Why Do You Need a HIPAA Risk Analysis? Ask Change Healthcare…

If you have not been affected by the Change Healthcare cyberattack, you have no doubt heard about the sinister actions of the ALPHV Blackcat ransomware gang and the resulting chaos from their February data breach they caused. At the time of this article, the details of the Change Healthcare attack are still widely unknown to the public but two things are certain… (1) the attack should serve as a cautionary tale to all entities handling electronic protected health information (ePHI) and (2) it is a perfect reminder that a HIPAA Risk Analysis is a critical component to the security of your sensitive data.

A Risk Analysis is an accurate and thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI. According to the Guidance on Risk Analysis webpage from the U.S. Department of Health and Human Services (HHS), “All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.”

The Office for Civil Rights (OCR) is responsible for enforcing federal HIPAA Rules and investigating complaints and violations. In many prior OCR investigations, pharmacies and other healthcare entities settling potential HIPAA violations are often cited with failure to perform an accurate and thorough risk analysis. Since HHS considers a risk analysis to be “the first step” in complying with the HIPAA Security Rule, OCR anticipates that a failure to complete the risk analysis will undoubtedly lead to other insufficiencies and a probable hefty monetary settlement.

As stated in the March 5, 2024 press release from HHS regarding the Change Healthcare cyberattack, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” Take steps now to evaluate and strengthen the security and integrity of your ePHI!

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  • A new risk analysis should be conducted at least annually, or whenever there is a significant change to the information systems or security policies and procedures
    • Deploying new computer equipment (i.e., anything that houses ePHI) or installing a new gate are situations that require updates to your risk analysis
  • Keep all documentation related to HIPAA for a minimum of six years after the last effective date
  • For more information from HHS regarding the Change Healthcare cyberattack and the coordinated efforts and flexibilities in place, refer to their March 5, 2024 press release
  • Check out the newly released HHS voluntary performance goals to enhance cybersecurity in the health sector and their new gateway website developed to increase accessibility and awareness of cybersecurity information and resources from HHS and other federal agencies
  • Feeling overwhelmed? Don’t know where to start? If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Program, we suggest scheduling a services overview to obtain additional information. The compliance program includes a custom HIPAA Risk Analysis. It is in your best interest to identify threats, and corresponding vulnerabilities associated with those threats, so you can develop reasonable safeguards, where practicable.

Sara Hathaway, PharmD