CastleHill Managed Risk Solutions Blog

Evaluating Governance, Risk, and Compliance (GRC) for Protected Health Information

Posted by Michael Duggan on May 2, 2017 11:44:52 AM

How Do Your Risk & Compliance Programs Stack Up?

Do you know where your healthcare organization stands when it comes to evaluating and managing your Governance, Risk, and Compliance (GRC) for Protected Health Information (PHI)?

Last year, the University of Mississippi Medical Center (UMMC) agreed to a $2.75MM HIPAA settlement after numerous reports of HIPAA violations that led to a major healthcare data breach affecting the electronic PHI (ePHI) of nearly 80,000 individuals, including active and past patients. The violations themselves were not the major finding; rather, it was the determination that UMMC failed to take adequate risk management measures even after it was anecdotally aware of the risks and vulnerabilities to its system.

Additionally, last year’s Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA audits demonstrated how seriously robust HIPAA risk management practices are taken. Beyond the weaknesses in the healthcare organizations’ own ePHI practices, OCR found that vendors, third-party management, and even integrated medical devices and mobile applications carried significant risk of patient health information compromise.

According to Jennifer Rathburn, an attorney with the international corporate law firm of Quarles and Brady in this Health IT Security article, “It should be no surprise to any covered entity that they’re also focusing in on whether a covered entity has completed a risk analysis and whether they have really taken the results of that and integrated it into their risk management process. Many of the most recent enforcement actions the OCR has taken have been related to a not completed risk analysis or not properly incorporating vulnerabilities and risks into the risk management process.”

Cited in the same article, Foley & Lardner information security lawyer Mike Overly added, “If a healthcare provider has not themselves in the last 12 months conducted a risk assessment, has not themselves in the last 12 months conducted an inventory of their information assets, has not themselves in the last 12 months looked at and updated their policies and procedures relating to information security and privacy breach notification response, then they’re going to have a problem, no question about it.”

Examining your internal GRC processes when it comes to ePHI is not enough. Providers are finding that their vulnerabilities extend to third-party vendors, interconnected medical devices, services, and even mobile applications. In fact, according to Health Security in this article, the first five OCR HIPAA settlements in 2017 (including one for $5.5MM) are directly related to the absence of regular risk analyses, issue-responsive risk management plans, and strong safeguards. Clearly, a one-time or even a static risk assessment schedule is not enough in today’s dynamic healthcare climate, when every new innovation or workflow can represent a fresh ePHI security threat. Organizations need to show they are intelligently addressing their current and emerging risk management needs. Further, additional HIPAA audits are coming, with the next round focusing on the vulnerable area of business associates and their HIPAA compliance. Given that many of these associates are not themselves in the healthcare industry, there is increased risk of non-compliance or of a marked disparity in practices between the healthcare organization and the vendor.

So how do you determine your GRC capability when it comes to ePHI? Start with an overview of major business functions – auditing, compliance, vendor management, controls, and other policies and procedures. From there, drill down to key risk factors – risk reduction, agility, effectiveness, and overall efficiency and cost control. Some key questions to ask:

  • Are our HIPAA ePHI practices known, understood, and owned by all employees and partners?
  • Is ownership of our ePHI risk management program transparent?
  • Have we linked ePHI risk management to all internal and external risk areas?
  • Does leadership have access to the information it needs to respond promptly and effectively to emerging ePHI threats?
  • Do we have a tracking mechanism to quickly identify impacts to ePHI (regulations, processes, partners, equipment, migration, etc.) and quickly make needed process adjustments?

Want to know more? As experts in healthcare GRC, we would be happy to share our knowledge and expertise. Simply complete our short GRC Capability Survey and our risk management analysts will use your answers to prepare a customized overview of your program’s capability and your strength and opportunity areas. To access the survey, click here.

Topics: GRC, healthcare