Gastroenterology Coding Alert

Patient Privacy:

Solid Risk Analyses Can Protect Your Practice from Fines, Accusations

Find out how to avoid this gastroenterologist’s fate by understanding the steps you must take.

Has your gastroenterology practice ever performed a risk analysis? If not, you could be flushing a six-figure check down the drain. That’s how much money one GI physician had to pay to the Office of Civil Rights (OCR) after the government determined he didn’t implement adequate security measures.

Background: On March 3, the Department of Health and Human Services (HHS) announced that a Utah gastroenterologist had agreed to pay $100,000 to settle a potential violation of the HIPAA rule. The practice had filed a breach report with the OCR following a dispute with a business associate, but during an investigation, the OCR found that the practice had never performed a risk analysis following the breach, nor did the gastroenterologist implement security measures that would allow him to reduce his future risks and vulnerabilities.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino in a news release about the settlement. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” he said.

Here’s How to Avoid That Physician’s Fate

Risk analysis “is one of four required implementation specifications” in the Security Rule, HHS says. Practices are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

Although the HIPAA Security Rule does not specifically mandate how you must perform the risk analysis, both CMS and OCR offer the following steps as a template to develop your own process.

1. Identify the scope: Your risk analysis should encompass all the potential risks and vulnerabilities to all the protected health information (PHI) that your practice creates, receives, maintains, or transmits. This includes all PHI and electronic PHI (ePHI) in all forms of media, which can include paper documents, CDs, hard drives, mobile devices, transmission media, electronic storage media, and much more.

2. Gather data: Begin compiling data on where you store, receive, maintain, or transmit PHI. You may need to look at more than a single department — check out any data exchanges between vendors and business associates, as well as any PHI in different physical locations or electronic media. Also, you must document how, when, and what data-gathering activities you performed.

3. Identify and document potential threats and vulnerabilities: You’re not looking for any and all conceivable threats, but instead you should identify and document all “reasonably anticipated” threats. Examine threats based on these categories:

  • Natural — Floods, earthquakes, tornadoes, landslides
  • Human — Intentional or unintentional actions (e.g., unauthorized access to the ePHI network and computer-based attacks, malicious software upload, inadvertent data entry or deletion, inaccurate data entry)
  • Environmental — Power failures, pollution, chemicals, liquid leakage

4. Assess current security measures: Compare your existing security measures with the potential threats and vulnerabilities you’ve identified. Evaluate all your security measures (technical and non-technical), such as your access controls, authentication, encryption methods, automatic logoff, and audit controls, as well as your policies, procedures, guidelines, accountability, and responsibility, and physical and environmental security measures.

5. Determine the likelihood of threat occurrence: Weigh the probability that a threat will trigger or exploit a particular vulnerability, and then estimate the potential impact on your organization. Categorize each specific threat as “high likelihood,” “medium likelihood,” or “low likelihood.” Use your determinations to create a list prioritizing your risk mitigation efforts.

6. Determine the potential impact of threat occurrence: Estimate the possible threat’s potential outcome or impact. This may include unauthorized access to or disclosure of ePHI; permanent loss or corruption of ePHI; temporary loss or unavailability of ePHI; loss of physical assets; or loss of cash flow. Similar to ranking likelihood, organize the potential impacts as “low,” “medium,” and “high.”

7. Determine the level of risk: Cross-reference the likelihood rankings with the potential impacts to determine your risk level for each identified threat. Risk ranking helps you to prioritize mitigation activities — meaning, what you should fix first. Look at any potential threats that rank “high” on both the likelihood and impact scales.

8. Identify security measures and finalize documentation: Beginning with the highest-risk items, identify the security measures necessary to manage the risk. When evaluating appropriate security measures, consider their:

  • Effectiveness;
  • Related legislative or regulatory requirements for implementation; and
  • Relation to your own organization’s policies and procedures.
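The eight steps above amount to building a risk register and ranking each entry by likelihood and impact. The following script is an added example written for this article, not a tool from CMS, OCR, or the practice described; the 3x3 scoring matrix, the score thresholds for “low,” “medium,” and “high” risk, and the sample register entries are all assumptions constructed for illustration. It records the threat category (step 3), the asset holding the ePHI (steps 1 and 2), existing controls (step 4), likelihood and impact rankings (steps 5 and 6), cross-references them into a risk level (step 7), and emits report lines for the written documentation (step 8), flagging the threats that rank high on both scales as the ones to fix first.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """The three-point scale the article uses for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Threat:
    """One row of the risk register (hypothetical structure, not an OCR form)."""
    name: str
    category: str                 # "Natural", "Human" or "Environmental" (step 3)
    asset: str                    # where the ePHI lives (steps 1 and 2)
    likelihood: Level             # step 5
    impact: Level                 # step 6
    existing_controls: list[str] = field(default_factory=list)  # step 4
    planned_measures: list[str] = field(default_factory=list)   # step 8


def risk_score(t: Threat) -> int:
    """Cross-reference likelihood and impact (step 7): a 3x3 matrix gives 1..9."""
    return int(t.likelihood) * int(t.impact)


def risk_level(t: Threat) -> str:
    """Bucket the score into the same low/medium/high vocabulary.
    Thresholds (score >= 6 is high, >= 3 is medium) are an assumption of this example."""
    score = risk_score(t)
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def fix_first(register: list[Threat]) -> list[Threat]:
    """Threats ranked high on BOTH scales, which the article says to address first."""
    return [t for t in register
            if t.likelihood == Level.HIGH and t.impact == Level.HIGH]


def prioritize(register: list[Threat]) -> list[Threat]:
    """Order mitigation work: highest score first, higher likelihood breaks ties."""
    return sorted(register,
                  key=lambda t: (risk_score(t), int(t.likelihood)),
                  reverse=True)


def report(register: list[Threat]) -> list[str]:
    """Lines for the written risk analysis report the Security Rule requires."""
    lines = []
    for t in prioritize(register):
        lines.append(
            f"{risk_level(t):6} (likelihood={t.likelihood.name}, impact={t.impact.name}) "
            f"{t.name} [{t.category}; {t.asset}] "
            f"controls={t.existing_controls or 'none documented'} "
            f"planned={t.planned_measures or 'TBD'}"
        )
    return lines


# Constructed sample register for a small practice; every value is illustrative.
SAMPLE_REGISTER = [
    Threat("Lost or stolen unencrypted laptop", "Human",
           "clinician laptops with EHR access", Level.HIGH, Level.HIGH,
           ["screen lock"], ["full-disk encryption", "remote wipe"]),
    Threat("Malware delivered by email attachment", "Human",
           "front-desk workstations", Level.MEDIUM, Level.HIGH,
           ["antivirus"], ["attachment filtering", "staff training"]),
    Threat("Inaccurate or inadvertent data entry", "Human",
           "EHR database", Level.MEDIUM, Level.MEDIUM,
           ["audit logging"], ["field validation"]),
    Threat("Flood in records storage room", "Natural",
           "paper charts and backup drives", Level.LOW, Level.HIGH,
           [], ["off-site encrypted backups"]),
    Threat("Power failure at the front desk", "Environmental",
           "scheduling workstation", Level.MEDIUM, Level.LOW,
           ["UPS"], []),
]


if __name__ == "__main__":
    print("Fix first:", [t.name for t in fix_first(SAMPLE_REGISTER)])
    print("\n".join(report(SAMPLE_REGISTER)))
```

Because the register is plain data, the same functions can be re-run after each change to the practice’s environment, which is what turns a one-time assessment into the ongoing risk management plan OCR faulted the practice for lacking.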

Although the HIPAA Security Rule requires that you document the risk analysis, it doesn’t provide or require a specific format.

Try this: You can create a risk analysis report to document your process, the output of each step and your initial identification of security measures, CMS suggests. “The risk analysis needs to clearly relate to your own practice, and a small practice with limited use of electronic PHI would look much simpler relative to a large multisite medical group,” said Glenn D. Littenberg, MD, MACP, FASGE, AGAF, a gastroenterologist and former CPT® Editorial Panel member in Pasadena, California.

“Much of this burden shifts to entities that host data on their clouds, but the practice still has to look at how it uses PHI in any electronic form and that there are security rules and processes, such as what to do in case of breach,” Littenberg said.

Resource: To read an analysis of this gastroenterologist’s case from the OCR, visit www.hhs.gov/about/news/2020/03/03/health-care-provider-pays-100000-settlement-ocr-failing-implement-hipaa.html.