HIPAA Risk Assessment: Third party vs self-assessment
Although the U.S. government allows healthcare providers under $5 million in annual revenue to perform a risk assessment themselves as part of the HIPAA requirements, is it a good idea? The alternative is to pay an independent third party to perform the risk assessment.
Many consider the Risk Assessment a necessary evil to avoid potential HIPAA fines. It is important to remember the fundamental intent of HIPAA; protect the patient’s data, maintain its integrity, and enable it to be available when needed. Making the effort to perform a quality risk assessment will better ensure you protect your patients and their electronic records, but also protect your practice and livelihood.
A fundamental aspect of a risk assessment is that it must be impartial in both identifying deficiencies and assessing risks. Therefore having a staff member perform the audit is much like a “self-fulfilling prophecy”. You will score yourself higher than the reality of the situation. There is a tendency to believe you’ll address that issue next week, or the chance of hacker targeting our practice is minimal because we are so small. But you will get busy and won’t get the issue corrected and cyber thieves are focusing on small practices because of their less capable defenses.
Practice managers and doctors often assume a self-assessment is quick, but if done properly, it’s a time consuming project. You may think it is less expensive to do a self-assessment, but it will cost more employee hours than a third-party audit. People also tend to forget the “lost opportunity” costs, that the employee could be working on other items to improve profitability of the practice.
The practice’s compliance officer faces difficulties in achieving a viable self-audit. They have to know which questions of the 400+ NIST questions to self-impose. For a small practice there are about 140 questions to be asked. They have to be qualified to perform the technical assessment and carve out the time to manage the project in an already overly busy job. They have to try to remain objective and NOT check boxes because they “think” the answer is yes. They must ask their technical provider for specific information about their network and computers and confirm it with valid reports from the technical provider. They need to know what to ask, proof that it is being done and know if what is being done is correct.
Hiring an independent third party may not be as easy as one thinks though. You must understand the “depth and breadth” of their capabilities and how the audit will be performed. Is it just them asking you questions and checking boxes, or will they “really look under the hood’? Ultimately, the practice is liable for loss or data and breaches. Are they sampling 10% of your network and computers or automatically checking all devices? Is a medical supplier or professional association the right third party, do they really know how to check all 10 areas of your practice for non-compliance? Can they be objective? HIPAA regulations now require far more than training awareness, policies and procedures and enforcement of those procedures. You now have to protect the data physically, digitally at rest and digitally during transit. You have to document and log most everything. You have to know about everything on your network and that it is not vulnerable and has not been breached. It has become a daunting set of tasks for a CIO, much less a practice manager or doctor.
Studies have shown, a third party performs such audits more objectively. They should have a broader and deeper understanding of the current regulations, and what to ask and what to look for. Their experience gives them knowledge of common deficiencies, current trends and vulnerabilities. As a professional service the third party should bring best practices to help raise the standard for the practices everyday operations in all four areas of the HIPAA regulations. Third party audits provide a new set of eyes to view the operation. Often seeing issues and areas of improvement that the staff has simply become accustom to and overlooks in their day-to-day routine and even during a self-assessment.
The ever increasing focus is on cyber-crime. Hackers are using more sophisticated techniques to steal patient data because of its high value on the black market. Small practices are being targeted at an alarming rate because of their less capable defenses. Do they have tools to discover ALL devices on your network, including the network components? Do they have capabilities to check the compliance of such devices? Can they provide you a single report that is clear and easy to understand with actionable information that will enable you to efficiently correct deficiencies? Can they provide continuous security monitoring of your networks and systems.
The goal isn’t to get a gold star on your HIPAA audit, it’s to protect your patient’s PHI and not have a breach or loss of data leading to a large, potentially crippling, fine for non-compliance.
The most significant impact of a data breach for practices is the loss of patients’ trust in the provider’s ability and willingness to properly protect their personal information. A third party audit gives credibility to the practice’s intent to protect the patient’s data and should help the practice better protect the data.
For more information on HIPAA, HITECH and Cyber Security and Breaches visit our web site at http://thirdrock.com.