The Reward of HIPAA Risk Assessment
By Julie Knudson
For The Record
Vol. 26 No. 9 P. 22
With the March release of a new security risk assessment (SRA) tool—the result of collaboration between the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR)—provider organizations now have a new way to identify potential risk areas and develop strategies to mitigate them. The tool isn’t perfect, but experts say it’s a good start.
Years in the Making
Four years ago, the ONC developed, alongside the regional extension center program grantees, a spreadsheet to help health organizations walk through a risk assessment. “It was an awareness-raising tool,” recalls Laura Rosas, JD, MPH, a senior advisor to the chief privacy officer at the ONC, adding that those first four dozen questions, which were intended to provide guidance to the grantees, would later form the building blocks of the new SRA tool.
Around the same time, the OCR was working with the National Institute of Standards and Technology to develop an SRA tool dubbed the security content automation protocol. “It’s still available on our website,” Rosas says. “There are about 800 questions for a large organization and about 600 for a small one, so it’s very thorough, but also overwhelming for a small provider practice.” As the tools began to receive wider use, a more targeted need emerged. “There was clearly a need for a much more robust tool for the smaller organizations that were the focus of the regional extension center program,” she says.
Community health centers, rural clinics, and critical access hospitals—small provider groups, often with limited resources—were clamoring for something more in tune with their needs. “We began to explore how we could work with the OCR to develop a more robust tool that was not based on an Excel spreadsheet, but was actually an application,” Rosas says. Over the last couple of years, the ONC has worked closely with the OCR to develop the current SRA tool using those early batches of security content automation protocol and regional extension center questions as a foundation. “We sat down, we rolled things up, we tried to consolidate, and we tried to reduce some things that would be redundant for small organizations but may be perfectly reasonable for a large organization,” Rosas says.
Those efforts were parlayed into an application designed to leverage that content and provide context for providers walking through the risk assessment process.
The new SRA tool is intended to help organizations connect risks and remediation steps, and answer tough questions such as “What are the threats and vulnerabilities if I don’t conduct an assessment?” and “What safeguards can be implemented?”
The tool is limited in how specific it can be. “I know people always want more specificity, but health care is extremely diverse,” Rosas says, adding that organization size and type are just two parameters among many. “We’ve tried to hit a balance between specificity and flexibility, which is actually how the security rule is supposed to be based.”
The Real World
Having spent several months in the hands of organizations, the SRA tool is generating feedback from its target audience. “It’s designed for the small practices and those who have had difficulty determining what a security risk assessment is,” says Rita Bowen, MA, RHIA, CHPS, SSGB, senior vice president of HIM and privacy officer at HealthPort, who believes some users haven’t completed a thorough risk assessment but still check “yes” when it comes to gauging compliance. For those providers, the tool allows them to conduct a risk assessment and cover their security processes at least at a basic level. “Now there’s going to be many [organizations] that are more advanced, and they’re going to go beyond that based off of their needs, but I think that this at least covers the basics to say, ‘Yes, I have hit the core minimum,’” she says.
Terry Edwards, president and CEO of PerfectServe, says the SRA tool is comprehensive, sports an organized structure for different regulation elements, asks appropriate questions, and allows for additional comments about safeguards in each of the appropriate areas. However, he describes the navigation when using it on an iPad as “horrendous,” noting that the time commitment to complete an assessment—already a significant undertaking—could become too much for users to bear. “This is the kind of thing where I could see a small or midsized practice administrator becoming overwhelmed with it and getting frustrated with it because of the challenges around navigation,” Edwards says.
In fact, the tool’s intended audience—small and midsized practices with up to 10 practitioners—may have the least amount of time to make use of it. “Providers in small clinics and in small care settings, they’re actually very frustrated because they’re looking for something to make their jobs easier, not something just to add more work to their day,” says Harry B. Rhodes, MBA, RHIA, CHPS, CDIP, CPHIMS, FAHIMA, director of HIM practice excellence at AHIMA. “Adding additional functionality to future iterations would be something this time-starved group would welcome.”
Organizations that make changes based on a first assessment may find it difficult to determine whether the work paid off, Rhodes says. “You can’t really do a reassessment and have it compare back to the one before unless you print out the original,” he says. Rather than adding new data to compare with earlier benchmarks, the tool requires users to type over the information entered in the previous assessment. Printing and comparing, Rhodes says, is an inefficiency smaller provider groups have scant time to support.
Rosas says the tool does provide the necessary avenues. “There is an audit feature which documents the changes. Also, printing it out time/date stamps the assessment,” she notes. “If we didn’t allow users to change the information, then the tool and the report would be very unwieldy.”
Bowen admires the SRA tool’s simplicity. Even small practices, where deep security knowledge often is not a strength, shouldn’t have much trouble utilizing the tool. “It’s simple enough for a lay person that may not be totally ingrained in the security processes to understand,” she says, adding that the tool will help users “ask the right questions or research the correct components” even if they haven’t adopted an EHR or other complex functions such as sharing information on a patient portal. “This helps them identify the questions they should be asking to ensure that privacy and security.”
For hospital systems still reliant on legacy data platforms and paper records, the SRA tool must be augmented by additional solutions designed to determine risk areas, says Robert Lynch, MBA, president of EvriChart. “[The tool] needs to be part of a broader security risk assessment plan,” he says. Hospitals operate within a wide range of storage requirements, some mandating that records be kept for many years (as in the case of infants), but the tool “is not going to identify a noncompliant paper storage facility, for example,” Lynch notes, adding that other methods of identifying potential security weaknesses and possible compliance gaps are necessary to ensure records in all their forms are properly protected.
Edwards says provider organizations likely will want to treat the tool like a living document. “To comply with HIPAA isn’t a once-and-done thing,” he says, noting that the process’s ongoing nature lends itself to a tool that can be used over time. In that regard, Edwards believes the SRA tool would be more compelling if it could upload and share data across multiple devices, a capability the current version doesn’t support.
Unexpected User Base
Given the SRA tool’s intended audience, it may be somewhat surprising to see so many larger organizations checking it out. But with the increasing emphasis on security and data protection, it makes sense that provider groups are eager to leverage every available resource. “I think probably the biggest reason is that they would like to do more risk analysis internally or augment their external assessments with their own internal analysis,” says Mac McMillan, FHIMSS, CISM, chairman, CEO, and cofounder of CynergisTek. Another potential reason is that larger groups may be evaluating the tool’s usability for smaller physician practices or other affiliations that fall under the organization’s umbrella. “This is an appropriate application of the tool, as it was developed for this community,” he says. “Hopefully, at this juncture it is not because they actually think this is an appropriate tool for their environment.”
It’s a common assumption that larger health care organizations, which typically boast more available resources, make regular use of outside experts to manage their security posture and risk profile. However, the Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security, released earlier this year, indicates otherwise. “They actually break down the number of people surveyed that were doing assessments manually … and it was interesting that the number of people going out to consultants or IT experts is very small,” Rhodes says. In fact, for those organizations that reported conducting and documenting postincident risk assessments as required in the Final Rule, the largest group (34%) said they used a manual process or an internal tool.
“If a firm in this basket is able to leverage a free tool that may help in their quest to remain in compliance, you can bet they’re going to use it,” Rhodes says. “Organizations opt for manual and internal tools, so one that is free and comprehensive would get their attention.”
Angela Youngberg, a partner at Waller, isn’t surprised large clinics and hospitals as well as small practices are using the new tool. “This tool fits everyone,” she says. Larger organizations may pull more actionable information out of the tool because “they’ll have the personnel to really dig into this and get it implemented,” she says. “Larger providers may use it for more frequent assessments.” Having additional resources to conduct granular and routine assessments may be another factor driving larger organizations to deploy a tool that was originally designed for smaller facilities.
On the other hand, Youngberg says small providers may use the SRA tool to help them determine where and when they need to seek additional expertise.
Tool Use ≠ Compliance
It’s the nut of the question for many providers: Does successful completion of a risk assessment using the SRA tool qualify an organization as being compliant? “The first bit of guidance is to understand that a risk assessment does not make you or your program compliant,” McMillan says. “Risk analysis is a process to assist organizations in understanding where they have risks and where their program [compliance] may be weak and in need of shoring up.”
Correctly assessing risk areas may identify what needs repair, but the assessment itself doesn’t actually resolve potential security or compliance issues. A well-executed assessment does allow organizations to “accurately identify risks so that they can inform policies, procedures, and controls appropriately,” McMillan says.
Performing an SRA and mitigating the findings is part of the meaningful use mandate, Rosas points out, adding that the SRA tool “is only as worthwhile as the time and effort someone puts into it.” In essence, the tool is a means to an end, not the end itself. “If someone has actually done a risk assessment and has a report, and really has tried to mitigate those findings that they have, then they will have probably met that [meaningful use] measure,” she says.
Youngberg, who recommends providers recognize the tool’s limitations, says it can be a useful complementary piece to go with the expertise of internal experts or outside consultants. “If you don’t have the sophistication, the time, or the personnel within your practice to really go through it in detail, then you need to get outside help,” she explains.
With the number of consultants available to assist with SRAs, even small organizations with few internal resources can leverage the tool’s usefulness as a starting point and then coordinate with an outside expert if necessary, Youngberg adds.
— Julie Knudson is a freelance writer based in Seattle.
Assessment vs Analysis
User comments posted on the Office of the National Coordinator for Health Information Technology’s (ONC) website have raised an issue that has less to do with the new security risk assessment (SRA) tool’s usability and more to do with its name. Provider organizations are noting the difference in the language used in the SRA’s name and the actual HIPAA security rule; the tool opts for “assessment” while the rule describes it as “analysis.”
In an attempt to clarify the issue, Laura Rosas, JD, MPH, a senior advisor to the chief privacy officer at the ONC, says the terms are interchangeable. “If you actually look at the HIPAA security rule, it says, ‘Perform a security risk analysis, then perform an assessment of the risk,’” she says.
Rosas says the reason for initially referring to it as an assessment was because providers at the regional extension centers and others had dubbed it as such. The tool’s creators went back and forth internally, then finally settled on assessment. “We thought, ‘Let’s name it a security risk assessment because that’s what everyone’s calling it and if we say analysis, they’ll be confused,’” she explains. “Now everyone has moved to analysis, which I think is good, and which is what’s in the statute.”
Although the terms are intended to mean the same thing, Rosas says there’s a good chance the tool eventually will be renamed to reference analysis.
Many organizations, even those with relatively few providers, are keen on the idea of expanding the new security risk assessment’s scope. “We have received a lot of comments about having a multisite tool,” says Laura Rosas, JD, MPH, a senior advisor to the chief privacy officer at the Office of the National Coordinator for Health Information Technology.
While the current version is able to support multiple people accessing the same tool, it’s designed for only a single site. Rosas has spoken to numerous organizations about potential workarounds to use the tool at multiple sites, but hopes it becomes a moot point in the near future. “It’s something we’re taking under advisement for the second version to see if we actually could create a multisite tool,” she says. “I don’t know if that’s possible with the current version, and how much coding that would take, but it is definitely on my short list of things to explore.”