
If you think a risk analysis is just another box to check on the HIPAA compliance to-do list, this episode might feel a bit like a reality check… with receipts. Using a real OCR settlement involving a phishing attack and nearly 2,000 patients’ data, this discussion digs into what regulators actually expect when they say “risk analysis.” Spoiler alert: it’s a lot more than running a quick scan and calling it a day.
In this episode:
Risk Analysis – Not a Checkbox, Not Optional – Ep 551
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Risk Analysis – Not a Checkbox, Not Optional
[00:41] Top of the World Ranch Treatment Center (TWRTC) SRA Settlement
Phishing led to a compromised workforce email account and ePHI being accessed; TWRTC reported the breach in March 2023. OCR resolution agreement: $103k and a two-year corrective action plan (CAP).
The settlement resolves an investigation of TWRTC that OCR initiated after receiving a breach report that TWRTC filed in March 2023. TWRTC reported that, as a result of a successful phishing attack, an unauthorized third party accessed ePHI through a workforce member’s email account. TWRTC concluded that the ePHI for 1,980 patients was compromised by the attack. OCR’s investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI TWRTC holds as required by the HIPAA Security Rule.
OCR Director Statement:
“In a time where health care providers and other HIPAA regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever,” said OCR Director Paula M. Stannard. “Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information.”
[09:06] Slightly new wording in the CAP
TWRTC shall conduct and complete an accurate and thorough risk analysis of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (“ePHI”) it holds. This risk analysis shall incorporate all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by TWRTC that contain, store, transmit, or receive ePHI. As part of this process, TWRTC shall include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI that will then be incorporated in its risk analysis. The risk analysis will include vulnerability scans and penetration testing.
TWRTC shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis specified in section V.A.1 above, including any risks and vulnerabilities pertaining to the accessibility of ePHI. The risk management plan shall include a process and timeline for TWRTC implementation, evaluation, and revision of its risk remediation activities.
TWRTC shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by TWRTC and document the security measures TWRTC implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding risk management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of this CAP.
Within thirty (30) days of the Effective Date, TWRTC shall review and, as necessary, develop or revise its written policies, procedures, and other written communications related to:
(1) Risk Analysis,
(2) Risk Management,
(3) Information System Activity Review, and
(4) Breach Notification.
TWRTC shall assess, update, and revise, as necessary, the policies and procedures at least annually or as needed.
[20:06] Minimum Content of Policies and Procedures
The policies and procedures subject to this CAP shall include policies and procedures that address the following Privacy, Security, and Breach Notification Rule provisions:
a. Risk Analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A), including provisions to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by TWRTC and to conduct the accurate and thorough assessment on an annual basis.
b. Risk Management – 45 C.F.R. § 164.308(a)(1)(ii)(B), including provisions to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
c. Information System Activity Review – 45 C.F.R. § 164.308(a)(1)(ii)(D), including provisions to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
d. Breach Notification – 45 C.F.R. §§ 164.404, 164.406, 164.408, including provisions to timely notify
(1) each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach,
(2) the media, and
(3) the Secretary.
e. Training – 45 C.F.R. § 164.530(b) and § 164.308(a)(5), including
(1) provisions to train all members of TWRTC’s workforce on its policies and procedures with respect to PHI as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity, and
(2) implementation of a security awareness and training program for all members of TWRTC’s workforce (including management), to include periodic security updates, procedures for guarding against, detecting, and reporting malicious software, and procedures for creating, changing, and safeguarding passwords.
3. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All course materials shall be retained in compliance with section VII.
4. TWRTC shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.
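The Information System Activity Review provision above asks for regular review of audit logs and access reports, and the breach behind this settlement started with a phished mailbox. What follows is an added example of that review, not code from the episode or from the resolution agreement: it runs over a mailbox audit log and flags the pattern a compromised account leaves behind (a sign-in from a country the user never signs in from, then a forwarding rule or a bulk mailbox read within a day). The JSON-lines log layout, the sample events, the user names and the baseline of expected sign-in countries are all constructed assumptions; a real Microsoft 365 or Google Workspace export uses its own schema and has to be mapped onto these fields first.

```python
"""Review a mailbox audit log for the indicators of a phished workforce account.

Added example, not from the episode or the OCR resolution agreement. The log
layout (JSON lines with ts, user, op, ip, country, detail) is a constructed
simplification, not any provider's real audit schema.
"""
from datetime import datetime, timedelta
import json

# Constructed sample: one user's normal sign-in, then a sign-in from an
# unfamiliar country followed by a forwarding rule and a bulk mailbox read.
SAMPLE_LOG = """\
{"ts": "2023-03-01T08:02:11Z", "user": "jdoe", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "US"}
{"ts": "2023-03-01T08:05:40Z", "user": "jdoe", "op": "MailItemsAccessed", "ip": "203.0.113.10", "country": "US", "detail": "12 items"}
{"ts": "2023-03-02T03:14:07Z", "user": "jdoe", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG"}
{"ts": "2023-03-02T03:16:55Z", "user": "jdoe", "op": "New-InboxRule", "ip": "198.51.100.77", "country": "NG", "detail": "ForwardTo=external@example.net"}
{"ts": "2023-03-02T03:20:01Z", "user": "jdoe", "op": "MailItemsAccessed", "ip": "198.51.100.77", "country": "NG", "detail": "1980 items"}
{"ts": "2023-03-02T09:00:00Z", "user": "asmith", "op": "UserLoggedIn", "ip": "203.0.113.22", "country": "US"}
"""

# Assumed baseline of countries each user normally signs in from. Build this
# from a trailing period before the window under review, not from the log itself.
KNOWN_SIGNIN_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}

# Operations an attacker uses to persist in, or loot, a mailbox.
PERSISTENCE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add-MailboxPermission"}
BULK_ACCESS_OPS = {"MailItemsAccessed", "SearchQueryInitiated"}
WINDOW = timedelta(hours=24)


def parse_log(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _finding(ev, indicator):
    return {"user": ev["user"], "ts": ev["ts"].isoformat(), "indicator": indicator,
            "ip": ev["ip"], "detail": ev.get("detail", "")}


def review_mailbox_log(events, known_countries, window=WINDOW):
    """Return a list of findings; an empty list means nothing to investigate."""
    findings = []
    last_unfamiliar = {}  # user -> time of the most recent sign-in from an unknown country
    for ev in events:
        user, op, ts, detail = ev["user"], ev["op"], ev["ts"], ev.get("detail", "")
        if op == "UserLoggedIn":
            if ev["country"] not in known_countries.get(user, set()):
                last_unfamiliar[user] = ts
                findings.append(_finding(ev, "signin_unfamiliar_country"))
            continue
        # A forwarding rule is worth a look on its own, wherever it came from.
        if op in {"New-InboxRule", "Set-InboxRule"} and "ForwardTo=" in detail:
            findings.append(_finding(ev, "mail_forwarding_rule"))
        recent = user in last_unfamiliar and ts - last_unfamiliar[user] <= window
        if recent and op in PERSISTENCE_OPS:
            findings.append(_finding(ev, "persistence_after_unfamiliar_signin"))
        elif recent and op in BULK_ACCESS_OPS:
            findings.append(_finding(ev, "bulk_access_after_unfamiliar_signin"))
    return findings


if __name__ == "__main__":
    for f in review_mailbox_log(parse_log(SAMPLE_LOG), KNOWN_SIGNIN_COUNTRIES):
        print(f'{f["ts"]} {f["user"]:<8} {f["indicator"]:<36} {f["ip"]} {f["detail"]}')
```

The review is only as good as its inputs: the provider has to be configured to record mailbox access and rule changes in the first place, and the "expected countries" baseline is an assumption that belongs in the risk analysis rather than in a script. Each finding here is a starting point for the investigation the CAP's Reportable Events section expects, not a verdict.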
[27:13] Violations of policies happen – are you handling them?
This section is not new in these agreements, but it is a good time to point out what a violation means, because we see this problem all the time.
It is not credible to say that nobody has ever violated a policy. People tell us all the time that they have not applied any sanctions in the last six years because nobody violated HIPAA. Wrong! The sanctions process applies to any failure to follow your policies and procedures, not only to a confirmed HIPAA violation.
H. Reportable Events
During the Compliance Term, TWRTC shall, upon receiving information that a workforce member may have failed to comply with its policies and procedures, promptly investigate this matter. If TWRTC determines, after review and investigation, that a workforce member has failed to comply with these policies and procedures, TWRTC shall notify HHS in writing within thirty (30) days. Such violations shall be known as Reportable Events. The report to HHS shall include the following information:
1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and
2. A description of the actions taken and any further steps TWRTC plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with its HIPAA Rules policies and procedures.
This is included to show them they need to actually implement and enforce the policies and procedures. This is the documentation we should all be keeping when there is any kind of policy violation.
[31:22] Key Takeaways:
- Phishing is still driving enforcement
- Email accounts remain a high-risk entry point
- Risk analysis must be comprehensive and documented
- An annual risk analysis is expected, not one every 2 to 3 years
- Inventory is critical – an inventory of everything that holds or touches ePHI
- Vulnerability scanning and penetration testing are increasingly expected as part of the SRA, but they do not make up the entire SRA
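The CAP language above ties the risk analysis to a complete inventory and treats scans and penetration tests as inputs to it, not as the analysis itself. This added example (not from the episode, OCR or the resolution agreement) shows what that reconciliation looks like in practice: it reads an ePHI asset inventory and vulnerability-scan output, flags ePHI assets with no assessment evidence and scanned hosts that are missing from the inventory, and carries a risk no scanner can find (workforce phishing) into the same register. The inventory, the scan findings, the asset names and the 1-3 likelihood and impact scale are constructed assumptions, not any scanner's export format or a prescribed scoring method.

```python
"""Reconcile an ePHI asset inventory with vulnerability-scan output and build a
risk register that also carries risks no scanner can see.

Added example, not from the episode or the OCR resolution agreement. The CSV
and JSON layouts, asset names, findings and the 1-3 scale are assumptions.
"""
import csv
import io
import json

# Constructed inventory: what the organization believes it has.
INVENTORY_CSV = """\
asset,kind,stores_ephi,owner
ehr-db01,server,yes,IT
mail-o365,saas,yes,IT
billing-ws02,workstation,yes,Billing
offsite-backup,offsite storage,yes,IT
lobby-kiosk,workstation,no,Front desk
"""

# Constructed scan output. Note imaging-srv: scanned, but nobody inventoried it.
SCAN_JSON = """\
[
 {"asset": "ehr-db01", "severity": "high", "title": "Missing security updates"},
 {"asset": "ehr-db01", "severity": "medium", "title": "Weak TLS configuration"},
 {"asset": "lobby-kiosk", "severity": "low", "title": "Service banner discloses version"},
 {"asset": "imaging-srv", "severity": "high", "title": "Default administrative credentials"}
]
"""

# Risks that come from interviews, policy review and pen-test narratives rather
# than a scanner; the scan is a portion of the analysis, this is the rest.
MANUAL_RISKS = [
    {"asset": "mail-o365", "title": "Workforce phishing leading to mailbox compromise", "likelihood": 3},
]

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}  # assumed mapping of scanner severity


def load_inventory(text):
    return {row["asset"]: row for row in csv.DictReader(io.StringIO(text))}


def impact(inventory, asset):
    """3 if the asset holds ePHI or is unknown (assume the worst until it is
    inventoried), 1 otherwise."""
    row = inventory.get(asset)
    if row is None or row["stores_ephi"].strip().lower() == "yes":
        return 3
    return 1


def _entry(inventory, asset, title, likelihood, source):
    imp = impact(inventory, asset)
    return {"asset": asset, "title": title, "likelihood": likelihood,
            "impact": imp, "score": likelihood * imp, "source": source}


def build_register(inventory_csv, scan_json, manual_risks):
    inventory = load_inventory(inventory_csv)
    scan = json.loads(scan_json)
    register = []

    for f in scan:
        register.append(_entry(inventory, f["asset"], f["title"], LIKELIHOOD[f["severity"]], "scan"))
    for r in manual_risks:
        register.append(_entry(inventory, r["asset"], r["title"], r["likelihood"], "manual"))

    # Coverage check: every ePHI asset needs assessment evidence from somewhere.
    assessed = {f["asset"] for f in scan} | {r["asset"] for r in manual_risks}
    unassessed_ephi = sorted(a for a, row in inventory.items()
                             if row["stores_ephi"].strip().lower() == "yes" and a not in assessed)
    for a in unassessed_ephi:
        # Unknown exposure of ePHI is itself a high risk until someone looks.
        register.append(_entry(inventory, a, "No risk assessment evidence for ePHI asset", 3, "gap"))

    # Inventory check: anything the scanner saw that the inventory does not know about.
    missing_from_inventory = sorted({f["asset"] for f in scan} - set(inventory))

    register.sort(key=lambda e: (-e["score"], e["asset"], e["title"]))
    return {"register": register, "unassessed_ephi_assets": unassessed_ephi,
            "assets_missing_from_inventory": missing_from_inventory}


if __name__ == "__main__":
    result = build_register(INVENTORY_CSV, SCAN_JSON, MANUAL_RISKS)
    for e in result["register"]:
        print(f'{e["score"]:>2} {e["asset"]:<15} {e["source"]:<6} {e["title"]}')
    print("Unassessed ePHI assets:", result["unassessed_ephi_assets"])
    print("Scanned but not in inventory:", result["assets_missing_from_inventory"])
```

Two of the highest-scoring rows come from the gap check rather than from any finding: a billing workstation and an off-site backup that hold ePHI and were never assessed. A SaaS mailbox or an off-site storage facility will not show up in a network scan at all, which is exactly why the CAP lists them in the inventory separately; their assessment evidence is a vendor controls review or a business associate agreement, recorded in the same register.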
At the end of the day, the lesson from this settlement is pretty simple: you can’t protect what you haven’t identified. A real risk analysis isn’t a checkbox, a vulnerability scan, or a document you dust off every few years—it’s an ongoing process that tells you where your data lives, where your risks are hiding, and what you actually need to fix. Skip that step, and you’re basically flying blind… which regulators tend to notice.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.


