Within the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are probably the federal laws that first come to mind when speaking of regulation. Thankfully, while the published guidance from the U.S. Department of Health and Human Services (HHS) isn't always perfectly clear, it does lay a helpful foundation for covered entities as to what the government expects.
The risk analysis requirement is codified at 45 C.F.R. § 164.308(a)(1)(ii)(A), part of the Security Rule's administrative safeguards. The latest guidance works through that portion of the federal code and specifies the elements a risk analysis should cover: scope (all ePHI, regardless of medium, source, or manner of creation, receipt, maintenance, or transmission), methods of data collection and retention, identification and documentation of threats and vulnerabilities, and so on. It is worth noting that the Office for Civil Rights (OCR), which enforces HIPAA and HITECH compliance, treats "risk analysis" and "risk assessment" as the same activity within that guidance.
While OCR provides few clear-cut parameters, it does point to several frameworks with which to guide a risk analysis. The Security Rule Educational Paper Series ("Security Series") available through the HHS website better delineates the tools and methodology available for risk management as a whole, and HHS itself relies on publications from the National Institute of Standards and Technology (NIST). NIST even offers a HIPAA Security Rule Toolkit to aid in compliance efforts.
MACRA & MIPS
The Centers for Medicare & Medicaid Services (CMS) applies the risk analysis criteria of the Medicare Access and CHIP Reauthorization Act (MACRA) and the Merit-based Incentive Payment System (MIPS) in conjunction with HIPAA, since many healthcare providers and organizations accept Medicare and Medicaid. Like its sister agency under HHS, CMS relies on much of the same government-provided guidance and resources regarding risk analysis as OCR. This allows those tasked with risk management to reuse a single analysis to cover both CMS and OCR requirements.
The guidance published by CMS largely reiterates that published by OCR; many, if not most, of its documents cite directly back to OCR. One difference worth noting is that CMS's official guidance on the topic provides quick bullet points summarizing the information needed to conduct a risk analysis. It also dispels common myths to spare healthcare organizations wasted time and energy, with helpful reminders such as: risk analysis is mandatory even for small providers, organizations do not have to outsource the risk analysis, and there is no single prescribed risk analysis procedure that must be followed.
The Joint Commission
Specializing in accreditation for a wide range of healthcare-related organizations, such as ambulatory healthcare, imaging centers, and urgent care, The Joint Commission certifies entities that demonstrate care and commitment in meeting its performance standards. Accreditation can lower liability insurance rates and build public goodwill, and the accreditation regimen itself helps an organization safeguard patient information and adhere to government regulation. Risk analysis rubrics from non-profits such as The Joint Commission can therefore help address information safeguards across the board.
In keeping with the federal agencies mentioned above, The Joint Commission does not prescribe how a risk analysis must be completed. The Leadership chapter of the organization's accreditation manual does, however, provide examples of a risk assessment model. Unlike the guidance provided by HHS, though, these manuals (one for each type of healthcare-related entity) require payment to access. So although the information within may be valuable, it is difficult to use as a resource unless it has been appropriately budgeted for.