Could it simply be a case of getting back to basics? It seems that a familiar theme emerging in HIPAA privacy and security compliance is the lack of proper risk analysis and risk assessment. This is gaining a lot of attention lately, with the preliminary results of the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) audits, which found deficiencies across the board in the area of risk analysis. Specifically, entities had difficulties in conducting thorough assessments and then taking action based upon the findings to remediate potential risks.
Earlier this year, the results of the 2012 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Advisory Solutions, found that an overwhelming 96 percent of respondents reported they conducted a formal risk analysis (the majority of which were performed using in-house resources). And yet, nearly 27 percent also reported they had experienced a breach of data within the past 12 months, up from 19 percent in 2010 and 13 percent in 2008.
Most recently, we reviewed the findings of the resolution agreements and monetary penalties handed down from HHS/OCR within the last two years, only to find the problem of inadequate risk analysis once again.1 The OCR noted inadequate or incomplete risk assessment or security evaluation in five of the eight incidents during this time period. The fines in these eight cases ranged widely, from $50,000 to $1.7 million.
These enforcement actions represent a small fraction of overall reported breach cases, but at the same time, it’s notable that 2012 has been OCR’s biggest year yet for enforcement actions and fines, totaling nearly $4 million. It’s entirely likely the trend will continue for 2013, and so the need to prepare becomes increasingly important. With self-driven tools like Kroll Advisory’s HIPAA Self Risk Assessment, the means to uncover and address risks are more readily available than ever before.
By Kroll Editorial Team
1 A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations and make reports to HHS for a certain period of time; it generally includes some type of penalty payment. In other cases, a civil money penalty may be imposed for failure to reach a satisfactory resolution.