The Risk of Sampling Care Delivery Locations for Your HIPAA SRA

The HIPAA Security Rule requires that Covered Entities and participating Business Associates perform an annual Security Risk Assessment (SRA) to demonstrate that they are taking steps to safeguard Protected Health Information (PHI).    

While conducting an SRA is a straightforward idea, how this applies to larger organizations with multiple care delivery locations can become challenging and expensive, which is why many entities turn to sampling to alleviate the SRA burden. 

Read on to learn the risks of sampling and other challenges that arise when large hospitals and health systems conduct their SRA. 

Exploring an SRA Challenge: M&A Growth 

Many healthcare organizations grow and change continuously by merging with other systems or acquiring operations (M&A). One prominent example of this is when two hospital systems merge into one corporate structure; another example is when a medical specialty practice (say orthopedics) decides to grow horizontally by acquiring multiple practices of the same specialty across a wider geographic area.   

In healthcare, we use the term Integrated Delivery Network (IDN) to describe an integrated health system meant to serve a patient’s total health needs with a hospital at the center combined with many pre-acute and post-acute facilities including ambulatory care, imaging, diagnostic facilities, urgent care, home care, hospice, etc. 

The Implication of M&A on the Security Risk Assessment Structure 

A healthcare organization that has grown through M&A has a corporate structure composed of numerous individual companies, even if they are wholly owned by one parent.  Each one of these individual companies has an individual tax identity, files for federal medical incentives separately (MIPS/MACRA), and files a separate tax return.  Because each individual company files for federal incentives, it also is required to file an individual HIPAA Security Risk Assessment (SRA). 

As a result, this HIPAA regulation could cause a mid-sized health system with owned physician practices and locations to produce and file 100 separate HIPAA Security Risk Assessments!   

Nationwide medical specialty groups, even those with hybrid corporate/franchise structures, face the same issue.  Because a HIPAA SRA requires a risk assessment of technical, physical, and administrative controls, the number of distinct control combinations and local circumstances that must be covered can quickly become very large.   

When you add to this that many HIPAA SRAs are performed with manual assessment services, the amount of time and resources needed to properly cover all locations can quickly become too costly to be feasible.  The HIPAA rule also requires that each entity that completes an SRA continuously updates the remediation status of security gaps that are addressed so that the entity’s current security posture is up to date. 

Why Healthcare Organizations Turn to Sampling

Healthcare organizations in this situation will often choose to address the cost problem by sampling a portion of their locations.   

As an example, if an IDN had 100 physician-owned practices, it may choose to perform a HIPAA SRA for 10% of its practices.  In our work with clients (before they start working with us), we see this challenge all of the time. 

While sampling a portion of practices is an expedient way to conserve resources, it leaves a system exposed to more liability than necessary.  If one of the unsampled practices is hacked or has a patient data leak, the liability faced by the health system will be comparable to that of a system that had no SRA completed!    

This can have serious consequences.  Hackers and data thieves do not cooperate; they get in and access wherever they can.  Sampling is a risky strategy when trying to manage cybersecurity risk – stay tuned for information on how to eliminate it!