Articles | June 17, 2025

Beyond Mandates: The Importance of Protecting Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the HITECH Act that strengthens it are crucial laws that safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). While their importance as a legal mandate is undisputed, their relevance extends far beyond compliance.

The many reasons why the HIPAA Security Rule is vital for sponsors of group health plans and their participants include:

  • Protecting participant privacy
  • Maintaining data integrity
  • Ensuring data availability
  • Mitigating financial and reputational risks
  • Adapting to technological advancements

This article discusses when to conduct HIPAA security and HITECH risk assessments, particularly in light of two relatively recent trends that have created new IT risks as cybercrime continues to accelerate.

When to conduct a HIPAA security and HITECH risk assessment

The HIPAA Security Rule requires health plan sponsors (and other “covered entities”) to perform risk assessments periodically or in response to environmental or operational changes in the use of ePHI. While the rule does not specify what “periodic” means, industry best practices suggest that, in general, these risk assessments should be conducted at least every two or three years. They should also be conducted when an organization makes changes to its use of ePHI, such as implementing a new software system, increasing the use of mobile devices or replacing entity-owned computers.

For some organizations, it may be prudent to conduct a HIPAA security and HITECH risk assessment annually so that they can design and maintain a manageable, effective risk assessment schedule — especially considering proposed updates to the HIPAA Security Rule, published on December 27, 2024, which would require annual risk assessments, though these regulations have not yet been finalized. Additionally, the Department of Labor’s Cybersecurity Program Best Practices recommends annual risk assessments for ERISA plans.

This recommendation is especially relevant for health plan sponsors that significantly modified their IT operations in response to the COVID-19 pandemic. To ensure business continuity, many plan sponsors swiftly migrated to a cloud environment and/or quickly allowed and enabled people to work remotely.

Risks associated with the use of cloud-based technology

Transitioning to a cloud environment has offered organizations numerous benefits, including enhanced scalability, increased flexibility and cost efficiency. However, moving to the cloud rapidly without implementing robust security controls may have exposed organizations to several significant risks that can compromise participant privacy and result in legal repercussions and substantial financial penalties:

  • Ransomware
  • Data breaches (due to weak access controls, shared virtual infrastructure, etc.)
  • Lack of visibility into the environment (e.g., inadequate network mapping)
  • Shared responsibility confusion regarding HIPAA security (between the client and their cloud provider)
  • Other risks based on a lack of understanding or malicious activities

Cyberattacks are becoming increasingly sophisticated. Adequate protection requires proactive security measures: strong security controls such as multi-factor authentication and multi-tenancy access controls, end-to-end encryption, and a range of other administrative, technical and physical controls. Together, such controls mitigate these risks and safeguard ePHI.

Risks related to the shift to full or partial remote work

The shift to remote work has also introduced a host of IT security risks that cannot be ignored. Remote workers often rely on personal devices and home networks, which may lack the robust security measures, such as the security controls typically implemented within an organization's IT infrastructure. This can lead to higher susceptibility to phishing attacks, malware and other cyber threats that can compromise sensitive data.

Remote work environments also often lack the physical security controls present in traditional office settings. This means that devices containing sensitive information are at greater risk of theft or loss. To mitigate these risks, an effective security policy should include suggestions for protecting work devices in the home. It should also provide guidelines for securing devices, such as ensuring end-to-end encryption and remote wiping capabilities, among other remote management features.

The absence of a well-defined security policy can lead to inconsistent or lax security practices among remote workers. Without clear guidelines, people may follow varying procedures for handling sensitive information, increasing the likelihood of security gaps. Standardized security protocols are essential to ensure that all remote workers adhere to the same high standards of data protection.

Remediating any security gaps identified

If your organization conducted a HIPAA security and HITECH risk assessment in the last two to three years, it is time to re-evaluate how much progress has been made and re-assess. In theory, your organization addressed the security gaps identified during that assessment; doing so in a timely manner reduces actual cybersecurity risk from known vulnerabilities and exploits. Conversely, failing to do so can significantly increase the likelihood of data breaches.

Equally concerning is the potential for non-compliance with regulatory standards. HIPAA and HITECH set forth stringent requirements for the protection of ePHI. Neglecting to address identified IT gaps can result in non-compliance, inviting audits, fines and legal action, which can be financially crippling and damage your organization's credibility.

A final compelling consideration is the fact that the cost of reactive measures far outweighs that of proactive prevention. Addressing security incidents after they occur involves not only financial expenses, but also significant time and resources diverted from core business activities. Proactively implementing the necessary security protocols and measures identified in IT assessments is a crucial investment in safeguarding your organization's future stability and success.

Of course, this is easier said than done for organizations that have an IT function with limited resources that are already stretched thin ensuring operational continuity. Those organizations can seek assistance in managing remediation projects from IT professionals outside the organization who have relevant expertise and experience.

Need to conduct a HIPAA security and HITECH risk assessment or remediate identified gaps?

Segal’s Administration and Technology Consulting (ATC) Practice can help.

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.