A recent marketing come-on to healthcare practices and business associates from a company that provides an online HIPAA Security Rule risk assessment triggered some old memories. You know the ad, “Give us two hours of your time and we will give you a risk analysis.” If you buy into their online risk assessment, they promise that they will pay the first $100,000 of any fine or penalty levied by OCR or CMS.

Insuring against losses from fines and penalties resulting from a bad risk analysis brought to mind a theory introduced to me a very long time ago: insurance is like gambling. You are betting that a certain event or loss will occur from which you would have to pay good money to fix or become whole. The firm offering coverage is betting that through its pricing or rules for coverage it can control its risk of loss, minimizing the likelihood it will lose its bet.

The cross marketing of a risk analysis to comply with the HIPAA Security Rule, Meaningful Use requirements and gambling on the likelihood of being penalized for HIPAA or Meaningful Use compliance failures turns the reasoning for safeguarding your information assets on its head. To put it another way, the security risk analysis is the foundation of your enterprise’s protection of its most important assets: the personal and sensitive health information of your patients. When you build your safeguards for protecting the confidentiality, integrity and availability of your protected health information on a shaky risk analysis, it calls into question the effectiveness of every other decision you make to protect your PHI.

The HIPAA Security Rule requires covered entities like healthcare providers, hospitals and health plans to protect against reasonably anticipated threats or hazards to the security or integrity of the electronic protected health information (e-PHI) they create, maintain or transmit, and to put into place appropriate safeguards to reduce the risk from those security threats. The requirements of the Security Rule were expanded by the HITECH Act to include business associates, defined as contractors and vendors of covered entities who create, transmit or maintain e-PHI. The risk assessment is also a core requirement for eligible providers and hospitals seeking payment through the Meaningful Use Program. 

The Security Rule allows covered entities and business associates flexibility in developing measures to meet the requirements of the standards and implementation specification including consideration of organization size and type, complexity of the technology and infrastructure, human element, infrastructure, and the cost of security measures. The starting point for determining what is appropriate and reasonable is by conducting a risk analysis of the systems and technologies that create, transmit or store e-PHI as part of a comprehensive process to safeguard the confidentiality, integrity and availability of patient data. 

The attraction to adding insurance against government fines and penalties from the guy who sells you a risk assessment product must be the implicit lack of confidence in the accuracy or quality of the identification and mitigation of the threats and vulnerabilities to your healthcare practice. But, government fines and penalties only represent a portion of the expense for the poor security practices that begin with a cut-rate information security risk assessment. There is the money you will spend to mitigate the harm from a security incident, like the costs attributable to complete state or federal mandated breach notification requirements; the human resources and business disruption to responding to the incident, replacing the compromised information assets; and, the loss of trust and goodwill of your customers and patients that entrusted your organization with its most sensitive and private information concerning their health and well-being.

Before gambling your business or healthcare practice, you should carefully consider how your approach to conducting an information security risk analysis stacks up. How can a two hour online survey adequately address the regulatory requirements and help organizations implement an ongoing risk management program? Does the process includes a strategic assessment leveraging technical testing, a physical survey, a programmatic gap analysis and policy review, and a formal risk analysis using the NIST 800-30 standard? Can the process collaborate with your team to prioritize and build effective remediation plans? Will the deliverables stand-up as supporting documentation in the event of an CMS Meaningful Use audit or OCR compliance review?

Sure, you can buy an online risk analysis that guarantees to insure you against the fines and penalties when the government determines your organization has not taken reasonable efforts to safeguard your PHI.  But its a sucker’s bet.