Security Risk Assessments: Critical regardless of practice size

In small- to-medium sized practices, there are necessarily fewer resources available for implementing the policies and procedures that will insure compliance with the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) offers resources for smaller practices, where legal counsel is unlikely to be on staff, and security experts are more likely to be contracted than employed.

In 2014, the Office of the National Coordinator for Health IT (ONC) in collaboration with HHS’ Office for Civil Rights (OCR) released a downloadable security risk assessment (SRA) tool to help guide practices through the assessment process.

Jordan Cohen, JD, an attorney with Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo in New York, New York, says the HHS tool is a good first step for smaller practices that want to conduct a risk assessment. He cautions, though, that the SRA is “only one tool, and the risk assessment is only one aspect of HIPAA compliance.”

The National Institute of Standards and Technology (NIST) also has a tool to help practices comply with the security rule portion of HIPAA, which Cohen recommends because it includes a risk assessment, as well as help with implementing the assessment and other requirements of the rule. There are also paid applications and consultants who can assist with the process. “Whether these tools are needed really depends on the size of the practice and the complexity of its systems,” he says.

Regardless of how a practice approaches completing a security risk assessment, Cohen says staff should participate. “Input from the practice’s workforce, especially its IT employees, is essential given their understanding of the structure and operation of the practice’s systems,” he says.

Practices have options when it comes to conducting a security assessment, but Kate Stewart, JD, attorney with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, in Boston, Massachusetts, says that, whatever tool is used to conduct the assessment, it is important to make sure it will meet the needs of the practice using it.

“You cannot find an off-the-shelf solution,” she says, because each practice is unique. Even if a practice used a particular tool three or four years ago, Stewart says, things have probably changed. Perhaps the practice has added mobile devices, or employees are now allowed to take laptops home, whereas they couldn’t at the time of the previous assessment.

Cohen concurs, adding, “Part of a risk assessment is understanding and documenting the threats to ePHI [electronic personal health information] that a practice faces.” For instance, a practice which hosts a patient portal application will need a far different security assessment tool than one that does not offer such a digital portal. “Assessing these threats may vary depending on the characteristics of the practice,” he says.

HIPAA does not mandate the frequency with which practices should conduct security assessments, saying, “Practices may conduct them annually, biannually or on a different schedule depending on their circumstances.”

In part, the situation should dictate the frequency of assessments. If there has been a security incident or breach, or if a practice is implementing new technology, a less intense, follow-up assessment may be warranted.

In 2015, HHS released an additional tool titled “

” which could be useful for practices conducting follow-up assessments.

The OCR recently announced an initiative to investigate breaches that involve the PHI of fewer than 500 people, making tools designed to help smaller practices determine their security risks especially timely.  Cohen says the OCR has been under pressure to more aggressively enforce the law, adding, “I would expect to see enforcement actions rise in the near future.”

“Smaller practices would be wise to invest time and resources to document HIPAA compliance, especially given the more aggressive enforcement position that OCR is taking,” says Cohen.