Healthcare organizations and their business associates must be careful to avoid making mistakes with their HIPAA security risk analysis in case they ever undergo a compliance review or breach investigation by federal regulators, says privacy attorney Adam Greene.
"What I see a lot of - and it's both sad and frustrating - is that a covered entity or business associate might hire an outside security consultant to do a security risk assessment ... but what they end up getting is a gap analysis against the HIPAA Security Rule or another set of controls," he says in an interview with Information Security Media Group.
While a gap analysis can be helpful, "it's not the sort of risk assessment that the Department of Health and Human Services' Office for Civil Rights is looking for ... if there's an investigation, audit or breach," he stresses.
What OCR is looking for in a HIPAA security risk analysis "is threat/vulnerability pairings" involving protected health information, he explains.
"But what we sometimes see instead is a checklist approach of the different security rule requirements ... sometimes without even mention of 'threat,' 'vulnerability,' 'likelihood' and 'impact' - the terms that OCR guidance says must be part of any risk analysis."
Documentation Issues
Providing security risk analysis documentation to OCR when faced with a compliance review or investigation can also prove tricky, Greene notes.
For instance, the list of recommendations that grows out of a security risk analysis isn't necessarily what an entity should turn over to OCR, he says.
"[Legal] counsel can play an important role in making sure you end up with deliverables that can be delivered to OCR while having a claim of privilege with respect to initial recommendations that may not have been ready for prime time and required some level of legal review and counsel," he says.
In this interview, Greene also discusses:

Who should lead a security risk assessment;
When an attorney should be part of a HIPAA security risk analysis;
Other advice to improve security risk analysis practices.

As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at OCR, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.