Senior Living Alert: HIPAA Security Rule Compliance for Senior Living Facilities

July 26, 2024

The U.S. Cybersecurity & Infrastructure Security Agency has deemed healthcare entities “target rich, cyber poor,” meaning they hold copious amounts of consumer and patient data but often lack the cybersecurity resources to protect those data. With a recent uptick in the number of cyber incidents targeting healthcare providers across the care spectrum, state and federal regulators expect companies to be prepared for such events. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has increased its enforcement efforts against organizations that suffer data breaches, and plaintiffs are bringing actions at the state level seeking to recover damages for such incidents.

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (together, HIPAA), imposes a minimum level of security standards by requiring Covered Entities and their Business Associates to implement policies and procedures to prevent, detect, contain and correct security violations. HIPAA Covered Entities must, at a minimum, follow the HIPAA Security Rule, which requires Covered Entities to “periodically” perform a security risk assessment (SRA), adapted to the size and sophistication of the entity. While the general approach is to perform one annually, some organizations do so every two or three years.

Is Your Senior Living Facility a HIPAA Covered Entity?

HIPAA Covered Entities include health plans, healthcare clearinghouses or healthcare providers that transmit health information electronically in conjunction with certain healthcare transactions, such as submitting claims to payors. The definition of “healthcare provider” is broad and includes any provider of medical or other services that is paid for such services in the normal course of business. Most long-term care and post-acute care and many assisted living facilities fall within this definition. Independent living facilities that have an on-site medical facility that bills third-party payers, such as Medicare or Medicare supplemental plans, also will likely be a HIPAA Covered Entity.

What Is a Security Risk Assessment?

An organization undertaking a risk assessment must thoroughly evaluate the risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). Larger entities with resources may engage a third party to perform the assessment. Small and medium entities may consider using the SRA tool developed by the Office of the National Coordinator for Health Information Technology and OCR, available on the HealthIT.gov website.

After completing a security risk assessment, entities must implement security measures sufficient to reduce the risks and vulnerabilities identified to a reasonable and appropriate level. Risk mitigation is an ongoing effort, and organizations should develop a living risk-management plan based on the results of each assessment, adapting the plan as risks change throughout the organization’s life cycle. If an organization fails to perform a risk assessment and/or implement security measures and suffers a breach of ePHI, it may be subject to increased scrutiny and fines.

Tips for Performing an SRA

While the frequency of performing a risk assessment should be based on the Covered Entity’s internal policies and procedures, organizations should consider performing one at least annually. OCR suggests organizations ask the following questions to identify potential security risks:

  • What type of ePHI does your organization create, receive, maintain or transmit, and where does it reside? Understanding the data map and how data flows within the organization is critical for identifying potential vulnerabilities and risks.
  • What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI? As an organization builds relationships with outside users, leverage those relationships to ensure ePHI is transmitted safely.
  • What are the human, natural and environmental threats to information systems that contain ePHI? After identifying the threats to the ePHI an organization stores or transmits, address and resolve them.

Using the SRA tool helps organizations identify risks, document those risks in one central location and evaluate how risks change as the organization grows between SRAs. The SRA tool also provides a road map for documenting the security measures necessary to address identified risks and vulnerabilities as they change over time.

Smaller senior living facilities that also are HIPAA Covered Entities are not exempt from the HIPAA Security Rule. OCR has demonstrated its willingness to hold smaller organizations accountable for breaches of PHI if they have not implemented appropriate security standards, including the use of an SRA.

For questions about SRAs and HIPAA compliance for senior living facilities, contact one of the authors.
