The Department of Health and Human Services (HHS), the State Attorneys General (State AGs), and the Federal Trade Commission (FTC), as well as plaintiffs’ attorneys, are more concerned than ever regarding data breaches, particularly due to cyberattacks. In 2019, HHS, the State AGs, and the FTC all settled cases related to data security. Notably, in 2018, HHS announced the largest settlement to date for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) in what it described as “the largest U.S. health data breach in history.” On October 15, 2018, the Office for Civil Rights (OCR), the agency within the Department of Health and Human Services responsible for civil enforcement of HIPAA, announced that Anthem, Inc., had agreed to pay OCR $16 million to settle potential HIPAA violations “after a series of cyberattacks exposed the electronic protected health information [ePHI] of almost 79 million people.” In addition to the breach of ePHI, OCR also highlighted Anthem’s failure to conduct an enterprise-wide risk analysis.
When HIPAA covered entities and business associates try to decide how to invest their limited compliance resources on data security, they often ask: What is the most often-cited potential violation of the HIPAA Rules? Importantly, the answer is risk analysis. This is an exercise that’s often referred to as a “risk assessment” in other sectors of the U.S. economy. While the Anthem breach and settlement were the largest to date, failure to conduct an enterprise-wide risk analysis is a potential violation that is present in more than 80% of the HIPAA Security Rule cases in which OCR enters into settlement agreement or issues a civil money penalty. It’s critical that HIPAA covered entities and their business associates understand the HIPAA Security Rule’s requirement regarding risk analysis, and how to invest in the best possible risk analysis, not only to protect against legal risks but also to be good data stewards and ensure the reasonable and appropriate security safeguards for sensitive personal information.
The HIPAA Security Rule requires, as a foundational administrative safeguard for ePHI, that HIPAA covered entities and their business associates (as defined by the HIPAA Rules) undertake a comprehensive and enterprise-wide analysis of the risks, including threats and vulnerabilities, to all of the ePHI they hold. The requirement is essential for purposes of identifying all of an entity’s ePHI and the risks to it, including those associated with any cyber security threats or vulnerabilities that could be exploited by cyber security threat vectors or attackers.
What Does the Law Require?
This requirement is fairly straightforward; that is, HIPAA covered entities and their business associates must identify:
- the ePHI they hold, including through data inventories, mappings, and flows;
- the threats to and vulnerabilities of the ePHI, given the people, entities, and assets that create, access, maintain, and transmit such ePHI, including systems, applications, devices, workforce members, and partners; and
- the likelihood that such threats or vulnerabilities could be exploited, which is the risk to such ePHI.
Essentially, this means that HIPAA covered entities and their business associates should understand where their ePHI is throughout its lifecycle (creation to maintenance to destruction) and what the risks (including cyber security threats or vulnerabilities that could be exploited by cyber threat vectors or attackers) to it are given where it is created, accessed, maintained, and transmitted until it is destroyed.
If a HIPAA covered entity or business associate does not identify all the places where ePHI “lives,” and the risks to such ePHI in those places, then it cannot sufficiently protect the ePHI against threats or exploitation of vulnerabilities, which will very likely result in a breach.
A Gap Analysis Does Not Suffice!
HIPAA covered entities and their business associates often have misunderstood this requirement to be an audit or gap analysis, and instead of analyzing the risk to the ePHI, they assess the gaps in their enterprise policies, procedures, and practices against the requirements of the HIPAA Security Rule or another cyber security framework, such as the NIST Cyber Security Framework. Such a gap analysis or audit is also a helpful exercise, and required by the Evaluation requirement of the HIPAA Security Rule at 45 C.F.R. § 164.308(a)(8), but it is not a risk analysis.
OCR’s April 2018 Cyber Security Newsletter focused specifically on this issue, and highlighted the differences between what OCR considers a comprehensive, enterprise-wide risk analysis versus a gap analysis for purposes of compliance with the HIPAA Security Rule. OCR notes that, in brief, a “risk analysis is a comprehensive evaluation of [a covered entity or business associate’s] enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI.” In contrast, a “gap analysis is typically a narrowed examination…to assess whether certain controls or safeguards required by the Security Rule are implemented.”
The April 2018 Cyber Security Newsletter then goes on to outline the elements of a risk analysis, particularly as explained further in NIST Special Publication 800-30:
- a comprehensive scope;
- identification of all locations and systems where ePHI is “created, received, maintained, or transmitted;”
- identification of threats and vulnerabilities (both technical and non-technical);
- assessment of current security measures;
- determination of likelihood and impact; determination of the resulting level of risk;
- documentation of all elements; and
- revisions and updates.
Finally, the April 2018 Cyber Security Newsletter provides an example of a typical gap analysis, which would not comply with the requirements of the HIPAA Security Rule with regard to a risk analysis; the example table included starts with a column on the left that includes specific requirements of and citations to the HIPAA Security Rule, then moves across the page to the right to include a description of specific requirement and assessments of whether a particular entity has fully implemented the requirement cited. Again, while such an exercise is helpful for an entity to determine whether it has, in fact, implemented the requirements of the HIPAA Security Rule, or another law or framework, such an audit or analysis does not accurately reflect the risks to the ePHI in the entity’s enterprise, particularly given that there is no assessment of such risk anywhere in the audit or analysis.
As such, it’s important for HIPAA covered entities and business associates to ask the right questions of either their internal staff or their vendors (business associates or subcontractor business associates, respectively) to get a good risk analysis, and those questions should include:
- How will we ensure that we understand where all of our ePHI “lives”; in other words, how will we track all of our ePHI from creation to maintenance to destruction, including with our vendors?
- How will we develop asset inventories, system mappings, and data flows to reflect our ePHI lifecycle?
- What types of threats and vulnerabilities (both technical and non-technical) will we consider as part of the risk analysis?
- How will we assess our current security measures, so that we can understand what risks remain to the ePHI?
- How will we determine likelihood and impact, particularly given our current security measures, and determine the resulting level of risk?
- What will our documentation of the risks look like?
- How will we take this information and use it to develop our risk management plan?
Regulators Will Continue to Assess These Violations
On December 30, 2019, OCR announced its final settlement of 2019, with West Georgia Ambulance, Inc. for “Longstanding HIPAA Noncompliance.” The first potential violation cited in this resolution agreement is, you guessed it, risk analysis. OCR will look at this issue in all security-related cases, whether those investigations are instigated by complaints, news reports, breach reports affecting a large number of individuals, or breach reports affecting fewer individuals.
HIPAA covered entities and business associates must prioritize risk analysis, not only because it’s good data governance and the first, and arguably most important, step to good cybersecurity, but also because it’s the largest legal risk for their organizations. And the bottom line is that if a HIPAA covered entity or business associate has undertaken a gap analysis, rather than a HIPAA-compliant risk analysis, while it may have correctly implemented some of the requirements of the HIPAA Security Rule, or correctly addressed the recommendations of another tool or framework, it still may have missed some of the ePHI in its enterprise, and, correspondingly, the risks to that ePHI, which is left unprotected and exploitable by cyber threats and attackers. As such, not only is that ePHI still at risk, HIPAA covered entities and business associates are subject to possible fines, and patients and beneficiaries are vulnerable. So, HIPAA covered entities and business associates should make sure they understand what is necessary for a HIPAA-compliant risk analysis, and should ask the right questions to make sure they get a risk analysis and not a gap analysis.
Iliana Peters is a shareholder at Polsinelli PC. Her practice focuses on helping clients develop and implement good data privacy and security practices to avoid risk, and helping clients prepare for and recover from emerging cyber threats. Before joining Polsinelli, she was Acting Deputy Director for HIPAA and health information privacy and security at HHS. For over a decade she both developed health information privacy and security policy, including on emerging technologies and cyber threats for HHS, and enforced HIPAA regulations through spearheading multi-million dollar settlement agreements and civil money penalties pursuant to HIPAA. As a CISSP, Iliana works hard to bridge the gap between legal requirements for the security of health data and security industry best practices, so that clients can better understand data security issues and jargon. Iliana notes that she is providing this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. The choice of a lawyer is an important decision and should not be based solely upon advertisements.
 See 45 C.F.R. § 164.308(a)(1)(ii)(A).