Published on February 19th, 2023
Latest round of OCR audits highlight HIPAA risk analysis and risk management shortcomings
Phase 2 OCR audit summary
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has released its latest report with findings from their 2016 and 2017 series of audits as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)/HITECH Privacy, Security, and Breach Notification Rules (HIPAA Rules).
In all, 166 covered entities (CEs) and 41 business associates (BAs) underwent audits against the HIPAA Rules. While compliance with breach notification and with posting a Notice of Privacy Practices (NPP) was found to rate well, most covered entities came up short in the remaining five areas that were audited. The majority of covered entities did not meet requirements for:
- Properly safeguarding protected health information (PHI)
- Ensuring the right of individual access
- Providing appropriate content in their NPP
And finally, the majority of CEs and BAs failed to adhere to requirements for risk analysis and risk management, despite provisions from the prior set of audits conducted in 2012. Ultimately, over 80% of audit ratings did not meet appropriate compliance activities for risk analysis and risk management.
Risk analysis and risk management audit background
Now, one may ask, "why are risk analysis and risk management requirements not being met for something that's been around for a quarter century?" The answer is: there has consistently been a failure to perform a risk analysis as defined in the OCR methodology. OCR has defined a nine-step process and recommends the use of NIST (National Institute of Standards and Technology) information security products to meet the HIPAA Security Rule Implementation Specifications for Risk Analysis and Risk Management. If this first step isn't taken, then there is a high likelihood that an entity will fall into the 80% of those who don't meet sufficient HIPAA risk analysis and risk management practices.
The following question will likely be, "Okay, so how do we follow protocol for conducting a risk analysis with merit and maintain an effective, ongoing risk management program moving forward?" First, don't do what most audited entities have done, which includes:
- Performing a "check-the-box" analysis that does not adhere to the nine essential elements of an OCR risk analysis.
  - Many entities believe this option to be cost-effective. A more accurate term would be "insufficient."
- Assigning risk responsibilities to in-house staff where identifying high security risks conflicts with their self-interests. Work can quickly become skewed and cover up legitimate risks.
The above tactics have a history of resulting in financial, operational, and reputational harm. Failure to invest in effective resources in the short term can render costs much higher in the long run.
Additionally, the healthcare industry has an extensive amount of legacy systems and processes that increase attack surfaces from both inside and outside actors. A comprehensive risk management program can make significant inroads into reducing or even eliminating risk that otherwise wouldn't be discovered without conducting an OCR-ready risk analysis and remediation.
Coalfire risk analysis and risk management methodology
Risk Analysis
A Coalfire risk analysis focuses on providing clients with a defensible, OCR-ready risk analysis and risk management plan that aligns and conforms with the HIPAA Security Rule Standards and Implementation Specifications, including 45 C.F.R. § 164.308(a)(1)(ii)(A) and 45 C.F.R. § 164.308(a)(1)(ii)(B), and OCR's "Guidance on Risk Analysis Requirements Under the HIPAA Security Rule."
Several strategies are practiced by Coalfire in order to differentiate itself from the risk analysis and risk management practices that have been deemed insufficient in four out of every five OCR audits.
| Requirement | Other Practices (>80%) | Coalfire Practices |
| --- | --- | --- |
| Thorough analysis of threats to PHI | "Check-the-box" assessment of HIPAA Rules requirements | In-depth environmental analysis of all PHI assets |
| Industry best practices for risk analysis methodology | Home-grown processes | Finely tuned methodology built on OCR and NIST requirements and standards |
| Consultant expertise | First- or second-year associate consultants handling other industry verticals | Senior consultants with 5+ years specializing in healthcare risk |
| OCR-ready reports | Unfamiliar with OCR's nine essential elements of a HIPAA risk analysis | Reports accepted by OCR as reasonable and appropriate in addressing Risk Analysis and Risk Management requirements |
| Partnership in cybersecurity | "One and done" project | Multi-year deals with clients that recognize the value added to long-term Information Security Management Programs |
Risk Management
Coalfire's information security risk management methodology assesses the threat environment to determine potential vulnerabilities related to:
- Administrative Safeguards
- Technical Safeguards
- Documentation Controls
- Physical Safeguards
- Privacy Safeguards
Coalfire's approach implements key provisions of the NIST Risk Management Framework (RMF) document compendium (e.g., SP 800-30, 37, 39, 53, and 66) as recommended by OCR. Additional threats and vulnerabilities related to the ePHI (electronic protected health information) environments, which do not have specific HIPAA references but are important cybersecurity concerns, will be assessed to ensure a "comprehensive and thorough" set of deliverables.
The full audit report is available at HHS.