HIPAA 2020: Resolutions for the New Year

If you are a covered entity or business associate planning for HIPAA 2020, you can start or supplement the planning process by composing a list that is very popular come the end of each year – a New Year’s resolution list. A HIPAA 2020 New Year’s Resolution List can contain items that will make completion of the list something manageable, as opposed to a chore, or a bore. Some HIPAA 2020 resolutions are discussed below.

What are Some HIPAA 2020 Resolutions?

New Year’s resolutions can consist of items one looks forward to completing or doing (e.g., “fun” items), items one has been putting off doing, and items one needs to do for the sake of one’s health – personal or economic.


An announcement to the effect that HIPAA will be abolished when the clock strikes midnight on January 1, 2020 might lead one to create some “fun” HIPAA 2020 resolutions – resolutions that include:

  • Resolve to forget about HIPAA training; it is no longer needed
  • Don’t worry about completing that security risk analysis – you no longer need to do it
  • Don’t worry about how secure your filing cabinets are – PHI no longer is a “thing!”

Sadly, trying to make these resolutions happen is not realistic. HIPAA, in fact, remains the law of the land as we go into 2020. Instead of trying to ignore HIPAA, or wishing that it magically disappears, your organization – whether you are a covered entity or a business associate – can make resolutions consisting of achievable, measurable goals that address specific aspects of your privacy and security compliance programs.

To that end, here are some practical, focused, and achievable HIPAA 2020 resolutions:

HIPAA 2020 Resolution #1: Conduct a Security Risk Analysis

The grist for the mill that is New Year’s resolutions comes from what did and did not work in the previous year. In 2019, security risk analyses “did not work” for many covered entities and business associates. 

Under the HIPAA Security Rule, performing a security risk analysis is required. Despite this black-letter requirement, a number of organizations that were fined for data breaches had not performed a security risk analysis, which, in turn, contributed to the breach.

Note that this particular resolution is another “r” word as well – it is a requirement. The Administrative Safeguards provisions in the Security Rule require covered entities and business associates to perform risk analysis as part of their security management processes.

HIPAA 2020 Resolution #2: Develop a Risk Management Plan

The HIPAA Security Rule requires covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-related transaction) and business associates to implement policies and procedures to prevent, detect, contain, and correct security violations.

One of the policies that must be implemented is a HIPAA risk management policy. A risk management policy is a required administrative safeguard under the HIPAA Security Rule.

HIPAA Risk Management Concepts – Vulnerabilities, Threats, and Risks

To understand what HIPAA risk management is, the following three terms must be understood: 

      • Vulnerabilities
      • Threats
      • Risks

Vulnerabilities are weaknesses or gaps in an organization’s security program that can be exploited to gain unauthorized access to ePHI. An example of a vulnerability is not having your data encrypted. 

Threats are things that can exploit these vulnerabilities and damage or destroy ePHI. Threats include malware, phishing schemes, and viruses.

Risk is the potential for damage or destruction to ePHI as a result of a threat exploiting a vulnerability.

The three terms can now be put together in a single sentence: If your data is not encrypted (a vulnerability), there is a risk your ePHI may be damaged as a result of a malware attack (a threat).

Risk Management Probability and Impact

Every risk has both a probability and an impact.

Risk probability is the chance, or likelihood, of a risk occurring. Risk impact is the cost, or damage incurred by a risk, if the risk occurs. 

Take the example of attending a baseball game. A spectator at the game runs the risk that he or she will spill a beer that he or she purchased. The probability of the risk is not non-existent (especially if the beer buyer is sitting in a full row and there is only a short distance between the person’s shoes and the end of the step the person is sitting on).

While the probability of the beer spilling isn’t insignificant (let’s call it 10%), the impact – the cost or damage – is not that high. The person who bought the beer will have to purchase another and someone will have to clean the spill.

Let’s slightly change the facts. A foul ball strikes our beer-buyer, hitting him or her in the arm, and causing the beer to spill in the process. The probability of this chain of events actually occurring is pretty low – let’s say, less than one percent. The impact or cost, however, can be significant. As before, costs can include cleaning costs and the costs of a replacement beer. The costs in the foul ball victim hypothetical can be much greater. That person, as a result of being hit in the arm, may break his or her arm. The costs of a broken arm can include surgery and medication, and can also include intangible costs, such as pain and the inability to use the arm for a period of time.   

Putting it All Together

A HIPAA risk management plan should contain a risk analysis and a risk mitigation strategy.

The risk analysis is a listing of likely and unlikely risks, with both high and low impacts. In the analysis, risks with both the highest probabilities AND the highest impact are ranked highest on the list, while risks with the lowest probabilities and impacts are ranked lowest (at the bottom). 

The HIPAA risk management plan should contain a mitigation (or loss prevention) strategy for each item ranked on the list. A mitigation strategy is a series of steps designed to limit the probability and impact of the risk. If the risk to be guarded against is, for example, a malware attack, the mitigation strategy should contain steps designed to minimize the likelihood and impact of the attack.

Once you develop a HIPAA risk management plan, you should share and review the plan with the appropriate employees, so that they will know what is required on their part to successfully implement the plan. You should also periodically review your HIPAA risk management plan to prevent its becoming stale and not reflective of actual risks and costs.
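The ranking and per-item mitigation rules described above, as an added example that is not part of the original article: each register entry pairs a vulnerability with the threat that could exploit it, the score is probability times impact (expected loss), entries are ranked with the highest score at the top, every ranked item must carry a mitigation strategy, and a plan that has not been reviewed within a year is flagged as stale. The register entries, dollar figures and review window are constructed values, not figures from the article.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Risk:
    vulnerability: str          # weakness or gap that could be exploited
    threat: str                 # what could exploit the vulnerability
    probability: float          # likelihood of occurrence, 0.0 to 1.0
    impact: float               # estimated cost if it occurs (constructed, in dollars)
    mitigation: list = field(default_factory=list)  # steps that cut probability or impact

    def score(self) -> float:
        """Expected loss: probability times impact."""
        return self.probability * self.impact


def rank_risks(risks: list) -> list:
    """Highest probability AND impact first; lowest combination at the bottom."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def missing_mitigations(risks: list) -> list:
    """Names of ranked items that still lack a mitigation strategy."""
    return [r.vulnerability for r in risks if not r.mitigation]


def plan_is_stale(last_reviewed: date, today: date, max_age_days: int = 365) -> bool:
    """True when the plan has gone longer than max_age_days without review."""
    return (today - last_reviewed).days > max_age_days


# Constructed sample register (hypothetical entries, not from the article)
REGISTER = [
    Risk("Laptops store ePHI unencrypted", "lost or stolen laptop", 0.10, 500_000,
         ["enable full-disk encryption", "enforce automatic screen lock"]),
    Risk("No phishing awareness training", "phishing e-mail", 0.30, 200_000,
         ["annual workforce training", "inbound mail filtering"]),
    Risk("Backups never restore-tested", "ransomware", 0.05, 2_000_000),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score():>10,.0f}  {r.threat} -> {r.vulnerability}")
    print("items missing a mitigation strategy:", missing_mitigations(REGISTER))
    print("plan stale:", plan_is_stale(date(2018, 12, 1), date(2020, 1, 1)))
```

The low-probability, high-impact ransomware entry lands at the top of the ranking, mirroring the foul-ball case above, and the check reports that it has no mitigation strategy yet.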

HIPAA 2020 Resolution #3: Review Existing Business Associate Agreements

As 2020 begins, covered entities should resolve to review each of their vendor partnership arrangements. This process consists of ensuring that signed, properly worded business associate agreements are in place with each vendor or business associate whose job functions involve coming into contact with ePHI. Reviewing these agreements is not a “one and done” task. Since agreements contain different effective dates and end dates, the agreement should be regularly reviewed in the remaining months of 2020 to make sure the agreements remain in force. Review of agreements will alert you to when an agreement has expired, so that it can be renewed, if appropriate.