HIPAA’s Security Rule requires that Covered Entities perform “periodic” Security Risk Assessments. All too often, however, this regulatory obligation is ignored altogether, performed extremely sporadically, or treated as a regulatory hoop-jumping exercise to be completed as quickly as possible. Aside increasing the risk of HIPAA liability, treating the Security Rule Risk Assessment in these ways means missing out on an opportunity to explore and shore up the entity’s data security systems.
Despite what criticisms may exist for other parts of the HIPAA regulations, the Security Rule can be a remarkably helpful tool. It was rolled out in 2013, and it has survived the test of time despite astonishing changes in technology. Indeed, one of the reasons for this is that the Security Rule expressly incorporates a “flexibility of approach,” making it applicable to Covered Entities of all sizes and configurations.
At its core, the Security Rule risk aims to ensure the confidentiality, integrity, and availability of electronic PHI, and the elements of the rule are pretty much the very same things that would be expected of any responsibility organization operating in the digital age anyway.
When done properly, the Security Rule Risk Assessment helps entities to examine their operations to identify where and how their data is stored; reasonably anticipate and address the risks that may exist to their data; and identify the various ways in which the entity manages its operations with respect to a fairly logical set of required and addressable criteria. This exercise can be critically important in helping in-house counsel and the compliance team to understand where the organization’s information “lives,” who is in charge of securing the data, and what areas of potential vulnerability require attention.
Lawyers do not often applaud regulations, but in the case of data security practices, HIPAA Security Rule can be tremendously helpful, and all entities should take it very seriously.