As OCR promises more fines, two CIOs offer tips on risk assessments

Leon Rodriguez

Enforcement now a "fact of life," says Rodriguez

"I don't do risk assessments; I assess risk," said Sharon Finney, corporate data security officer at Adventist Health System, speaking Thursday at the Healthcare IT News/HIMSS Media Privacy & Security Forum in Boston.

There's a difference. One happens on a daily basis. The other might happen a time or two each year. A risk assessment, said Finney, sounds like something that "has a beginning and an end, and it doesn't."

Added Ed Ricks, president of information services and CIO at South Carolina's Beaufort Memorial Hospital: "If it does have an end, it's the day you get fired because you're not paying attention."

Security risk assessments are a fundamental part of keeping compliant with HIPAA and HITECH regulations – not to mention meeting Stage 1 meaningful use – but they have been problematic for many providers.

"If you look at the numbers, you see they're pretty low," HIMSS Senior Director of Privacy and Security Lisa Gallagher told Healthcare IT News earlier this year. "We have organizations trying to meet meaningful use Stage 1, and they're calling me and saying, 'We can meet all of the requirements of Stage 1, except the risk analysis requirement.'"

Sometimes a lack of resources is the problem. Often, it's a lack of clarity: Providers – whether they're hospitals or physician practices – don't know just what to do, or what will bring them into compliance.

The Department of Health and Human Services has never quite said plainly that "If you do the following, you are compliant," said Gallagher in March. "They said, 'Do a risk assessment, document it and make sure you mitigate any findings that you have.' But there's no standard for what is minimum to be compliant. And that's causing the industry a lot of stress."

[See also: Risk assessments leave hospitals hamstrung.]

A simple audit – taking the HIPAA security rule and ensuring certain requirements are being met – "is not really a risk assessment," said Finney.

Instead, it requires a much more holistic approach to the organization – focusing on "people, process and technology" – that reviews and redresses shortcomings and vulnerabilities in all three areas.

"You have to document what you do," she added. "What did you do to remediate it?"

The HIPAA security rule "has been around for a long time now," Ricks pointed out. People are paying more attention to it now, "trying to check a box for meaningful use."

But really, he said, it's just a "smart business practice." Joking about the specter of a catastrophic breach, he added: "I don't think I would look good in an orange jumpsuit."

Later in the day, Healthcare IT News Editor Bernie Monegain sat down for an on-stage interview with the chief enforcer of the HIPAA privacy rule, Leon Rodriguez, director of HHS' Office for Civil Rights (OCR).

Asked when we will finally see the omnibus Final HIPAA Privacy and Security Rule, Rodriguez said only that "We, like you, are eagerly awaiting its issuance."

In the meantime, he said, OCR has been focused on transforming its organizational culture "to an enforcement oriented culture."

Until three or so years ago, he said, the agency's strategy was focused on "specific investigations into specific incidents."

Since HITECH, however, the mandate has been to do something far broader in focus, said Rodriguez. "We have moved into an area of more assertive enforcement."

There have been – and will continue to be – "more monetary settlements," be they from physician practices, hospitals, health plans or state social services agencies.

"Every one of those is a message to the rest of the industry," he said.

[See also: HHS names Rodriguez chief health data privacy enforcer.]

Still, OCR is committed to "doing enforcement in a balanced way that is coupled with education," said Rodriguez.

With experience both as a former prosecutor and as a counsel for healthcare providers, he says he sees these issues from all sides. "Enforcement does breed compliance," said Rodriguez. "But enforcement also needs to be mindful of business realities."

Still, he said, "We expect compliance because the patient expects compliance." For the grand project of electronic health records and health information exchange to work, "There has to be bedrock patient trust."

To the question of why risk assessments are so difficult for so many providers, Rodriguez admitted that many larger organizations have experience, having learned the hard way of their vulnerabilities "because they had experience with fraud and abuse."

For other, perhaps smaller, providers, there's always the question of where to direct management attention and resources. "There has been some real progress made, but there's still a long way to go," he said.

For his part, Rodriguez said OCR's workload has quintupled in the years since the HITECH privacy rule came along.

The threats are manifold, he said – "theft, loss and unauthorized disclosure" are the biggest ones. Hacking? Not as much. That's just one reason why, "in addition to technological safeguards," providers need to focus on administrative and physical safeguards.

Rodriguez noted that, as part of OCR's moves toward a culture of enforcement and education, it has been moving away from "breach porn" – splashy press releases about troves of paper records found in a hospital's dumpster, say – and more toward an assiduous effort of ensuring that organizations nationwide "are engaging in the process."

It's "a lot nerdier, but that's what's really going to make all the difference in the long run," he said. "We're focusing on the roadmap of compliance."

Enforcement is now a "fact of life," said Rodriguez. "It is having a beneficial effect on compliance." As such, "The number of monetary enforcement cases will continue to grow."

Still, he said, "We are not missing opportunities to get out and educate the industry."

OCR is cognizant that "bad things will happen, breaches will happen," he said.

That's why, "You will not hear me, except in quotations, use the phrase the Wall of Shame," said Rodriguez, referring to OCR's infamous list of large-scale breaches.

Shaming "is not the purpose of the breach notification program," he said. Fostering a culture of privacy and security is. "At the end of the day it comes down to leadership: Owning compliance issues and doing so consistently."

In other words: Don't do risk assessments. Assess risk.