Building a HIPAA Toolbox: Part 5
The core of an effective compliance program is managing risk assessment.
The purpose of Office of Inspector General (OIG) compliance guidance is to encourage use of internal controls to efficiently monitor adherence to applicable statutes, regulations, and program requirements (65 FR 59434, October 5, 2000). HIPAA implements regulations that similarly encourage internal controls for organizations to maintain the privacy and security of protected health information (PHI) (45 C.F.R. §§ 164.530, 164.306). While both OIG guidance and HIPAA regulations provide the basic structure for implementation of compliance programs, HIPAA provides additional details regarding specific safeguards. Although clearly appropriate for PHI confidentiality and security, some of these safeguards are beneficial in developing an effective corporate compliance program.
Risk Assessment and Management Take Focus
Compliance risk assessment and management is a focal point for Office for Civil Rights (OCR) HIPAA investigations, and is a frequently cited deficiency in HIPAA settlement agreements and enforcement actions. Although not as clearly labeled as in the HIPAA regulations, OIG compliance guidance similarly recommends consideration of fraud and abuse topics that need to be addressed, based on your organization’s specific needs (65 FR 59434, 59438, October 5, 2000). Ultimately, whether for fraud and abuse or privacy and security, your organization’s compliance program will not be fully effective without a risk assessment and management process.
Risk assessment is the process of identifying, estimating, and prioritizing information related to organizational risks (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, section 2.3, September 2012). There is no one method that is endorsed by regulators for performing a risk assessment. Every organization may vary in the process to reflect its structure or particular documentation methods; however, an effective risk assessment and management process should include, at least, the following steps:
The first step in the risk assessment process is to take an inventory of your organization. For HIPAA compliance, the inventory should focus on identifying all of the locations where PHI is stored or transmitted. This usually begins with the servers storing store electronic health records (EHRs) or practice management software. It should expand to include all other ancillary storage of PHI, such as email systems, Microsoft Office®, backup drives, and laptop computers.
For a corporate compliance program, inventory begins with identifying service lines. Within each service line, inventory should include CPT®, HCPCS Level II codes, ICD-9-CM codes, and modifiers used on claims. Inventory should also include the volumes of each code for each provider.
Diagram Information Flow
The risk assessment should next diagram the flow of information through your organization. For HIPAA compliance, this flow should track the movement of PHI in and out of your organization. For a corporate compliance program, it should track the information relevant for billing from the patient visit through the entire collections process.
Define the Scope
The first two steps assume a comprehensive risk assessment is being performed. Not every risk assessment must be comprehensive. A risk assessment may focus on HIPAA implications related to EHR implementation or other sections of your organization’s information systems. A compliance risk assessment may focus on a specific department or service line. Where the risk assessment is narrower in scope, it should be clearly defined and communicated in the documentation.
A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A vulnerability is a flaw or weakness in system procedures, design, implementation, or internal controls that could be exercised and result in a breach or a violation (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, section 2.3.1, September 2012). This step creates the greatest variance between organizational risk assessments. To determine potential threats and vulnerabilities, your organization might consider information such as:
- Transmittals, alerts, or relevant guidance from regulatory agencies or payers
- Recent audit results or compliance investigations
- Coding or regulatory changes
- Other industry guidance
The more specific your organization is in identifying threats and vulnerabilities, the more specific the risk assessment will be.
The end product of any risk assessment is determining the risk level associated with each threat and vulnerability and the overall risk for your organization. A risk is the extent to which your organization is threatened by a particular event considering:
- The probability that a particular threat will exercise a particular vulnerability; and
- The resulting impact, if this occurs.
There are a number of different methodologies for calculating risk level. As part of the process, your organization should document the methodology used. What factors were considered in determining the likelihood and probability? What matrix was used to convert the likelihood and probability combination into a risk?
Much of the industry guidance available focuses on performing and documenting the risk assessment. For the process to be complete, your organization must also respond to identified risks and document the responses.
For each identified risk, document the potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. You can then integrate the risk management plan into future assessments to evaluate the effectiveness of each response.
Make It a Driving Force
The risk assessment and management process is the driving force behind an effective compliance program, regardless of whether it’s protecting confidentiality and security of information, or reducing fraud and abuse. If implemented as a continual process within your organization, it can provide the structure necessary for your compliance program to evolve and respond to industry changes.
Stacy Harper, JD, MHSA, CPC, is healthcare attorney with Lathrop & Gage, LLP. She serves on the National Advisory Board and Legal Advisory Board for AAPC. Harper works with healthcare providers around the country to navigate regulatory requirements such as HIPAA, data privacy and security, Stark, Anti-kickback, state licensure, and Medicare conditions of payment and participation. She is a member of the Kansas City, Missouri, local chapter.