No risk analysis? That’s the root of all evil

The failure of covered entities (CEs) and business associates (BAs) to perform risk analyses “is the root of all evil that we see,” Abby Bonjean, Investigator for HHS’ Office for Civil Rights (OCR), Midwestern Regional Office, told an audience at the Healthcare Information and Management Systems Society (HIMSS) Privacy & Security Forum in Chicago. Alessandra Swanson, Supervisory Equal Opportunity Specialist (SEOS) Team Leader for the OCR, spoke with Bonjean and emphasized that the risk analysis is the foundation of the entire Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Security Rule compliance program. When investigating alleged breaches or performing routine audits, OCR investigators will expect to see an accurate and thorough analysis, along with documentation of actions taken to mitigate identified risks. Barry Herrin, a partner with Smith Moore Leatherwood LLP in Atlanta, spoke separately and weighed in with tips for responding to audits and complaints.

Risk analysis

Although compliance professionals may refer to a risk “assessment,” the OCR uses the term “analysis” to be consistent with the language in the HIPAA Security Rule. The failure to conduct a thorough analysis, or to conduct an analysis at all, is the main compliance issue that the OCR sees. A thorough analysis should be enterprise-wide; cover all electronic protected health information (ePHI) that the organization creates, maintains, or transmits; apply to all places in which information is stored, including mobile devices, medical devices, and servers; and cover risk to the ePHI during both use and disposal. An analysis should be updated when major changes, such as a merger, occur within an organization. Should a breach occur, OCR investigators will ask to see a copy of the risk analysis that had been performed prior to the incident. Herrin noted that entities should respond to OCR audits in the same way that a fifth grader would respond to a math problem: “Show your work, or no one understands why you made the decisions you did.”

Furthermore, CEs and BAs must take actions to mitigate the risks uncovered during an analysis. Investigators will ask to view risk management plans that were in place at the time that a breach occurred. Herrin noted that auditors may ask for information regarding safeguards in place, prior complaints, staff training, and other mitigating actions. Failure to mitigate risks within a reasonable timeframe can result in an enforcement action. For example, the OCR fined Concentra heavily when a laptop containing unencrypted health data was stolen. Although Concentra had identified unencrypted data as a security risk and began encrypting data in June 2008, it still had not completed the process when the laptop was stolen in November 2011. The provider paid $1,725,220 to settle privacy and security claims.

Breach analysis

CEs and BAs must notify patients of breaches unless the entities demonstrate a low probability that PHI was compromised. When attempting to determine whether a breach occurred, Swanson cautioned CEs and BAs to focus on the risk to the data, not the risk of harm to the individual. Herrin suggested first determining whether the affected information falls into an exception permitting a specific use or disclosure of data. If it does, there’s no need to perform an additional analysis.

Swanson also noted that, as of May 31, 2015, 49 percent of all breaches affecting 500 or more individuals resulted from theft; 20 percent of information was taken from laptops. According to Bonjean, “If I leave my laptop in my car, I just assume it’s going to be stolen. That’s how many of these cases we see.” Swanson touted encryption as a solution to theft-related problems. “It’s easy, generally inexpensive, and it’s probably the best way to prevent a breach.”