While some of the legal requirements on your organization can seem overly burdensome, there are times when legal requirements also align nicely with what makes good business sense. Risk assessments in the healthcare industry are a good example of that alignment.
The Law
The HIPAA Security Rule requires (among other things) that all Covered Entities (CEs) and Business Associates (BAs) conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). See 45 C.F.R. § 164.308(a)(1)(ii)(A). The Security Rule also requires that CEs and BAs implement security measures to appropriately reduce risks and vulnerabilities. See 45 C.F.R. § 164.308(a)(1)(ii)(B).
Good Business Sense
As a practical matter, conducting a risk assessment and implementing appropriate changes is also a smart business move. Reducing risks and vulnerabilities helps an organization better protect its data, systems, and operations, as well as its customers, patients, members, end users, employees, and business partners – all things that will ultimately impact the bottom line.
To effectively reduce risks and vulnerabilities, an organization must first identify what are the realistic risks and threats to, and vulnerabilities within, the organization. That’s where the risk assessment comes into play. The risk assessment, whether completed with internal resources or through the services of a qualified third party, is the tool that allows the organization to get a realistic picture of “what’s out there” and what could adversely affect the organization. After obtaining the realistic picture of risks, threats and vulnerabilities, the organization can then review its current security posture to determine how it currently addresses (or does not address) the identified risks, threats and vulnerabilities. At that point, the organization will be able to identify and prioritize the changes that should be made to appropriately reduce risk.
Combining Legal and Technical
Decisions regarding which security measures, policies and procedures to change or implement are best made with the benefit of both technical and legal advice. The technical advice component will help an organization identify and implement technical solutions and data security measures, policies and procedures that provide meaningful protection for the organization’s data and systems. The legal advice component will help an organization ensure that the potential solutions and security measures, policies and procedures meet the required legal standards, and help the organization understand the legal risks associated with security-related decisions and potential adverse events.
Ultimately, an organization needs to be confident that its approach to security is both practically appropriate and legally sufficient.
Pro Tip for Assessments
Prior to conducting a risk assessment, an organization should discuss the endeavor with counsel. Depending upon the circumstances, an organization might be able to protect from later disclosure to third parties (e.g., plaintiffs!) certain discussions and information developed during the assessment.
Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have questions about this post, or any data security, data privacy or technology issues please contact Bobby or one of our Cybersecurity and Technology Team members.