HIPAA Security Risk Analysis Requirements

Topic: HIPPA Security Risk Assessment and Compliance
Moderator: Monique Dever
Presenter: Srini Kolathur, Director, EHR 2.0

We're going to go ahead and get started. My name is Monique Dever, and I’m the Marketing Executive here at Patagonia Health. I’ll be today’s moderator.

You’ll be on mute throughout the presentation. You can shrink or expand the attendee panel at any time using the small red arrow. If you have questions during the webinar, please type them into the Questions or Chat box. We’ll address those at the end of the presentation unless we receive a large number, in which case we may answer a few along the way.

You’ll also see poll questions appear on your screen. Please answer those—they’re simple yes/no questions to help guide our discussion.

Today’s presenter is Srini Kolathur, Director at EHR 2.0. Srini helps companies comply effectively with regulatory requirements such as SOX, PCI, and HIPPA compliance. He advocates for best-practice-based security and compliance programs that help organizations achieve their business objectives.

Srini:
Thank you, Monique, for the wonderful introduction. Before we get started, shall we go ahead and do the first poll?

Monique:
Sure.

Srini:
Great. Most of you should now see a question on your screen. This helps us understand the kind of participants we have on the call so we can tailor our presentation accordingly. The question is: Have you conducted a comprehensive security risk assessment in the last year?
Please select Yes, No, or Not sure.

We’ll give it another 10 seconds before closing the poll. Okay, thank you—let’s close it and share the results.

So, 53% of you said No, 26% said Yes, and 21% are Not sure. Essentially, we can take that as about half of the participants having done a security assessment within the last year.

The next question relates to participation in the Meaningful Use Program. About 40% of today’s attendees are currently participating. This is important because if you’re attesting “Yes” to your security risk assessment question under Meaningful Use, that means you should have already completed your assessment to qualify for incentive payments.

Thanks again for participating in the poll. Let’s move into the main presentation.

About EHR 2.0

As Monique mentioned, I’m with EHR 2.0. We help healthcare organizations develop and implement best practices to secure their IT systems—particularly patient data—and comply with HIPPA and HITECH regulations.

We provide consulting, customized assessments, and a wide range of educational programs including webinars, onsite training, and online courses. If your organization requires customized HIPPA training, we can accommodate that as well.

Before we go further, please note that this webinar is for educational purposes only and should not be construed as legal advice. Always consult your attorney for specific legal questions.

Agenda

We’ll spend about 35–40 minutes covering key points about:

• Conducting a security risk assessment
  
  
• HIPPA and HITECH requirements
  
  
• Common data breaches and settlements
  
  
• OCR audit process and enforcement
  
  
• Practical steps for compliance
  
  

If we don’t have time for all questions today, we’ll follow up with you afterward.

Key Terms

You’ll hear several terms throughout this presentation:

• HHS – Health and Human Services
  
  
• OCR – Office for Civil Rights (the enforcement authority under HHS)
  
  
• HITECH – Health Information Technology for Economic and Clinical Health Act (introduced around 2009–2010)
  
  
• HIPPA – Health Insurance Portability and Accountability Act
  
  
• PHI – Protected Health Information
  
  

Covered Entities are organizations that provide direct patient care and access to health data. Business Associates perform services for covered entities involving PHI.
Some organizations, such as public health departments, may be hybrid entities—partially covered under HIPPA.

If you’re not handling any electronic protected health information, you’re not considered a HIPPA-covered entity or business associate.

Data Breaches in Public Health

Public health departments are particularly vulnerable to data breaches. HHS maintains a public database of reported breaches affecting 500 or more individuals.

Here are the five main causes of reported data breaches:

1. Unencrypted tapes – Backups of entire PHI systems that are not encrypted.
   
   
2. Inadvertent emails – Sensitive data sent to the wrong recipient or with unprotected attachments.
   
   
3. Poor data disposal – Improperly sanitized hard drives, servers, or paper files.
   
   
4. Theft by staff – Insider theft or misuse of data.
   
   
5. Hacking – Though high-profile, hacking accounts for only about 15–20% of all breaches.
   
   

Unencrypted data and internal mishandling remain the most common causes.

Medical data is especially valuable on the black market, so securing it must be a top priority.

Examples of HIPPA Settlements

When a data breach occurs, HHS may investigate and impose financial penalties. For example:

• Care New England System (2016) – Lost unencrypted backup tapes affecting 14,000 patients. Lack of a Business Associate Agreement resulted in a $400,000 settlement.
  
  
• Skagit County Public Health (2014) – Improperly secured web servers exposed 1,400 records for two weeks and failed to notify patients. The result was a $215,000 settlement.
  
  

These cases highlight the importance of proper encryption, timely breach notification, and maintaining valid business associate agreements.

OCR Investigations and Penalties

Originally, investigations began only after patient complaints. Now, under the HITECH Act, OCR conducts random audits of covered entities and business associates.

Violations can lead to civil monetary penalties depending on severity:

• Unknowing violation
  
  
• Reasonable cause
  
  
• Willful neglect (corrected or uncorrected)
  
  

Penalties range from $100 to $50,000 per violation, up to $1.5 million per year per category. Repeated violations across multiple years can quickly multiply these totals.

OCR is also expanding its pool of HIPPA auditors to increase enforcement.

Why Risk Assessments Are Crucial

Key reasons to focus on security risk assessments:

• Frequent security breaches and rising ransomware threats
  
  
• OCR auditors request your Security Risk Analysis Report first
  
  
• HIPPA enforcement and financial penalties are increasing
  
  
• Maintaining patient trust requires strong security measures
  
  

The HIPPA Framework

HIPPA focuses on three primary areas:

1. Privacy Rule – Ensures confidentiality of PHI and regulates how information is shared with third parties.
   
   
2. Security Rule – Defines technical, administrative, and physical safeguards for electronic PHI.
   
   
3. Breach Notification Rule – Outlines the process for notifying patients and HHS in the event of a data breach.
   
   

Business associates are directly liable for compliance with the Security and Breach Notification Rules.

Key HITECH Act Updates

HITECH strengthened HIPPA in several ways:

• Extended liability to business associates
  
  
• Introduced stricter breach notification rules (within 60 days)
  
  
• Increased penalties for noncompliance
  
  
• Authorized random OCR audits
  
  
• Linked HIPPA compliance with Meaningful Use program incentives
  
  

Since 2011, CMS and state Medicaid agencies have paid over $30 billion in incentives to organizations adopting compliant EHR systems.

Conducting a Security Risk Assessment

HIPPA requires compliance with three safeguard categories:

• Administrative
  
  
• Physical
  
  
• Technical
  
  

Steps to a Successful Risk Assessment

1. Identify all systems that store or transmit PHI—servers, laptops, storage devices, and cloud-based platforms.
   
   
2. Assess risks – Evaluate likelihood and impact of potential threats.
   
   
3. Develop mitigation plans – Address high and medium risks within specific timeframes.
   
   
4. Maintain documentation – Keep all policies, training logs, and risk analysis reports for at least six years.
   
   

Examples of Common Risks

• Unencrypted laptops taken offsite with PHI data (high risk)
  
  
• Lack of staff training on phishing or ransomware (high risk)
  
  
• Outdated access control policies (medium risk)
  
  

Encryption remains one of the most critical safeguards.

Policies, Procedures, and Documentation

Your organization should maintain:

• Information security policies
  
  
• Access control and sanction policies
  
  
• Contingency plans for disaster recovery
  
  
• Incident response procedures (e.g., ransomware response steps)
  
  
• Role-based training for staff based on their responsibilities
  
  
• Business Associate Agreements with all vendors handling PHI
  
  

Auditors may request up to six years of documentation, including policies, training logs, and access reviews.

OCR Audits (Phase 2)

OCR’s second phase of audits is currently in progress. Roughly 200 entities, including covered entities and business associates, have been selected for desk and onsite audits. Future enforcement actions will depend on findings from these audits.

Key Takeaways

• HHS enforcement is increasing significantly.
  
  
• Proper handling of PHI drives your HIPPA compliance strategy.
  
  
• Security Risk Assessments and documented policies are core requirements.
  
  
• Public health departments and community health centers often have complex systems—scope assessments carefully.
  
  
• Maintain an updated risk analysis report annually and keep documentation for six years.
  
  

Cost and Engagement Overview

Typical security risk assessments range from $3,000 and up, depending on organization size, number of sites, servers, and systems involved.

Deliverables include:

• Full inventory list of PHI systems
  
  
• Detailed risk analysis report
  
  
• Risk mitigation plan
  
  
• Executive summary report for sharing with partners
  
  
• Secure portal for document storage and audit support (up to six years)
  
  

Follow-up engagements typically cost about 20–30% less in subsequent years.

Q&A Session

Q: Can we get a copy of the presentation?
A: Yes. All attendees will receive a copy of the presentation via email.

Q: Is there a sample risk assessment template?
A: Yes. We’ll provide a de-identified sample report for reference. Keep in mind that every organization’s setup is unique, so templates should only be used as guidance.

Q: Would the risk analysis include recommendations for text messaging policies?
A: Yes. We provide guidance on secure text messaging practices and policy development.

Q: What issues do you see most during assessments?
A: The most common problems are missing formal risk reports, incomplete device inventories, and lack of annual staff training.

Q: Is the $3,000 fee one-time?
A: The assessment should be done annually. The initial year is typically the most detailed; follow-up assessments usually cost less.

Closing Remarks

Monique:
Thank you very much, Srini, for your presentation and insights.

Srini:
Thank you, Monique. It was a pleasure.

Monique:
And thank you to everyone who attended today’s webinar. We’ll email you the presentation and additional materials soon. We hope to see you at our future webinars.