Touchstone Compliance

HIPAA Risk Assessment: Lessons from General Motors

For healthcare providers who have been putting off a risk assessment and a mitigation plan, Mary Barra, the CEO of General Motors, could make a compelling case against that kind of procrastination. If, a decade earlier, GM had identified the ignition-switch defect that made last year's headlines as potentially deadly and fixed it then, it could have saved at least 13 lives, avoided $35 million in government fines and untold millions more in civil lawsuits, made the recall of 2.6 million vehicles unnecessary, and spared its CEO all those public apologies.

The risky business of healthcare

Every industry has risks to deal with, and healthcare is no different. A few of my previous posts have talked about how important it is for a healthcare practice to identify potential risks to Protected Health Information (PHI). Those risks can be grouped as natural (floods, earthquakes, etc.), environmental (power failures, burst pipes, chemicals), unintentional (someone accidentally hits "Delete" or makes a mistake entering data), and human (cyber attacks, malicious software uploads, and unauthorized access). In those posts I focused mainly on human threats to electronic PHI (ePHI), but a full risk assessment takes all four groups into account.

OK. So you and/or your Security Officer/Privacy Officer have sat down and identified the risks your practice's PHI could face. For each one you have rated the likelihood (high/medium/low) that it will occur and, separately, the potential impact (high/medium/low) it would have on your patients' information and on your practice.

You’ve been careful to put all of this in writing, knowing that documenting your risk assessment is a key requirement for HIPAA compliance. This risk assessment will be your guide in deciding which risks to address first, second, and so on.

Then what?

Next step: a mitigation plan

It’s not enough to simply identify problem and potential-problem areas. HIPAA compliance also requires that you have plans in place detailing steps you’re taking or will take to address the risks you’ve identified.

When it comes to mitigating a risk, there may be several options with differing costs and levels of effectiveness. Your plan needs to describe how each mitigating action will be completed, who is responsible for it, the resources (human or material) required to do the job, and the estimated date when it will be done. Not all risks can be 100% mitigated, and lawmakers understand this: HIPAA requires that you do what is "reasonable and appropriate." Where you decide to accept a residual risk, write down that decision and the reason for it, so the next reviewer can see it was a choice rather than an oversight.

In these blogs I always try to make abstract ideas concrete, to turn the legalese of HIPAA compliance into a practical “how-to.” So in that spirit, here’s an example of what a section of a mitigation plan might look like and include:

Risk: The office sits on the San Andreas Fault. In the event of a major quake, our computers could be destroyed and PHI lost.

Mitigation: At the end of this month we will begin implementing a cloud storage solution for ePHI with Clouds 'R Us, under a signed business associate agreement.

Risk: The fax machine is in an unlocked room anyone can access.

Mitigation: We have contracted with a locksmith to install a deadbolt tomorrow, and have put our office manager, Dolores Deutsch, in charge of the key.

Risk: We are still using Windows XP, an operating system Microsoft no longer supports.

Mitigation: Within 30 days we will transition all our office computers to the latest version of Windows.
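As an added illustration (not from the original post or from Touchstone Compliance), here is a small Python risk register that turns the assessment and mitigation plan described above into something that can be scored, ranked and re-reviewed. The numeric weights for high/medium/low, the owner and resource fields, and the dates are assumptions; the fourth, unmitigated risk is constructed to show how a gap surfaces at review time.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Qualitative scale from the assessment step. The numeric weights are an
# assumption used only to order the register; HIPAA prescribes no scoring scheme.
LEVELS = {"low": 1, "medium": 2, "high": 3}
CATEGORIES = {"natural", "environmental", "unintentional", "human"}

# Constructed dates for the sample register (assumption, not from the post).
ASSESSMENT_DATE = date(2015, 1, 15)   # day the assessment was written
REVIEW_DATE = date(2015, 3, 1)        # a later periodic review


@dataclass
class Mitigation:
    action: str                       # what will be done
    owner: str                        # who is responsible
    resources: str                    # people or material required
    due: date                         # estimated completion date
    completed: Optional[date] = None  # set when the action is actually done

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.due


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: str
    impact: str
    mitigations: List[Mitigation] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject entries that would silently sort wrong or fall outside the taxonomy.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{self.risk_id}: {name} must be one of {sorted(LEVELS)}")

    def score(self) -> int:
        """Likelihood x impact, 1..9; this decides 'first, second, and so on'."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by id so the order is reproducible."""
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))


def open_findings(risks: List[Risk], today: date) -> List[Tuple[str, str]]:
    """Everything a reviewer must act on: risks with no documented mitigation,
    and mitigations that passed their estimated date without being completed."""
    findings = []
    for r in risks:
        if not r.mitigations:
            findings.append((r.risk_id, "no mitigation documented"))
            continue
        for m in r.mitigations:
            if m.is_overdue(today):
                findings.append((r.risk_id, f"overdue: {m.action} (due {m.due.isoformat()})"))
    return findings


def build_sample_register() -> List[Risk]:
    """The three risks from the post plus one constructed, unmitigated entry."""
    return [
        Risk("R1", "natural", "Office sits on the San Andreas Fault; a quake could destroy computers and PHI",
             "medium", "high",
             [Mitigation("Implement cloud storage for ePHI with Clouds 'R Us",
                         "Security Officer", "vendor contract, migration time", date(2015, 1, 31))]),
        Risk("R2", "human", "Fax machine is in an unlocked room anyone can access",
             "high", "medium",
             [Mitigation("Install deadbolt; office manager holds the key",
                         "Dolores Deutsch", "locksmith", date(2015, 1, 16), completed=date(2015, 1, 16))]),
        Risk("R3", "human", "Workstations still run Windows XP, which Microsoft no longer supports",
             "high", "high",
             [Mitigation("Upgrade all office computers to the current Windows release",
                         "IT contractor", "licenses, 30 days of staff time", date(2015, 2, 14))]),
        Risk("R4", "unintentional", "Staff may delete or mis-enter patient records (constructed)",
             "medium", "medium"),
    ]


if __name__ == "__main__":
    register = prioritize(build_sample_register())
    for r in register:
        print(f"{r.risk_id} score={r.score()} {r.description}")
    for risk_id, reason in open_findings(register, REVIEW_DATE):
        print(f"ACTION {risk_id}: {reason}")
```

Run at the assessment date, the only finding is the risk with no mitigation on file; run again at the review date, the two mitigations that slipped past their estimated dates are flagged too, which is exactly the "regularly reviewed" check the post asks for.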

HIPAA compliance is a process

Your risk assessment and mitigation plan both need to be reviewed regularly and updated whenever your practice, your systems or your threats change. Neither is a one-shot deal. When they are done right and routinely, HIPAA compliance can come to mean "never having to say you're sorry."

