only a split second for things to go horribly wrong. Far better to plan for the worst, stay informed of the threats, and thoroughly assess the risks to your plan’s protected health information being compromised.
The essence of being lucky, after all, is preparation.