Healthcare Risk Assessment
Managing risk in the hospital setting is a difficult but vital practice. On any given day, the risks are enormous: Situations ranging from data breaches to medical errors and hazardous conditions can arise, jeopardizing human safety, compliance and finances, reputations, and more.
Increasingly, your quality and risk managers or hospital administration may be offering education and training about how the facility performs and mitigates risk. But who, exactly, requires risk assessment, why is it necessary, and how can your organization better manage an effective program of risk assessment?
Every healthcare organization employee, administrator, and governing board member should know that risk assessment is mandated through the laws and guidelines of regulatory bodies. The U.S. Department of Health and Human Services (HHS) is perhaps the most widely known entity that requires and monitors risk compliance. Its Health Insurance Portability and Accountability Act (HIPAA) outlines breach and security rules that surround protected health information (PHI).
To comply with these HIPAA requirements, a hospital must perform a risk assessment of any potential breach to determine the probability of compromise of PHI, and it must perform a written risk assessment as to the vulnerabilities of electronic PHI.
Healthcare compliance is serious business with significant fiscal consequences. Penalties for regulatory noncompliance are steep in terms of monetary fines, exclusion from participation in federal healthcare programs, prison time, and reputational damage. Consider that:
Avoiding or mitigating legal breaches and monetary penalties is, of course, a huge incentive for including risk assessment in your healthcare compliance program. But besides the legal requirements and economics fueling its importance, there are other reasons to undertake the process. When issues are identified proactively through risk assessment and amended through the corrective action plan (CAP) process, patient safety and the provision of quality care are positively impacted.
The following are leading practices your organization may be employing when conducting effective risk assessment. No matter your role, do your homework: Tap into resources such as CMS and OIG to understand risk. If your role requires participation in risk assessment, identify the risk areas most crucial to your compliance program.
symplr is the leader in enterprise healthcare operations software and services. For more than 30 years and with deployments in 9 of 10 U.S. hospitals, symplr has been committed to improving healthcare operations through its cloud-based solutions, driving better operations for better outcomes. Our provider data management; workforce management; compliance, quality, and safety; and contract, supplier, and spend management solutions improve the efficiency and efficacy of healthcare operations, enabling caregivers to quickly handle administrative tasks so they have more time to do what they do best: provide high-quality patient care.
The NIST HIPAA Security Toolkit Application, developed by the National Institute of Standards and Technology (NIST), is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services.
We begin the series with the risk analysis requirement in 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.
All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. Organizations should use the information gleaned from their risk analysis as they, for example:
Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (e.g. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations.
Organizations should assign risk levels to every threat and vulnerability combination identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of a threat occurring and the impact if it does. One simple method is to derive the risk level from the average of the assigned likelihood and impact levels.
The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
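As an added example (not part of the OCR guidance), the register below applies the averaging method just described to a small constructed set of threat and vulnerability pairs and produces the documented output: an assigned level and a corrective action for each risk. It also adds a check the guidance does not mention, flagging rows where a High impact is hidden by a low likelihood, since averaging can understate those.

```python
from statistics import mean

# Constructed sample register (illustrative only): each row pairs a threat
# with the vulnerability it could exploit, rated 1 (Low) to 3 (High).
REGISTER = [
    {"threat": "lost laptop", "vulnerability": "unencrypted e-PHI on disk",
     "likelihood": 2, "impact": 3, "action": "enforce full-disk encryption"},
    {"threat": "phishing", "vulnerability": "no MFA on email",
     "likelihood": 3, "impact": 2, "action": "deploy MFA for all workforce accounts"},
    {"threat": "ransomware", "vulnerability": "untested backups",
     "likelihood": 1, "impact": 3, "action": "test restores quarterly"},
    {"threat": "shoulder surfing", "vulnerability": "unlocked workstations",
     "likelihood": 2, "impact": 1, "action": "five-minute screen lock policy"},
]

LEVELS = {1: "Low", 2: "Medium", 3: "High"}


def risk_score(likelihood: int, impact: int) -> float:
    """Average of likelihood and impact, as the guidance describes."""
    for value in (likelihood, impact):
        if value not in LEVELS:
            raise ValueError(f"rating must be 1, 2 or 3, got {value}")
    return mean((likelihood, impact))


def risk_level(score: float) -> str:
    """Band the average back onto the Low/Medium/High scale; .5 rounds up."""
    return LEVELS[min(3, int(score + 0.5))]


def assess(register):
    """Documented output: each row with its score, level and corrective action,
    highest risk first (stable sort keeps input order among equal scores)."""
    rows = []
    for row in register:
        score = risk_score(row["likelihood"], row["impact"])
        rows.append({**row, "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def masked_by_average(register):
    """Added check: High-impact rows whose average lands at Medium or below.
    These deserve a separate look before the averaged level is accepted."""
    return [r["threat"] for r in register
            if r["impact"] == 3 and risk_score(r["likelihood"], r["impact"]) <= 2]


if __name__ == "__main__":
    for r in assess(REGISTER):
        print(f'{r["level"]:6} {r["score"]:.1f}  {r["threat"]:16} -> {r["action"]}')
    print("review separately:", masked_by_average(REGISTER))
```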
The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.
A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. For example, if the covered entity has experienced a security incident, has had a change in ownership or turnover in key staff or management, or is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed to ensure the e-PHI is reasonably and appropriately protected. If it is determined that existing security measures are not sufficient to protect against the risks associated with evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed. Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels.
The Security Series papers available on the Office for Civil Rights (OCR) website contain a more detailed discussion of tools and methods available for risk analysis and risk management, as well as other Security Rule compliance requirements. Visit the OCR website for the latest guidance, FAQs and other information on the Security Rule.
Several other federal and non-federal organizations have developed materials that might be helpful to covered entities seeking to develop and implement risk analysis and risk management strategies. The Department of Health and Human Services does not endorse or recommend any particular risk analysis or risk management model. The documents referenced below do not constitute legally binding guidance for covered entities, nor does adherence to any or all of the standards contained in these materials prove substantial compliance with the risk analysis requirements of the Security Rule. Rather, the materials are presented as examples of frameworks and methodologies that some organizations use to guide their risk analysis efforts.