Jill Callahan-Dennis, JD, RHIA, Health Risk Advantage
Introduction and Background
As part of their preparations for compliance with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations need to compare their current information-handling and information-disclosure practices to the requirements of HIPAA's implementing regulations. Both the final privacy rule and the proposed (as of the date this was written) information security regulations speak to the need for performing a risk assessment-often referred to as a gap analysis, but the scope of a gap analysis is probably narrower, as discussed below-to identify areas of noncompliance and targets for change.
But beyond the HIPAA requirements, there are a number of good business reasons for performing a risk assessment of the organization's computer-based and paper-based information systems. System weaknesses can subject the organization to liability for breaches of confidentiality and invasions of privacy. Inappropriate uses or disclosures of information can result in negative publicity, which can drive patients to choose other healthcare providers out of concern for their privacy. System flaws and "holes" can result in corruption or loss of vital data or inappropriate alteration or manipulation of data.
On a variety of levels, it simply makes good sense to conduct a risk assessment of the healthcare organization's information systems and to use the results in developing strategies for HIPAA compliance.
What Are the Goals of a Risk Assessment?
We know that we need to assess the risks associated with our health information systems. Vendors have noticed this need as well: an Internet search with the search terms "privacy risk assessment" and "HIPAA gap analysis" will yield a long list of consultants and vendors offering these services to healthcare organizations. There are many similarities between the general approaches to risk assessment or gap analysis being marketed, but there are also important differences. Before committing to any particular approach, the healthcare organization needs to identify its own goals and expected outcomes, or "deliverables," for the risk assessment.
This paper uses the term "risk assessment" to describe an evaluation of the potential risks associated with how the organization collects, uses, manages, and discloses health information. The term "gap analysis" refers to analyzing the organization's information-handling practices against the requirements of HIPAA and identifying gaps between current practices and required practices under HIPAA.
In a sense, gap analysis is an important part of any information risk assessment in a healthcare organization because HIPAA is a framework within which we must all work. However, there are benefits to looking at a broader set of potential risks than merely HIPAA noncompliance. For example, it is possible to be in compliance with HIPAA and still have important vulnerabilities or system weaknesses that could lead to liability.
In selecting an approach to use in conducting a risk assessment or gap analysis, the healthcare organization needs to determine the scope of the activity: Is this something we are doing strictly to comply with HIPAA, or do we want a broader focus in which system weaknesses that are not addressed by HIPAA requirements are also discovered?
Below is a sampling of some possible goals for any health information system risk assessment:
- Identify all areas of noncompliance with HIPAA's requirements (technical, procedural, training, administrative, and so on-this is the gap analysis)
- Identify computerized and paper-based health information system vulnerabilities beyond the scope of HIPAA (for example, licensing violations, cultural factors predisposing the system to problems, and so on)
- Evaluate weaknesses that have led to breaches of confidentiality in the past, as documented through claims, lawsuits, occurrence or incident reports, and patient and family complaints or concerns
- Establish an up-to-date inventory of all hardware and software resources
- Map the internal and external flow of protected health information
Some healthcare organizations will conduct the risk assessment entirely on their own by using existing resources and in-house talent. Others will prefer to include external resources, to provide an objective point of view or some specialized expertise that is not available in-house, in their assessment. Regardless of your approach, it is important that the task force or committee coordinating the risk assessment be informed of the organization's goals for the assessment. Putting those goals into writing as a mission statement for the group is an important, and often overlooked, first step.
Once the objectives are agreed on, a team can be established to decide the details of the approach and to coordinate the risk assessment. The session handouts discuss the ideal qualifications and backgrounds of team members.
Resources for Performing the Risk Assessment
The handouts for this session present a sample protocol for performing a risk assessment. However, those embarking on an assessment should be aware that there are a variety of viable approaches. Teams planning their own risk assessment should evaluate these varying approaches to select a methodology that offers the best fit for their organization, or they can combine the most appropriate ideas from various methodologies to develop a customized risk assessment.
The purpose of this technical paper is to present a sampling of resources on and approaches to privacy risk assessments so that risk assessment teams can quickly identify their options and get started on this important task. This is not a complete listing of all related resources, and inclusion in this list does not imply endorsement by either AHIMA or Health Risk Advantage; however, the list is offered as a starting point for healthcare organizations seeking ideas on conducting an information system risk assessment.
An article by Tom Grove of Superior Consultant Company on planning for a successful HIPAA implementation, including gap analysis, is available at www.advanceforhim.com/pastarticles/mar26_01cover.html.
AXIOM systems has joined forces with Data Junction, a provider of e-business software, to offer HIPAA Junction, a visual data-mapping tool for use in assessing HIPAA compliance. It is available at www.axiom-systems.com/news/news5.html.
A description of Baylor College of Medicine's HIPAA compliance program, including their steering committee's activities, which include the development of a risk assessment questionnaire, is available at www.bcm.tmc.edu/compliance/feb01reged.htm.
Information about OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), a self-directed risk evaluation that focuses on information security but also has assessment tools relevant to privacy, is available at www.cert.org/octave/. This evaluation helps benchmark your organization against known or accepted good practices.
A PowerPoint presentation by Superior Consultant Company describes an approach to doing a HIPAA risk assessment and is available at www.chime.org/security/presentations/RiskAssessment.pdf.
The Web site of Cross Country Technologies' HIPAA product line is available at www.hipaahub.com/pages/services.html. They offer educational services and HIPAA compliance tools. Their HIPAA Quick Analysis is a gap analysis methodology designed around a series of interviews done by a team of consultants, with a review of related documentation, that results in a report about the organization's state of readiness for HIPAA.
A HIPAA risk assessment checklist developed by the Ohio Department of Mental Health is available at www.mh.state.oh.us/hipaa/hipaa-risk-assessment.html. It includes links to a document checklist to help their departments and organizations collect and revise all policies and procedures affected by HIPAA.
HIPAA EarlyView is a software-based self-assessment tool designed to help healthcare organizations and health plans assess their compliance with HIPAA's security regulations. It is available at www.nchica.org/activities/EarlyView/nchicahipaa_earlyview_tool.htm.
AHIMA has numerous resources for privacy officers and HIPAA compliance teams seeking to construct their own privacy risk assessment. The most relevant resources available from their Web site include the following:
- "Ready, Set, Assess! An Action Plan for Conducting a HIPAA Privacy Risk Assessment," at www.ahima.org/journal/features/feature.0105.1.htm (see the full citation under "References")
- "HIPAA on the Job: Conducting Your own Internal Assessment," at www.ahima.org/journal/features/feature.0005.4.html
- "Practice Brief: A HIPAA Privacy Checklist," at www.ahima.org; click the "resources" link, then "practice briefs"-published in June 2001
- "Performing a Baseline Security Assessment," an outline of a 2000 HIPAA conference presentation by Jayne Lawson, RHIA, at www.ahima.org/hipaa/handouts/info.security.lawson.html-although the title indicates a focus on information security (versus privacy), readers will find many good ideas to include in a privacy risk assessment
The Computer-based Patient Record Institute (CPRI) has a number of resources on privacy risk assessment, including new software. CPRI-HOST HIPAA Privacy and Security Assistant is a software tool to help organizations identify what they will need to do to prepare for HIPAA compliance. Information about the tool is available from CPRI-HOST.
Privacy and American Business - www.pandab.org
This association sponsors educational programs on business privacy topics, including conducting a privacy risk assessment. The association is not limited to healthcare and includes privacy officers from all types of business sectors.
WEDI - www.wedi.org
The Workgroup on Electronic Data Interchange also has information that will be of assistance in assessing privacy-related risks. Security Summit Guidelines, a document outlining key steps in assessing privacy and information security, is available at www.wedi.org/public/articles/HSSGuidelines.doc. This document focuses primarily on HIPAA's draft security requirements, but several sections are useful for privacy risk assessment and gap analysis.
Apple, Gordon, and Mary Brandt. "Ready, Set, Assess! An Action Plan for Conducting a HIPAA Privacy Risk Assessment," Journal of the American Health Information Management Association, June 2001. Also available at the AHIMA Web site at www.ahima.org/journal/features/feature.0105.1.htm.
Dennis, Jill Callahan. Privacy and Confidentiality of Health Information. San Francisco: Jossey-Bass Publishing, Inc., 2000. Chapter three and the appendix describe an approach to doing a risk assessment.
Grove, Tom. "Planning a Successful HIPAA Implementation." Advance for Health Information Professionals Online. Available at www.advanceforhim.com/pastarticles/mar26_01cover.html.
Jill Callahan Dennis is a principal of Health Risk Advantage, a Colorado-based risk management consulting firm. Jill provides risk management and health information management-related consultation to healthcare organizations and liability insurers nationwide. She served as chair of AHIMA's Legislative Committee in 1999 and 2000, two years in which the committee was focused on privacy-related legislation and regulation. She also chaired the Confidentiality Toolkit task force of the American Society for Healthcare Risk Management. She has a law degree from Loyola University of Chicago, a master's degree in administration from Central Michigan University, and a bachelor of science in medical record administration from Ferris State University. Jill is the author of the health law chapter of Health Information: Management of a Strategic Resource, published by W.B. Saunders, and of Privacy and Confidentiality of Health Information, published by Jossey-Bass Publishing, Inc. and AHA Press. She also is the author of one of the modules in AHIMA's Web-based training program on privacy. She is a frequent speaker on HIPAA implementation issues for healthcare organizations.
Source: AHIMA Convention Proceedings, October 2001