Recently, the Department of Health and Human Services released an interactive security risk assessment tool intended to assist employers who sponsor self-insured group health plans in complying with their HIPAA security rule obligations. As background, HIPAA requires self-insured group health plans and their business associates to protect the confidentiality, integrity and availability of their electronic protected health information (ePHI). Most importantly in this regard, the law requires that these plans conduct a thorough and accurate assessment of the potential risks and vulnerabilities of their electronic ePHI. The requirement for a group health plan to conduct a security risk assessment has been in place since the HIPAA Security Rule was promulgated in 2003; however, very few group health plans have conducted security risk assessments for a number of reasons. In a recent HHS audit of covered entities, 20 of 35 health plans and 47 of 59 health care providers had not conducted a complete or accurate security risk assessment.
With HHS audit activity increasing and the potential for significant enforcement penalties, it is more important than ever for employers to make sure they have HIPAA privacy and security compliance covered. For example, last year the HHS announced a $1.2 million settlement with the Affinity Health Plan in connection with a HIPAA breach resulting from returning a leased copy machine without “wiping” the hard drive containing ePHI of over 340,000 health plan members.
The new HHS risk assessment software and toolkit can be accessed at http://www.healthit.gov/security-risk-assessment, and includes a user guide and tutorial video.
Security risk assessments are a key component of a covered entity’s or business associate’s HIPAA compliance program, which should include the following elements required by the regulations: HIPAA privacy and security policies, breach investigation procedures and notification policies, initial and refresher training for workforce members, and updated business associate and subcontractor business associate agreements with third parties and vendors.
HIPAA privacy and security rules also apply to health care providers and their business associates.