QUESTION: Our company sponsors a small insured health plan. We’ve heard that all health plans must do a risk analysis to comply with the HIPAA security rule. Is that true and, if so, just what is a risk analysis?
ANSWER: Yes, the HIPAA security rule requires a risk analysis, and there are no special rules that would exempt your plan from this requirement based on its size. Although the security rule does not apply to a health plan that has fewer than 50 participants and is self-administered by the employer that established and maintains the plan, this exception would not apply to your insured plan.
The HIPAA security rule describes a risk analysis as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” In this context, a “vulnerability” is a flaw or weakness in a security system that could be exploited (intentionally or accidentally) to breach security. “Risk” is determined by assessing both the likelihood that a particular vulnerability will be exploited and the extent of the resulting impact on the health plan.
In performing the risk analysis, it is important to remember that the HIPAA security rule applies only to electronic protected health information (PHI). Employers with insured plans may limit their compliance obligations by minimizing the amount of electronic PHI they create, receive, maintain, or transmit (e.g., by structuring their plan so that all individually identifiable information, such as claims data, is maintained exclusively by the insurer). Also, enrollment information created by the plan sponsor (e.g., when it administers open enrollment) does not constitute PHI since that information is not collected on behalf of the plan. Thus, the risk analysis for a small insured plan like yours can be much simpler than that for a large, self-insured plan where the sponsor performs administrative functions.
As the first step of your analysis, identify all hardware, software, facilities, workstations, and information systems used in storing, receiving, maintaining, or transmitting electronic PHI. You may be surprised at the amount of electronic PHI you have. Next, identify and assess security measures currently in place to protect the electronic PHI, noting specific vulnerabilities and risks. Finally, determine what, if any, additional security measures are needed to respond to the identified vulnerabilities and risks.
It’s particularly important to document each step of the risk analysis completely, including how the health plan reached its conclusions regarding vulnerabilities, risk assessment, and security measures. The security rule does not require perfect security, but in the event of a security breach, a health plan must be able to explain why its security measures were appropriate. Finally, keep in mind that good security is a process, not an event, so health plans should implement ongoing security assessment procedures and be prepared to revise security policies and tools as necessary to respond to changing conditions.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIII.F (“Applying the HIPAA Privacy and Security Rules to Group Health Plans and Their Sponsors”), XXIX.B (“What Information Is Protected and What Entities Must Comply?”) and XXX.B.1 (“Standard: Security Management Process”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 1/17/18).
Contributing Editors: EBIA Staff.