Risk Assessment for HIPAA and HITECH Act

January 2011

Subtitle D of the Health Information Technology for Economic and Clinical Health Act, known colloquially as “HITECH,” extends the Privacy and Security Provisions of HIPAA, previously applicable only to covered entities, to the business associates of covered entities as well.  The targeted outcome for both HIPAA and HITECH is to effectively reduce risks and vulnerabilities to a “reasonable and appropriate” level – a vague and subjective term which begs further consideration.

A useful method for assessing the “reasonableness,” “appropriateness,” and “effectiveness” of a HIPAA/HITECH program is to devise a focused risk assessment based on the framework provided by the HIPAA Security and Privacy rules.  While HIPAA guidelines provide discourse on the expected outcomes from an effective program, they are not always useful, nor were they designed, to tell the entity how to comply.

While this lack of clarity can be frustrating, a risk assessment provided by a third-party consultant can provide the discipline needed to objectively assess the entity against reasonable and appropriate standards by keying in on a few critical aspects of the plan:

Risks

By crafting a risk assessment plan of attack, an entity is given the tools to think through the “what-if” scenarios that yield insight into the true risks faced by the organization.  If we think of risk as a function of impact × likelihood, a third-party consultant can provide a useful assessment of potential risks and their impact, while Management can best assess the likelihood of the scenario.  Risk is best assessed collaboratively, combining the external view with internal knowledge of operations.

Design of Controls

Once risks are defined, a review of policies, procedures, and processes yields the controls in place that “effectively” mitigate risks to a “reasonable and appropriate” standard.  Once again, the entity’s Management is best situated to identify the processes in place, and the consultant is often better able to identify the controls inherent to those processes.  Not all controls exist as a neat checklist; the consultant can help identify the processes in place that mitigate risk – including those that Management may have overlooked.

Effectiveness of Controls

Just as not all controls exist as a checklist, not all checklists are controls.  Locked doors can be bypassed by propping them open, and system access controls can be circumvented by printing PHI to paper.  By designing tests of controls, the consultant can identify instances in which Management assertions about controls are not accurate, or in which controls are not functioning as designed.

A well-designed risk assessment will likely leave the entity with more questions than answers.  Consideration of the likelihood/impact of risks leads to discussion of the cost/benefit of proposed solutions.  Short-term versus long-term strategies are considered within a well-defined risk environment.  Before long, an exercise that started as a compliance requirement has led to greater understanding of the business, and a basis for enterprise planning going forward.

For questions on this article, please contact your BNN advisor at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.