Eye on Ethics: How to Conduct Confidentiality Risk Assessments
By now, social workers are generally familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which provides strict data privacy and security provisions to safeguard protected health information (PHI). Beyond the well-known HIPAA basics, however, are myriad—and vitally important—details that are less familiar to many social workers.
For example, there is the risk analysis requirement related to electronic records, which are now prevalent in social work settings. According to HIPAA, organizations (covered entities) that fall under HIPAA must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
Risk management is the process used to identify and implement security measures to reduce risk to a reasonable and appropriate level within the covered entity based on the organization’s circumstances.
Elements of a Risk Analysis and Assessment
Conducting a security risk analysis is consistent with standard 1.07(m) in the NASW Code of Ethics, which was added in 2017 to address complex technology-related issues that have emerged in recent years: “Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.”
Conducting a risk analysis is also consistent with provisions in Standards for Technology in Social Work Practice (2017), which was jointly adopted by NASW, the Association of Social Work Boards, the Council on Social Work Education, and the Clinical Social Work Association.
Experts advise that organizations and practitioners that undertake a risk analysis and assessment ask several key questions, including the following:
• Have you identified the electronic (e-PHI) within your organization? This includes e-PHI that you create, receive, maintain, or transmit.
• What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain, or transmit e-PHI?
• What are the human, natural, and environmental threats to information systems that contain e-PHI?
Organizations can use the results of their security risk assessment to design appropriate personnel screening processes, identify what data to back up and how, decide whether and how to use encryption, address what data must be authenticated in particular situations to protect data integrity, and determine the appropriate manner of protecting health information transmissions.
According to NIST, risks to be aware of include unauthorized (malicious or accidental) disclosure, modification, or destruction of PHI; unintentional errors and omissions; disruptions to information technology due to natural or human-made disasters; and failure to exercise due care and diligence in the implementation and operation of the agency’s information technology system.
Ideally, a comprehensive security risk assessment focuses on two key issues: vulnerability and threat. According to NIST, vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. Vulnerabilities may be grouped into two general categories: nontechnical and technical. Nontechnical vulnerabilities may include ineffective or nonexistent policies, procedures, standards, or guidelines to protect e-PHI. Technical vulnerabilities may include holes, flaws, or weaknesses in the development of information systems or incorrectly implemented and/or configured information systems.
NIST further states that e-PHI threats entail the potential for a person or some external entity to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories, which can occur in health and human service agencies, include the following:
• Natural threats such as floods, earthquakes, tornadoes, and landslides.
• Threats that are enabled or caused by humans, including intentional (eg, network and computer-based attacks, malicious software upload, and unauthorized access to e-PHI) and unintentional (eg, inadvertent data entry or deletion and inaccurate data entry) actions.
• Environmental threats such as power failures, pollution, chemical spills, and liquid leakage.
A Risk Assessment Protocol
Key steps involve the following:
Collect data. An organization should identify where its e-PHI is stored, received, maintained, and transmitted. An organization could gather relevant data by reviewing past and/or existing projects, performing interviews, reviewing documentation, or using other data gathering techniques.
Identify and document potential threats and vulnerabilities. Organizations should identify and document reasonably anticipated threats to e-PHI. Organizations should also identify and document vulnerabilities that, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.
Assess current security measures. Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the HIPAA Security Rule are already in place, and whether current security measures are configured and used properly.
Determine the likelihood of threat occurrence. HIPAA requires organizations to consider the probability of potential risks to e-PHI. The results of this assessment, combined with the initial list of threats, will influence the determination of the threats HIPAA requires protection against because they are “reasonably anticipated.”
Determine the potential impact of threat occurrences. HIPAA also requires consideration of the impact of potential risks to confidentiality, integrity, and availability of e-PHI. An organization must assess the magnitude resulting from a threat triggering or exploiting a specific vulnerability.
Determine the level of risk. Organizations should assign risk levels for all threats and vulnerabilities identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and its resulting impact.
Periodic review and updates. The security risk analysis process should be ongoing. For an entity to update and document its security measures “as needed,” as HIPAA requires, it should conduct continuous risk analysis to identify when updates are required. The HIPAA Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency will vary among organizations (eg, annual, biannual, or every three years) depending on circumstances.
Social workers have always understood the critical importance of client privacy and confidentiality, especially as it relates to protecting client records. When many social workers started their careers, electronic records did not exist. Today, they are the norm.
The advent of HIPAA raised social workers’ legal obligations to a new level. In addition to understanding the law’s broad requirements, social workers should drill more deeply to fully understand its lesser-known provisions regarding privacy and confidentiality risk assessments.
— Frederic G. Reamer, PhD, is a professor in the graduate program of the School of Social Work at Rhode Island College. He is the author of many books and articles, and his research has addressed mental health, health care, criminal justice, and professional ethics.