What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis? Many organizations use the two terms interchangeably, but they are not the same thing. Don’t make the same mistake. We can help you understand the difference.
Office for Civil Rights Requirements
The Office for Civil Rights (OCR) has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis. The rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information (ePHI) held by the organization. Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI. This includes all ePHI that is created, received, maintained or transmitted, regardless of the source or location of the ePHI.
Understanding a HIPAA Gap Analysis
The HIPAA Rule does not require a HIPAA Gap Analysis. A Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization that reveals whether the policies, controls and safeguards required by HIPAA are in place and implemented. The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems, and it must cover all facilities as they relate to privacy and to the uses and disclosures of PHI.
Gap Analysis Insufficient for HIPAA Rule
A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis. The required risk analysis must consider all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits. Consequently, a Gap Analysis is not equivalent to a Risk Analysis and does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A). It is important to note that OCR expects a covered entity to document and implement all of the necessary regulations of the HIPAA Rule to obtain a Compliant rating.
Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis. Make sure that the vendor you engage is qualified to perform the specific type of analysis that you need.
New HIPAA penalties were announced by the Department of Health and Human Services (HHS) in a notice published on April 30th. HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.
Pending further rulemaking, HHS will now apply a different cumulative annual CMP limit to each category, instead of the maximum of $1.5 million for every level of violation. This is a reduction in the maximum limit, scaled down according to the level of culpability. HHS will use the new penalty structure until further notice, so it is important to understand the new HIPAA penalties from HHS.
Based on four categories of culpability, HHS has given covered entities and business associates a whole new penalty structure. In most cases the penalty amount will be significantly less than what we have seen in the past.
For the category of no knowledge, the minimum penalty is now $100 and the annual limit is $25,000, down from $1.5 million.
For reasonable cause, the minimum is $1,000 and the annual limit is $100,000, down from $1.5 million.
For willful neglect that is corrected, the minimum is $10,000 and the annual limit is $250,000.
Finally, the highest category, willful neglect that is not corrected, carries a minimum of $50,000 and an annual limit of $1,500,000.
This new guidance significantly changes the penalty structure for HIPAA violations, and covered entities and business associates who handle protected health information must consider and understand it.
To read this important notice on the new HIPAA penalties from HHS, visit the Federal Register using the link below.
Reasonable Safeguards for PHI are the precautions a prudent person must take to prevent a disclosure of Protected Health Information. Providers must apply these safeguards to protect all forms of PHI: verbal, paper and electronic. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan, and organizations must share them with all members of the organization.
Safeguards for Verbal PHI
Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Secondly, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room. Ask who is with the patient and whether the patient permits disclosure. Finally, you may ask the other persons to leave the room, giving the patient an opportunity to object.
In addition, reasonable safeguards for PHI must apply to the use of all paper products, to prevent them from reaching the wrong person. Providers must shred all paper products containing PHI once they are no longer needed. When a paper patient summary is handed to a patient, personnel must make every effort to give it to the correct patient.
Password protect all computers in order to protect electronic PHI. Employees must only use the computer accounts to which they are assigned. Consider encrypting any email or text message that contains ePHI.
Use of Reasonable Safeguards for PHI Prevents Violations
In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help keep you from violating patient privacy.
Sometimes it is hard to determine under what circumstances a PHI disclosure to law enforcement is permissible. HIPAA permits disclosures to law enforcement only in certain situations. A disclosure is reasonable when a signed authorization from the patient or their legal representative exists.
When to Respond
The HIPAA Rule permits disclosures when they are required by law. This may be necessary to respond to subpoenas and court orders that meet specific requirements. Disclosure may also be permitted to help investigate a crime, to locate a missing person and to prevent serious threats to public health and safety. State law requires reporting of child and adult abuse and neglect, and reporting of certain injuries and diseases.
Besides considering the federal HIPAA law, review state law, because it may be more protective than HIPAA. If that is the case, the entity must follow state law. It is important for your organization to know which disclosures to law enforcement are permissible.
This is your HIPAA ABCs brought to you by HIPAA Associates. Contact us for more information on this important topic and HIPAA training for you and your company. Follow us on Facebook and Twitter.