A recent HIPAA fine and HHS’s healthcare app guidance underscore the importance of conducting risk analyses to protect personal health information.
A recent fine is a further lesson for providers and medical practices to conduct a comprehensive risk analysis, which can reduce their risk of a penalty in light of the U.S. Department of Health and Human Services (HHS)’s Health App FAQs.
In late May, Medical Informatics Engineering, Inc. (MIE), an Indiana-based medical records service, agreed to pay $100,000 and take corrective action to settle potential violations of the HIPAA Privacy Rule and Security Rule after a cyberattack affected 3.5 million people. HHS’s fine appears to reflect the new penalty amounts.
The company self-disclosed the cyberattack July 23, 2015. Nearly four years later, the Office for Civil Rights’ investigation revealed that “MIE did not conduct a comprehensive [enterprise-wide] risk analysis prior to the breach” as required annually under 45 C.F.R. § 164.308(a)(1)(ii)(A). This particular section of the Security Rule requires an annual risk analysis to assess the potential risks and vulnerabilities associated with the confidentiality, integrity and availability of the data.
This breach and the associated legal, compliance and reputational costs could have been avoided through a comprehensive risk assessment.
Taking this recent action as a “learning moment,” here are two lessons that providers should take to heart. First, if providers read the resolution agreements associated with the imposition of HIPAA penalties as well as class action lawsuits, they will see one of the top areas of non-compliance is not conducting a risk analysis. Second, in light of the HHS Health App FAQs, a comprehensive risk analysis and adequate due diligence with an app (or other technology) company can mitigate the wrongful disclosure of protected health information, penalties and legal costs.
One of the FAQs poses the following concern: Does HIPAA require a covered entity or its EHR System developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?
The short answer: It depends.
The long answer: “HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).
“However, if the app was developed to create, receive, maintain or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required.”
Because a business associate agreement would be required in these circumstances, and because such agreements are contracts that by their very nature require the parties to agree that they are respectively in compliance with the Privacy Rule and Security Rule, it follows that a material statement is being made that a risk analysis has been conducted, along with other technical, administrative and physical safeguards.
Therefore, providers should take this opportunity to learn from MIE’s fine and consider the implications of not conducting a risk analysis for their own medical practices.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.