HIPAA Compliance and the Limits of Gap Analyses | Practical Law


The Department of Health and Human Services (HHS) has addressed the differences between risk analyses and gap analyses for covered entities and business associates complying with the security requirements for electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA). This Article discusses the limits of gap analyses in the HIPAA context and key characteristics of a HIPAA risk analysis.

HIPAA Compliance and the Limits of Gap Analyses

Practical Law Article w-014-8714 (Approx. 9 pages)


by Practical Law Employee Benefits & Executive Compensation
Law stated as of 29 May 2018 | USA (National/Federal)
In newsletter guidance (April 2018) addressing compliance with the HIPAA Security Rule, which contains standards for protecting the confidentiality and availability of electronic protected health information (ePHI), the Department of Health and Human Services (HHS):
  • Compared and contrasted the typical features of risk analyses and gap analyses.
  • Concluded that gap analyses are insufficient to satisfy the Security Rule's risk analysis requirements.
As background, HIPAA's privacy, security, and breach notification rules require covered entities (CEs), which include group health plans, and their business associates (BAs), to safeguard ePHI using reasonable and appropriate security measures. Regarding these HIPAA compliance requirements, see:
In particular, the HIPAA Security Rule requires CEs and BAs to conduct a complete and accurate assessment of the risks and vulnerabilities to ePHI (45 C.F.R. § 164.308(a)(1)(ii)(A)). This assessment is known as a risk analysis (see Legal Update, Despite Six Risk Analyses, University Must Pay $2.7 Million in HIPAA Settlement). Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of ePHI.

Risk Analyses and Gap Analyses Compared

HHS defines a risk analysis as a comprehensive evaluation of a CE's or BA's "enterprise" that:
  • Identifies ePHI and the risks and vulnerabilities to the ePHI.
  • Is used to make changes to the CE's or BA's ePHI systems to reduce any risks identified in the risk analysis to a reasonable level.
(HHS commonly uses the term "enterprise" in referring to the scope of a CE's or BA's operations. As part of negotiated settlements involving HIPAA compliance, HHS often requires CEs and BAs to conduct enterprise-wide risk assessments addressing threats to the confidentiality of ePHI; see Legal Update, Stolen Laptop Bag Leads to $750,000 HIPAA Settlement.)
By contrast, a gap analysis, though not required under the HIPAA Security Rule, can be used to determine whether specific standards and implementation specifications under the Security Rule have been satisfied (see Practice Note, HIPAA Security Rule: Safeguards and Related Organizational and Document Requirements). HHS defines a gap analysis as a narrower review of a CE's or BA's enterprise to assess whether certain controls or safeguards required under the Security Rule have been implemented.
By performing a gap analysis, a CE or BA can obtain a high-level overview of whether the appropriate controls for protecting ePHI are in place (or to identify potential gaps where controls have not been implemented). However, a gap analysis is not the kind of comprehensive evaluation that is more typical of a risk analysis. A gap analysis provides only a partial assessment of an entity's enterprise.

Hallmarks of an Effective HIPAA Risk Analysis

HHS has recognized that the Security Rule does not require:
  • A specific methodology to assess risks to ePHI.
  • Documentation of a risk analysis to be memorialized in a specific format.
In its April 2018 guidance, however, HHS identified the following eight elements that are common to a risk analysis and should be part of the risk analysis process.

Scope

A CE's or BA's risk analysis should review the potential risks to all of an entity's ePHI, regardless of:
  • The particular electronic medium in which the ePHI is created, received, maintained, or transmitted.
  • The source or location of the entity's ePHI.
In properly scoping a risk analysis, a CE or BA should consider all the places that may hold ePHI. For a health plan, for example, this may require the CE to consider how ePHI moves through or otherwise involves the plan (for example, in the enrollment or benefit claims contexts), including instances where ePHI flows between the plan and plan sponsor.
As another example, one of HHS's best-known HIPAA settlement agreements involved a health plan that impermissibly disclosed the ePHI of more than 344,000 individuals by failing to erase photocopier hard drives before returning the photocopiers to a leasing company (see Practice Note, HIPAA Settlement Agreements and Group Health Plans: Failure to Erase Hard Drives). Health plans should also consider ePHI maintained by cloud storage providers, see:
HHS apparently expects CEs and BAs to develop a relatively formal process for conducting their risk analyses. For example, under HHS's Phase 2 HIPAA Audit Protocols, auditors were instructed to ask whether a CE or BA has policies and procedures in place to conduct their risk analyses (see Legal Update, HHS Launches Phase 2 of HIPAA Audit Program). Auditors then evaluated whether the policies and procedures addressed:
  • The purpose and scope of the risk analysis.
  • Workforce members' roles and responsibilities.
  • Management involvement in the risk analysis.
  • How frequently the risk analysis was reviewed and updated (see Risk Analyses Should Be Reviewed and Updated).

Data Collection and Inventory

In considering the potential risks to its ePHI, a CE or BA should identify all the locations and information systems where ePHI is created, received, maintained, or transmitted. This inventory should include:
  • Workstations and servers.
  • Applications, mobile devices, electronic media, communications equipment, networks, and physical locations.
A 2016 enforcement action and settlement agreement between HHS and a CE illustrated the variety of locations where individuals' ePHI may be housed and which should therefore be considered in an entity's risk analysis. In that action, a network server purchased by a CE for storing files included default settings that permitted anyone with an internet connection to access files containing individuals' ePHI (see Legal Update, ePHI on the Internet Results in $2.14 Million HIPAA Settlement and Practice Note, HIPAA Enforcement and Group Health Plans: Settlement Agreement). The CE had failed to change the server's default settings.
For health plans, the relationship with the plan sponsor may be a key area where ePHI is transmitted. As part of its analysis, for example, the plan may want to confirm that plan documents provide that the plan sponsor will appropriately protect any ePHI that is created, received, maintained, or transmitted to (or by) the plan sponsor on the plan's behalf.

Identifying and Documenting Potential Threats and Vulnerabilities

A risk analysis should identify both technical and non-technical vulnerabilities. Technical vulnerabilities can include:
  • Holes, flaws, or weaknesses in information systems.
  • Information systems that are incorrectly implemented, incorrectly configured, or both.
A risk analysis that identifies these vulnerabilities is a common element of corrective action plans between CEs and HHS in the enforcement context. (For example, see Legal Update, HHS Nets Over $5 Million in HIPAA Settlements Involving Stolen Laptops.)

Assessing Current Security Measures

As part of its risk analysis, a CE or BA should assess and document the effectiveness of the current controls it has implemented. For example, this may include:
With some regularity, failures to implement access controls, such as encryption and decryption, have resulted in HHS settlement agreements or, in one case, imposition of civil money penalties (see Legal Update, HHS Imposes $3.2 Million in Civil Money Penalties for Failure to Encrypt).

Determining a Threat's Likelihood and Potential Impact

A CE or BA should determine and document:
  • The likelihood that a particular threat may trigger or exploit a vulnerability.
  • The consequences if a vulnerability is triggered or exploited.
As one example, former employees whose access to a CE's or BA's information technology systems and databases is not terminated at the end of employment may be able to exploit existing systems or database vulnerabilities. Former employees may have close familiarity with a CE's or BA's systems and, depending on the circumstances of their termination, a motive to exploit those vulnerabilities. These issues have resulted in expensive HHS settlement agreements (see Legal Update, $3.5 Million HIPAA Settlement Highlights Need for Training).

Determining Risk Levels

A CE or BA should evaluate and assign risk levels for the threat and vulnerability combinations identified by the risk analysis. By determining these risk levels, the CE or BA:
  • Can understand where its greatest risks lie.
  • Can prioritize resources to reduce those risks.
For example, a CE or BA with a workforce of individuals that travel frequently for business may conclude that its greatest ePHI vulnerabilities involve:
  • Individuals' use of laptops, mobile devices, and thumb drives.
  • The risk that this hardware may be stolen in transit (for example, from automobiles or at airports).
In addition, hackers and the use of malicious malware have presented an increasing risk for many CEs and BAs in recent years (see Practice Note, HIPAA Enforcement and Group Health Plans: Settlement Agreements: Malicious Malware).

Risk Analysis Documentation

The Security Rule does not specify a form or format for CEs and BAs to use in documenting their risk analyses. However, this documentation should contain enough detail to demonstrate that an accurate and complete risk analysis was performed.
HHS has addressed the situation where a CE or BA that is the subject of an HHS investigation, compliance review, or audit (for example, after furnishing a required breach notification) submits a risk analysis that lacks sufficient detail (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). HHS may require a CE or BA whose risk analysis lacks sufficient detail to offer additional documentation demonstrating that it conducted an accurate and complete risk analysis.
The Phase 2 Audit Protocols offered insight into the issues HHS wants to see addressed in risk analysis documentation. For example, the written risk analysis should include:
  • A defined scope that identifies all of a CE's or BA's systems that create, receive, maintain, or transmit ePHI.
  • Details of identified threats and vulnerabilities.
  • An assessment of current security measures.
  • An impact and likelihood analysis.
  • A risk rating.

Risk Analyses Should Be Reviewed and Updated

Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly. The Security Rule does not specify how often risk analyses must be performed. However, risk analysis and risk management processes are most effective when they:
  • Are integrated into a CE's or BA's business processes.
  • Can help ensure that risks are timely identified and addressed.
In its Phase 2 Audit Protocols, HHS indicated that risk analyses may need to be reviewed and updated in response to:
  • Changes in the CE's or BA's environment or operations.
  • Security incidents.
  • Occurrence of a significant event (which presumably includes a breach of ePHI).
An auditor may ask a CE or BA that has not updated its written risk analysis since it was initially drafted and conducted to explain why this is the case.
In the health plan context, for example, it should be confirmed that plan documents continue to include language requiring the plan sponsor to implement safeguards to reasonably protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on the plan's behalf. These protections should also be carried out in practice.