Case Study

In June of 2010, the non-profit Hospice of North Idado (HONI) had one of their laptops containing PHI (Protected Health Information) stolen.  Because the PHI was not encrypted, they were required by HIPAA to report the breach.  The ensuing investigation resulted in HONI agreeing to pay a $50,000 settlement to the HHS Office for Civil Rights (OCR).  It’s important to note that the fine wasn’t a direct result of the breach.  What was found during the investigation was that HONI had not conducted a risk analysis nor had they put in place policies and procedures regarding the security of PHI when using mobile technology, both requirements of the HIPAA security rule. 

What Could Have Been Done?

HONI could have avoided this situation by employing encryption technology to protect all of the PHI housed on their computer systems.  Use of sufficient encryption protocols, releases a covered entity from the requirements of the Breach Notification Rule. Even with encryption in place, however, a risk analysis and security policies and procedures are required by HIPAA.  OCR has released information on securing mobile devices, which can be found here.

A risk analysis is required and HIPAA notes that, to follow it, a covered entity must:  “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”  What HIPAA does not dictate, however, is exactly how the analysis must be conducted.  Further complicating things is the distinction between specifications that are “Required” vs. “Addressable”.  A covered entity must do things that are required.  If a specification is only “addressable” according to HIPAA, an entity can determine that it is not reasonable and appropriate for their situation/organization.  However, they must document why this is the case.

What Should Be In a HIPAA Risk Analysis?

There are many methods of performing a risk analysis and there is no single method that guarantees compliance with the Security Rule.  HIPAA does offer some guidance on what the analysis is required to include, however:

• Scope – The analysis must include all ePHI, regardless of storage (hard drive, CDs, laptops, cloud services, etc.)
• Data Collection – The entity must identify where ePHI is stored, received, maintained, or transmitted
• Identify and Document Potential Threats and Vulnerabilities – How might the security of the data be compromised?
• Assess Current Security Measures – Evaluate security currently in place.
• Determine the Likelihood of Threat Occurrence – Considering all threat/vulnerability combinations, how likely are they each to impact security of PHI.
• Determine the Potential Impact of Threat Occurrence – How critical is each threat?
• Determine the Level of Risk – Assign a risk level to each threat occurrence.
• Finalize Documentation – Documentation is required, but no specific format is advised.
• Periodic Review and Updates to the Risk Assessment– The risk analysis process should be ongoing, but a frequency is not advised.  At a bare minimum, it should occur any time new technology is employed.

You can find the full version here: Guidance on Risk Analyis Requirements under the HIPAA Security Rule

Recognizing the burden for smaller providers, HHS also offers special guidance for them.

The original press release  for the HONI case.

Update 3/28/2014 – Tools just released by the goverment HIPAA entities to help you complete a risk assessment:  Find them here

Need help with your risk assessment?  Contact Us!