
HIPAA Risk Assessment with Vanessa Hillis
Show Notes
The following is a transcript of an interview.
Hey, it’s Dr. Kate Walker. Welcome to Step It Up Special Training. I’m super excited because I am going to talk to Vanessa Hillis. We will be doing a HIPAA risk assessment with Vanessa Hillis. They are a HIPAA Risk Assessor and I had been referring to them as a HIPAA auditor. So we are going to learn so much about HIPAA today and they’ve actually constructed their presentation just for it. It’s going to be geared toward counselors, mental health professionals, new professionals in the field. In fact, I asked them to please take out all the stuff that would pertain to hospitals and big organizations and things like that. Vanessa, thank you so much for coming.
What is HIPAA and what is its purpose?
I’m Vanessa Hillis, I work with They Them Consulting and my pronouns are they/them/theirs. I’m very excited to be here and thank you for this opportunity to share my knowledge with the world. That is one of my favorite things. Today’s presentation is about HIPAA risk assessment, the purpose and benefits. I’m going to do a little intro about who I am, what I’m going to talk about and then we’re going to go over a HIPAA overview and some details specific to mental health practitioners. Then, we’re going to get to the real fun stuff and talk about breaches, audits, and penalties. Lastly, we’ll jump into risk assessment and how you can improve your compliance and prevent these breaches, etcetera.
I work with a company called Cyber Compass. They Them Consulting is founded and owned by me. I am a trans, non-binary person and I’m based here in central Texas. I work with a team of trans and LGBT people, allies and members of the community. We are a safe space for LGBTQIA clients and consultants, and not just LGBTQIA clients, but that’s our niche. We specialize specifically in small practices and non-profit organizations. These groups are often neglected by vendors. Since I’ve worked in non-profits, I understand how difficult it is to find someone who really gets the price point and gets the budget restrictions around what it means to be a small business. I run a small business, I get it. We offer hard skills like HIPAA consulting and operations, cyber security and project management. I have a team member who does marketing and web design, etcetera, etcetera.
What is a HIPAA assessment?
I partner with a local to central Texas web developer who created a tool called Cyber Compass. This Cyber Compass tool allows me to conduct these HIPAA risk assessments cheaper, faster, and easier for you guys than if I were just going off of my own internal knowledge. This tool is basically like Turbo Tax but for compliance. It’s automated, it has all of the HIPAA information in it, it can walk you through a self-assessment or you can use it with an assessor. It’s not the only tool like this out there, but it’s the only tool I use, and it has me with it. It’s a great tool, it has a lot of great features.
What is HIPAA?
Let’s talk about HIPAA. It’s most people’s least favorite subject, it’s one of my favorite subjects. I love regulations, rules and compliance. And I love that what I do gives me the opportunity to get to know a bunch of different businesses, organizations and people, using the framework of HIPAA regulations. It helps me help you do better work and feel more confident about your cyber security position and your compliance position.
We’re going to the basics. HIPAA stands for The Health Insurance Portability and Accountability Act of 1996. It is a set of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge, as well as the preservation and accessibility of these records. This is administered at the federal level by the Office of Civil Rights, which signals that this is ultimately in place as a focus on patients’ rights. This is here to protect patients, protect their information, make sure they have access to their information, and protect people. At local levels, it’s administered and enforced by Health and Human Services at the state level, which we will look at.
HIPAA has two main components: it’s the Security Rule and HITECH Act, which is what we’re talking about mostly today. That’s where it addresses technological concerns, ePHI and Electronic Health Records, and the Security Rule is where the assessment mandate comes in. Then there’s the HIPAA original, which was just the Privacy Rule, and it focused on confidentiality and disclosure. In 2006, they introduced the Security Rule, or that’s when it became effective, and it applies to electronic information – hey, the internet exists, we should update our rules! And so they did.
What are the 3 rules of HIPAA?
When looking at HIPAA, there are three main areas of concern. They want to know about your administrative and operational safeguards. That includes things like written policies and procedures, communicated policies and procedures. They want to know what you do, how you do it, and where people learn how to do what they’re doing. If it’s not in writing, it doesn’t count. They also focus a lot on technological requirements. This includes password strength, firewalls, cyber security and computer updates.
Then there are the physical safeguards: you need to have locks on your doors and windows and some sort of security system. It also considers things like the physical positioning of monitors, the physical location of filing cabinets, where shredders are located, etcetera. When you go through a HIPAA Risk Assessment, a lot of questions start to feel really repetitive. It will ask basically the same thing about each of the safeguard areas. It will say, how do you lock this door? How do you lock your computer? Those are the three main safeguard areas; it’s a very expansive, wide-breadth regulation.
Now, the cyber security element, which is the scariest part for people. The HIPAA cyber security rules and best practices are no different than general cyber security best practices. It all comes down to this general concept in cyber security that is known as the CIA triad. The C stands for confidentiality, so you want to make sure access is limited to only approved parties. The I is integrity. Integrity in this one means that the information should be protected from unauthorized destruction or alteration, so you’re thinking of the integrity of the information itself. The information should stay as it is. And then A is the availability. Records should be accessible when needed.
What are some violations of HIPAA?
Part of HIPAA’s rules say that patients should have access to their records as requested and they should be able to transfer them to other care providers as requested. A doctor can’t hold patients’ files hostage rather than transferring their care to someone else, and patients are allowed to see their own records. Those records have to be available. Sometimes availability and integrity can get a little conflated. If something is destroyed, it’s no longer available. But there are a lot of other ways things can become inaccessible and unavailable. The records may still be confidential but you don’t have access to them. Maybe they exist on a hard drive that lives in somebody’s house and that person doesn’t work for you anymore, or they’re in a storage facility that you somehow lost access to. There are a lot of ways you can lose access to these records.
The Confidentiality, Integrity, and Availability is just a cybersecurity model and that, at the root, is what HIPAA is focused on.
How do you comply to HIPAA?
Let’s talk about the specific HIPAA rules around mental healthcare. Mental healthcare information is classified as especially sensitive medical information. This includes things such as domestic violence information, mental health, and substance abuse. This information poses an unusually high risk to the patient in the event of disclosure. If mental health information gets released about someone, they have the possibility of suffering discrimination, social stigma, and physical harm in the case of domestic violence information. HIPAA requires particular sensitive health information to be really, really protected. They really don’t want you to leak that or for it to get lost. As mental health providers, you will be held to a very high standard of security and protecting your patients’ files. We all care about these people and their records and their privacy. We all want to protect them. Let’s make it better. Let’s make it easier.
HIPAA classifies psychotherapy notes separately. A psychotherapy note per HIPAA, per the federal government, is a note recorded in any capacity, by any medium, by a mental health professional about the contents of a conversation during a counseling session. This is group counseling, family counseling, solo counseling, the notes you’re taking about that specific session. So this is distinguished from what would be considered the health record, which is things such as medication history, appointment frequency, diagnoses, anything that would be reported to insurance for billing or would be transitionable to another treatment provider in the course of treatment. These psychotherapy notes, if kept separate from the health record, are treated special and they have special rules. If they’re kept with the health record, they just count as the health record. You have to be sure to keep those separate if you’d like to treat them as special.
Who needs to be HIPAA compliant?
The special rules around these psychotherapy notes mean that they’re basically double, extra protected. There are certain types of health information that you’re allowed to transfer to other care providers in the course of treatment, potentially without even the patient’s explicit consent, as a way of helping improve treatment. Then there are certain types of information that general disclosures will cover, such as if the patient would like a partner or a family member to attend a session with them. But for something that exists within those psychotherapy notes to be shared with anyone, it has to have its own special, individual authorization form.
There are more stringent rules around making it explicit that the patient explicitly wants these psychotherapy notes shared in this capacity. We talked about that availability rule, that patients need to have access to their files. The medical file that you all have falls under that rule, but the psychotherapy notes have special exemptions where you can, at your discretion, withhold these files from a patient if you feel they would be harmful to the patient or could cause harm to others if the patient sees them. There are a lot of nuances that are specific to the healthcare industry.
How can a therapist be HIPAA compliant?
Most of you all are sole practitioners, work in really small practices or possibly new to practice. HIPAA is extremely intimidating. It’s complicated and it’s scary because there’s all of these rules and penalties. People aren’t there to assess your compliance and auditors, but you still have to do it. Even sole practitioners are required to comply with HIPAA standards if they transmit payment or treatment information electronically. So you might be like, I don’t take insurance, I don’t have to do it! You still do – most likely. There’s a very small chance that you do not transmit things electronically, but if you don’t now, then you probably will in the future. As soon as you do, you are suddenly supposed to be compliant with HIPAA. If you aren’t currently a covered entity or required to comply with HIPAA, you should still follow the HIPAA guidelines.
Kate: “I want to mention here one of the things I teach folks is House Bill 300, which is a state law that mimics HIPAA in every way. And then we also have, explicitly in our licensure law, it mentions HIPAA standards. So anybody out there who thinks they’re going to slide through an ‘I’m not covered’ loophole: No.”
Vanessa: “Nope.”
Cyber Compass specifically measures HIPAA compliance and talks about HIPAA, so that’s why I distinguish that. There is the state level Texas Medical Privacy Act, which removes the caveat about treatment information and says anyone collecting PHI has to follow HIPAA. Most states have something like this, but no matter what, it’s in your best interest to comply with these rules. Not only to prevent yourself from getting penalized but also to protect your information and to protect your patients’ information.
What is HIPAA compliance in counseling?
The good news is, even though you have to follow the HIPAA rules and be compliant with HIPAA, there is a lot of flexibility built into the regulation. This is because it’s one set of regulations that covers you and also that huge hospital down the street. It’s the same set of regulations. Health and Human Services doesn’t expect you to do the same things, spend the same amount of money or even a percentage of your budget on HIPAA compliance as it does for huge hospital systems. They use the term “reasonable and appropriate.” They expect you to scale your HIPAA compliance practices to what is reasonable and appropriate to your organization. There are several elements of HIPAA that have a lot of wiggle room, there are a few that are pretty specific. But there is a way to do it that is within your budget.
Breaches, audits, and penalties. It’s not fun. This is what we’re trying to avoid. First, what is a breach? A breach is an unauthorized use, access, or disclosure of this protected health information. It can be deliberate and malicious, or unintentional. If a breach occurs, it’s a big deal. Most people, when they think of a breach, they think of a data breach, they think of hackers. You’re more likely to experience a breach as a result of a larger software insecurity, from user error or accidental. There have been some recent popular stories about Microsoft Exchange servers getting compromised in 2021. Over the last couple of years, Microsoft has experienced several major cyber security flaws. Effectively that means a hacker isn’t just trying to hack you, they’ve hacked a larger system that you also use, like these HIPAA compliant softwares.
What are examples of HIPAA violations?
That’s one of the reasons why it’s so important to pick a good, HIPAA compliant software for things such as data collection. A hacker will attack the whole software and then they don’t just have access to you, they have access to the thousands or millions of users of that software. You may think, I’m a little fish, no one is looking for me. They are, and they also can catch you from other things. Also, you may think I’m a little fish, no one is looking for me, but they might be because health records are very valuable on the black market. If a credit card number is only worth a dollar on the dark web, a medical record is worth thousands, or hundreds. I could be wrong, but a lot more than a dollar because there’s so much information in there.
HIPAA has a breach notification rule. It says once you’re aware of a breach of your information, or reasonably should have been aware, which means you can’t just not pay attention because you are obligated to know what’s going on with your systems and your data. Once you’re aware of these things, you have 60 days to notify all affected patients of the breach, notify Health and Human Services, and notify local media. If more than 500 people have been affected, you have to notify local media. You also have to launch an investigation and conduct a new risk assessment right away in response to the known breach. It’s a really big deal when you have a data breach. There’s a lot that happens and you need to know this process.
What are the four conditions to be considered a HIPAA breach?
A breach is the most likely thing to trigger an audit of your org. Audits are conducted by Health and Human Services, or they can be called for by your state attorney general. Texas doesn’t have a very strong enforcement arm of the TMPA, so you’re more likely to get something triggered by HHS than by Texas, but that’s not better. It’s still an audit. You’ll be audited by Health and Human Services. Your chances of being randomly selected are very low. But if you experience a breach and report a breach, which you should do if breaches occur, your chances of being audited are almost 100%. You’re almost certainly going to be audited in response to your breach.
What happens during an audit? Audits can be digital audits or they can be desk audits. They can come into your place in person or they can send you a letter and accompanying emails and they can request digital transfers of files. They’re going to want all of your written policies and procedures, and your past six years of HIPAA records, including past risk assessment documentation. They want everything. They’re going to look at all of that and based on that and based on the breach itself and based on the violations you have and the cause of the breach, they’re very, very likely to result in penalties for any violations they find.
No one is 100% compliant. There’s no real way to be 100% safe and secure. It’s like with cyber security, a 100% safe computer is unplugged and doesn’t have a battery. You’re constantly engaging with risk as part of what we do, as part of this business, and as part of our lives. The goal is not really to be 100%. The goal is to be as secure as you can be and to constantly be considering and striving for compliance. You’re not going to have the same things in place that the big hospitals have. But you need to have a record that you are aware of your risk and compliance position and are working on it, in that constant process. You need to show that effort because these auditors have quite a lot of discretion in the way they classify these violations and the way they implement penalties.
So let’s talk about penalties and violations. The penalties for these violations – and again, violations could be deliberate or unintentional, it doesn’t really matter, they’re still violations. There could be monetary fines, which I have a whole slide about; employee sanctions, which means staff members could be fired or demoted; and there can be civil charges and criminal charges, so depending on the violation and the cause and the type, it can be anywhere from a year in jail to ten years in jail, but that’s if you’re a criminal, so don’t be criminals. Even lower level, tier one violations, where you didn’t know the violation was happening and you had reasonable cause not to know, you could still face jail time for that because you still should know – it’s still your responsibility. This is your information, it’s your responsibility to protect your patients.
How do you know if you are a HIPAA breach?
Kate: “I know a lot of counselors are quaking right now. You’re going to talk to us about how this yearly annual audit, personal audit, self-audit, is one of the ways you show that you know and you’re aware, right?”
Vanessa: “Yes. This is my strategy, I scare you, and then I show you how to not be scared.”
Now let’s look at financial penalties, these are fun too. Even the bare minimum of a violation penalty is $120 per day of violation. That’s for the low-level ones, up to $1.8 million for these willful neglect violations. Small, sole practices are very unlikely to be fined at the highest level because you have so many fewer patients, but even the little one is still a lot. We don’t want $30,000 of penalties for something that we can easily avoid. But, again, the auditors have a lot of discretion in how they classify things and how they implement penalties.
What happens if you break HIPAA?
Every breach and every audit does not result in a penalty. Every violation does not result in a penalty. There is room for the auditor’s discretion if you have the things in place that you should be doing, if you’re doing what you should be doing, because that’s what happens – you can’t control everything, right? If you’re doing what you should be doing and a breach happens anyway, you aren’t certain to be penalized. But you have to be able to show that you are doing what you’re supposed to be doing, that you’re really trying. You have to show the effort. You have to show that you’re working towards compliance, or that your heart is in the right place.
We just covered a lot of stuff, I wanted to pause in the middle to give myself a breathing break and also to see if there’s any questions about breaches, violations, penalties, or about HIPAA as a regulation on the whole, and bearing in mind that the next section we’re going to talk about is the risk assessment, requirement, process, what it looks like, what you’re supposed to get from it, and how to improve compliance, so let’s not ask question about that yet, but let’s talk about the other stuff.
Kate: “You’ve talked about two different kinds of information, PHI and sensitive information. So can you kind of clarify that for us?”
Is your PHI also covered by HIPAA?
PHI in general is just protected health information and it’s synonymous with EPHI, which just means electronic protected health information. So any medical information collected by a provider is PHI. Everything collected by counselors and mental healthcare professionals is sensitive. So everything you collect is especially sensitive and is held to a higher standard. So you all as counselors, as mental health providers, are held to a higher standard than the podiatrist down the street within the scope and scale of your work, within what is appropriate and reasonable. That information needs to be extra protected.
Kate: “I know you’ll probably cover this in a minute, BAA is – which types of software, the difference between using, I know we don’t have these anymore, phones with cords, what constitutes something that’s holding PHI versus something that’s not holding PHI? I think that’s where a lot of mental health small businesses – you’re going to probably cover all of that BAA stuff later.”
That’s a really good question and I don’t have a section digging really deeply into BAAs. A BAA is a Business Associate Agreement. Let’s say you have an office and you have a cleaning company that comes in and they come into your space and they clean around the desks and the desks have PHI on them, so those people have access to PHI. That’s a simple example of a business associate. You need an agreement in place with that business associate ensuring that they are HIPAA compliant as well. You’re HIPAA compliant, your associates who have access to your PHI are also required to be HIPAA compliant.
Are therapists affected by HIPAA?
When it comes to small businesses, most of your vendor relationships are digital: Google G-Suites and Simple Practice and these different online tools, and there are online agreements in place. Most of them have a BAA that you can request, you just have to specifically request it from the settings. For these big Google and Microsoft companies, there’s really not anything we can do about the BAA they have in place. If there’s a breach as a result of one of these organizations, your organization is probably not going to be held accountable for that.
If you’re working with a cleaning company, you are required to make sure that they really are HIPAA compliant as well. You have to have a BAA on file for that vendor and they have to be HIPAA compliant, and you’re supposed to ask every year, hey, are you still HIPAA compliant?
The amount of effort you put into that ask and tell relationship is really contingent on how much access they have and how big your organization is. As part of your risk assessment, you should have an annual review of all of these BAAs to ensure that they are current and they haven’t expired. Some of these softwares, there are certain online tools you can use to check the HIPAA compliance of different electronic health record systems. Electronic health information systems especially have a special category, or they get special attention from HHS. Things like Google don’t have that even though you may be using a tool that isn’t a specific EHR to save data, so you won’t be able to check the HIPAA compliance of those tools. That’s all stuff that when you get into the assessment, the software or an assessor can help you with.
What happens if PHI is breached?
Kate: “What happens if PHI is breached? Is a HIPAA audit required?”
Vanessa: “An audit is not required, it’s something that randomly happens, or usually happens in response to a breach. But it’s triggered by someone else. You’re not asking for an audit.”
We’ve been talking about risk assessment this whole time. HIPAA requires every covered entity to perform a risk assessment after every major change in the organization or at least annually. That means if in six months you move to a new office space, that counts as a major change and you should do another risk assessment. The scale and scope of that risk assessment is going to vary greatly depending on the size of your organization and the size of the change. A formal change needs to take place and be documented that shows that you have evaluated your risks. Evaluating your risks and assessing them is really the only way to know what’s going on with your organization and what your vulnerabilities are, to strengthen them and to be a strong and secure organization. This is directly from the HIPAA regulation.
Let’s talk about what is risk. This is a somewhat complex concept when you really dig into it. It’s a function of the likelihood of a given threat triggering or exploiting a particular vulnerability and the resulting impact on the organization. So risk is not a single factor or event, it’s rather a combination of factors or events, these threats and vulnerabilities, that if they occur, may have an impact on your organization.
How do you become a HIPAA compliant therapist?
Vulnerabilities and threats. Vulnerability is a flaw or weakness in your system that is accidentally triggered or intentionally exploited and results in a security breach. A threat is the potential for a person or system to trigger one of these vulnerabilities. This probably didn’t clear anything up for anyone, so I’ve created a beautiful analogy.
Let’s understand risk in the example analogy related to dogs. In this analogy, the vulnerability is that your backyard gate is open. The threat is that your dog will go through the gate and leave your yard and run free in the world. The risk here is calculated by how much of an impact your dog escaping your yard would have. The impact of that on your day is going to depend greatly on the type of dog you have, whether he’s just going to go on his route and come back, or if he’s going to run straight into the road. It depends on the neighborhood you’re in and the municipality. It has a lot of external factors. Also do you have to drive back to get your dog? It’s very complicated. The ultimate risk is complicated by the exterior factors.
During a risk assessment, you or somebody goes through your organization and identifies these vulnerabilities, these open gates, and identifies these threats, these dogs waiting to run out, and identifies solutions. We need to fix it. Or your system in place around closing the gate is not adequate; we need a better system to close the gate. Or a malicious actor came and opened the gate, so we need to put a lock on the gate. There’s a lot of different ways to solve for different vulnerabilities.
What is a HIPAA risk assessment?
The purpose of an assessment is just to find all these risks to PHI or to EPHI, and to identify specific problems and to find specific solutions. And a reminder, this is mandated. Every covered entity is supposed to do some form of risk assessment every year – every single year. And you have to keep record of it because if you get audited, they’re going to look for those records.
What’s a risk assessment? How do we do it? It’s a vague concept. It’s pretty straightforward and there’s a lot of different ways you can do it. You can do what I consider a fully self-assessment. You’re working on your own, evaluating your own risk. The Health and Human Services website has resources available that are free. You can do this by yourself if you want to. If you’re small enough, if you don’t have a budget, if you have a lot of time, you can definitely do this on your own. It is doable and it is allowed. The negatives of self-assessment are obvious: it’s hard to be objective with your own org, you’re not an IT security expert and you’re not a HIPAA security expert. Sometimes the way they phrase certain questions is confusing even for people who are experts. It can be complicated and that’s difficult.
What is a HIPAA self assessment?
If you don’t have that time, if you don’t have the mental bandwidth to do that, you can do something that I call a supported self-assessment. That’s using a third-party software like Cyber Compass, the tool I work with, to assess your risk. There are several out there. I’m not only talking about mine although I’m biased because I use it and I like it a lot.
Let’s say you’re using a tool like Cyber Compass. You give the tool your organization’s information. It asks how many people work there and then it walks you through a step-by-step process. It asks you questions, you answer them, based on the way you answer, it gives you a quantitative score of your risk and it auto-generates a list of your specific risks prioritized by how high of a risk they are to your org with specific remediations. Then it gives you that list of what to fix and in what order. It also gives you a generated report which shows a snapshot in time of your risk compliance position, which is something you keep on file to give to an auditor if you are audited.
How do you perform a HIPAA risk assessment?
Then you can use the tool as a project management tool, with Cyber Compass it’s a one year license. You have access to the tool to use it as a practice management tool to track those remediations. It is also super helpful if you get audited because your progress is the biggest thing. If you start out with a score of 20% and you get to a score of 40%, that’s a huge deal. The improvement and being able to track your improvement is super helpful.
Cyber Compass also has a training module so you can handle your staff training right in there and track your staff training. And they usually, and Cyber Compass does, generate policies and procedures for you. The documentation part for policies and procedures is taken care of immediately by using these tools, so that’s super helpful. These are very approachable price points depending on your org. Usually something like this could cost less than $2,000. This is March 2022. I know $2,000 is a lot for a small business, but it’s not $10,000.
Kate: “If you are a big practice owner, and I’m talking if you employ three people, if you have three therapists, you can afford this. You can’t afford not to do this.”
Vanessa: “If you have staff at all, you should not be doing a self-assessment because it’s complicated, it’s difficult. So if you have staff, there’s a lot more going on there and there’s a lot more at stake than doing it alone can do. So something like the supported self-assessment, you’re working alone, but you still have access to the software resources and you’d have access to me as a technical guide. I help people with these as well, I’m just not as involved with them, it’s a self-assessment still.”
What tools are used for risk assessments?
The third type of assessment is a managed assessment. Now this is if you are a larger organization, if you’ve experienced a recent breach, or if you just want extra support, if you just want someone there to hold your hand through it. To my knowledge, Cyber Compass is the only local HIPAA security compliant software that has in-person people. So you can get supported self-assessment, but you can’t get someone to come to your office and look underneath the keyboards to see who’s hiding passwords.
The managed assessment, you get an assessor who can think about your unique organization and guide you through things. If you’re a really small org, sometimes groups will do a managed assessment the first year. Then they’ll do self-assessments following because they can kind of handle it more themselves after handling the process. The most important thing is doing an annual assessment, keeping record of it, and having those records on hand as needed.
There are general phases that happen with any risk assessment process. We gather information about your organization, all of your current policies, we investigate things, and we interview staff and inspect facilities – that’s the fun part. Then there’s the analysis phase where the assessor or the tool crunches all of the numbers and decides, this is what the highest risk is, this is what your compliance assessment score is, etcetera. And then the results delivery phase, which is where the report gets written/generated, which is a snapshot in time of your current position, and then where general recommendations are made about how to improve your situation and then to prioritize remediation, so that risk register gets generated during that results delivery phase. You take that and remediate risk and improve compliance and strengthen your safety and security.
How do you prove you are HIPAA compliant?
Now we’re at the real, real fun part: improving your compliance. I’m going to go over a few basics here. I also have a downloadable document about simple ways to improve your cyber security for small businesses like us. You just go to my website, you can download that there. There will also be a link in the description of this event to that.
The first thing you’re going to do to improve your compliance is do a risk assessment, create a risk management plan, start remediating risks. So if you do this risk assessment, the only way for it to really help your org is if you use it to improve your situation. This remediation process, this compliance process is an ongoing process of identifying specific risks or risk behaviors, implementing solutions, and monitoring and evaluating the effectiveness of those solutions. So the ultimate goal is to make yourself stronger. You’re never done. It’s a process.
How do you conduct a privacy risk assessment?
In my experience as a risk assessor, I’ve come across several common HIPAA violations that are pretty pervasive across all scales of organizations. The first is a lack of annual staff training, not documenting annual staff training or the staff training is not super great.
Next is not having full written, documented policies and procedures. If it’s not in writing, it doesn’t count. A lot of clients don’t do regular risk assessments. You can’t have a risk management plan unless you’ve been doing risk assessments. Also, regarding documentation of your known deficiencies: to HHS and HIPAA auditors, it’s not super relevant if you are unaware of something you should have been aware of. Ignorance is not bliss; it’s not an excuse. If there’s something you should have known if you had been doing your due diligence, that’s what counts. Some people are afraid to conduct assessments because they think, if I know about it, I have to do something. That’s not accurate – even if you don’t know, you’re supposed to know, because it’s your responsibility to know.
Then the last thing that is a common violation in HIPAA is the rule of least necessary access. So in general, HIPAA has a rule. When sharing PHI, you should share the least necessary, lowest necessary amount of information. If you only need to share the name, you just share the name. Internally, a lot of organizations who have more than one staff member don’t have any distinction between different people. This includes who gets access to what, and not everyone needs access to everything. There’s no org where everyone needs access to every piece of PHI or every element of PHI. Having some sort of distinction in place is very important.
What are some examples of HIPAA violations?
There are some common risky behaviors that I see that can lead to breaches. Often, if you’re using insurance portals to process PHI payments, you’ll have a shared log-in that everyone uses. Maybe you can’t afford two copies of this license for this software so you share the username and log-in info with a coworker. That's risky behavior. Using simple, repeated, or shared passwords. Lack of awareness of common risks like phishing; there are a lot of simple things that you just constantly have to. You always have to be afraid. If you’re not a little bit afraid of your security position, then you’re not paying attention. There’s no one who is 100% secure. You should be aware of the need for confidentiality, aware of the need for security in all computer-related things.
Another risky behavior is not keeping record of your current Business Associate Agreements. Specifically, not checking to make sure they actually are compliant BAAs. For big things like Google and Microsoft, those are probably going to be good. The one you have with your cleaning company, who I assume is a small business just like us, you’re going to need to look at a little more closely.
The last one is a physical security risk of building access not being properly controlled or tracked. Anytime a visitor comes into your space, you need to be tracking it via a visitor log. There needs to be documentation of who is coming and going. If somebody leaves the practice, then the keys need to be changed. There are specifics around that which are often overlooked, such as operational processes around onboarding and offboarding that are easy to overlook.
What does it mean to be in compliance with HIPAA?
I like to end with reminding people about the compliance mindset. All successful, compliant organizations really make compliance part of their company culture. It’s not just the taxes you do once a year, which is how I do my taxes, I don’t think about them the rest of the time, I just do them and move on. It’s a part of your daily operations, it’s a part of the way you think about things. Is this compliant, safe and secure? It’s not an endpoint. You’re constantly working on it; you’re constantly doing it – it’s a part of what you’re doing. I strive to have a compliance mindset; I encourage you all to have a compliance mindset.
You can go to my website for a downloadable three-phase plan for building blocks for your cyber security situation. It covers things like ways to improve password strength. It also helps encourage solutions to a lot of those risky behaviors I called out. It can hopefully just help you improve your security position but also help you improve your confidence around your security and your compliance position. You want to be a little afraid, but you don’t want to be terrified. It's important to have a healthy respect for it, like you do for snakes or something, or spiders. Keep your distance but don't be terrified.