Practice Types

Security Risk Analysis in a Critical Access Hospital: Small Staff, Full Scope

A Critical Access Hospital has 25 beds or fewer and the compliance surface of a hospital. HIPAA's scalability provision is real, and it is narrower than it is usually quoted: it lets a small hospital choose simpler security measures. It does not shrink the scope of the risk analysis, and it does not soften the standard the analysis is judged against. The CAH problem is the gap between a clinic-sized staff and a hospital-sized estate.

The short answer

Being small changes how a CAH implements controls. It does not change what has to be assessed. The rule attaches to the information, and a CAH holds ePHI in an inpatient unit, an emergency department that runs around the clock, a lab, an imaging suite, a pharmacy, and a biomedical estate, usually with one or two people covering all of it. Everything below follows from that.

What a CAH is, in CMS's terms

CAHs are a separate Medicare provider type with their own Conditions of Participation at 42 CFR Part 485 subpart F. To be designated by CMS as a CAH, a Medicare-participating hospital must, among other criteria:

  • Be located in a rural area or an area treated as rural, in a State with a Medicare Rural Hospital Flexibility Program, and be designated by the State as a CAH
  • Be located either more than 35 miles from the nearest hospital or CAH, or more than 15 miles in areas with mountainous terrain or only secondary roads (or hold a pre-2006 “necessary provider” designation)
  • Maintain no more than 25 inpatient beds that can be used for either inpatient or swing-bed services
  • Maintain an annual average length of stay of 96 hours or less per patient for acute inpatient care, excluding swing-bed services and distinct part unit beds
  • Furnish 24-hour emergency care services 7 days a week, and demonstrate compliance with the CAH Conditions of Participation

A CAH may also operate a psychiatric or rehabilitation distinct part unit of up to 10 beds each, and may be granted swing-bed approval to provide post-hospital skilled nursing care in its inpatient beds.

Read that list as a description of an IT estate rather than a payment category. Inpatients overnight. An emergency department at 3 a.m. Swing beds. Possibly a 10-bed psych unit. The nearest other hospital is 35 miles away, which is the entire point of the designation and also the reason downtime is not an inconvenience here.

The mismatch that causes the trouble

The recurring difficulty at a CAH is not sophistication. It is arithmetic.

A 12-provider clinic with 40 staff and a CAH with 40 staff have similar headcount and almost nothing else in common. The clinic runs an EHR, a practice management system, and some email. The CAH runs those plus a lab information system, imaging and PACS, a pharmacy system, telemetry, an emergency department workflow, dietary, materials management, swing-bed documentation, and a pile of connected medical equipment. It does all of it continuously, because it does not close.

So the CAH inherits a hospital's assessment scope and a clinic's capacity to perform it. That is a real constraint and it deserves a plain answer rather than a lecture. The plain answer is that the constraint changes the method and the sequencing. It does not change what is in scope.

What flexibility of approach does and does not do

The provision everyone reaches for is 45 CFR 164.306(b), and it is worth quoting rather than paraphrasing:

§ 164.306(b) Flexibility of approach. “Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.” In deciding which security measures to use, the entity must take into account “the size, complexity, and capabilities” of the entity; its “technical infrastructure, hardware, and software security capabilities”; “the costs of security measures”; and “the probability and criticality of potential risks to electronic protected health information.”

Notice what the sentence is about. It is about which security measures to use. A CAH can reasonably conclude that a full-time security operations center is not appropriate to its size and cost profile, and reach the same standard with different controls. That is the provision working as designed.

What the provision does not touch is the scope of the analysis. That comes from a different sentence:

§ 164.308(a)(1)(ii)(A) Risk analysis (Required). “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

There is no size qualifier in it. OCR's Guidance on Risk Analysis says the scope covers “all e-PHI that an organization creates, receives, maintains, or transmits” and that the analysis “should take into account all of its e-PHI, regardless of the particular electronic medium... or the source or location of its e-PHI.” The same guidance does acknowledge scale, and it is careful about where: it notes that small organizations tend to have more control within their environment and fewer variables, so the appropriate security measures may differ from those appropriate in large organizations. Again the scaling lands on the measures.

The distinction is worth holding onto because it cuts both ways. A CAH is not expected to buy what an academic medical center buys. A CAH is expected to know where its ePHI is.

The estate a 25-bed hospital runs

OCR's guidance requires, as a data collection step, that “an organization must identify where the e-PHI is stored, received, maintained or transmitted.” ONC's overview material for the federal assessment tool puts the practical version of it bluntly: “Regarding applications, be sure to look beyond just the EHR system,” and “ensure an inclusive scope.”

At a CAH the list past the EHR usually runs longer than expected:

AreaCommonly missed
Emergency departmentShared terminals, triage tablets, transfer paperwork to the receiving hospital 35 miles away
LaboratoryThe LIS, analyzer interfaces, and reference-lab result feeds
ImagingPACS, modality workstations, and portable units that cache studies on local storage
PharmacyDispensing cabinets and the pharmacy system, often vendor-managed
BiomedicalMonitors, pumps, and carts that store or transmit patient data and answer to clinical engineering or a contract, not to IT
Swing beds and distinct part unitsLong-stay documentation, sometimes in a separate application
Back officeBilling, transcription, fax servers, scanning of prior paper records, the shared drive nobody has audited
Clinics under the CAHProvider-based rural health clinics operating under the hospital's number, sometimes on their own systems

That last row is the one that most often gets missed. If the CAH operates provider-based clinics, their ePHI is held by the same covered entity, and it is in scope for the same analysis.

Physical safeguards in a building that never closes

45 CFR 164.310 sets four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. They are the standards a 24/7 rural hospital has the most trouble with, for reasons that have nothing to do with competence.

§ 164.310(b) Standard: Workstation use. “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

The physical attributes of the surroundings. In a CAH the surroundings are a small building where the registration desk, the ED, and the nurses' station may be within sight of one another and of the waiting room, where the night shift is two people, and where the badge reader on the server closet was installed in 2009 and the list of who can open it has never been pruned.

Facility access controls at 164.310(a) include maintenance records at 164.310(a)(2)(iv), which asks for documentation of repairs and modifications to physical components of a facility related to security, giving “hardware, walls, doors, and locks” as the regulation's own examples. All four facility access specifications are Addressable, which under 45 CFR 164.306(d)(3) means implement it if reasonable and appropriate, or document why not and implement an equivalent alternative measure where one is reasonable and appropriate. Addressable is a decision you write down. It is not a skip.

None of this is discoverable from a form. A questionnaire asks whether workstations are positioned to prevent unauthorized viewing, and someone types yes, and the answer is given in good faith by a person who has stopped seeing the room they work in every day. Somebody standing at the registration desk at shift change learns something different in five minutes. The distinction between an answer and an observation is the practical core of the physical safeguards, and it is why an analysis of 164.310 that never involved anyone walking the building is an analysis of the policy, not of the facility.

Who evaluates the person who wrote the policy

Alongside the risk analysis sits the Evaluation standard, and it names both halves of the job:

§ 164.308(a)(8) Standard: Evaluation. “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.”

OCR's guidance explains what the nontechnical half covers: vulnerabilities group into technical and non-technical, and “non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.”

At a CAH the security official under 164.308(a)(2) is frequently the IT director, and frequently also the person who wrote the policies, configured the systems, and will fill in the assessment. That is not a criticism of the individual. It is a structural observation: self-evaluation is the weakest form of evaluation available, and it gets weaker as the number of people who could contradict you goes to zero. Nothing in the rule prohibits it. It is simply worth being clear-eyed that an analysis performed, reviewed, and approved by one person has no independent check in it, and deciding deliberately whether that is acceptable for a given year.

The free federal tool, and its own caveat

ONC and OCR publish a free Security Risk Assessment Tool, and it is a reasonable starting structure for a small organization. Its documentation is candid about where it fits:

SRA Tool v3.6 User Guide, page 4. “The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.”

A CAH sits right on that line, which makes it a judgment rather than a rule. The guide's FAQ softens it usefully: the tool “was designed with small to medium sized practices in mind, but the content is still applicable to practices of all sizes,” while “large organizations may find other methods more suitable to conducting an SRA.”

Two further lines from the same guide are the ones worth pinning to the wall. First, “use of this tool is neither required by nor guarantees compliance with federal, state or local laws.” Second, and more useful: “this is only a tool to assist an organization with its review and documentation of its risk assessment, and therefore it is only as useful as the work that goes into performing and recording the risk assessment process.” The disclaimer also encourages “providers, and professionals to seek expert advice when evaluating the use of this tool.”

That is the government describing its own questionnaire as a container for work performed elsewhere. Completing it is not the assessment. The walking, the asking, and the looking are the assessment, and the tool is where the results get written down.

A practical shape for a CAH analysis

Given the constraint, a defensible CAH analysis tends to look like this:

  • Build the inventory first, and build it by walking. Ask each department head what holds patient data, then go and look, because the answer and the reality diverge most in the departments that were never asked. Clinical engineering usually holds a list IT has never seen.
  • Scope in the provider-based clinics and the distinct part unit explicitly, or state in the scope section why they are excluded. An unstated exclusion reads as an oversight later.
  • Do the physical walk once, properly, with someone writing things down. The 164.310 standards are the cheapest part of the rule to assess and the easiest to skip.
  • Get one set of eyes that did not build the environment onto the nontechnical half. That can be a peer from another facility, a state Flex Program resource, or outside help. The value is in the independence, not the invoice.
  • Write down what you did not do and why. A scope statement with honest boundaries is more defensible than one that implies total coverage it never had.

On timing, OCR's guidance is direct: “The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process.” The triggers the rule supplies are change-based, under 164.306(e) and 164.316(b)(2)(iii): a new system, a new service line, turnover in the person who knew how everything worked, or an incident. Many organizations also review annually as a backstop, which is sensible practice rather than a federal deadline.

One forward-looking note. Updates to the Security Rule have been proposed and have not been finalized. Proposed requirements are not binding, and nothing in this article depends on them. Everything above is current law today.

Common questions

Does a Critical Access Hospital get a smaller HIPAA risk analysis because it is small?

No. 45 CFR 164.306(b), the flexibility of approach provision, lets a covered entity use any security measures that reasonably and appropriately implement the standards, taking into account its size, complexity, and capabilities, its technical infrastructure, the costs of security measures, and the probability and criticality of potential risks to ePHI. That flexibility governs which security measures you choose. It does not shrink the scope of the analysis and it does not lower the standard at 45 CFR 164.308(a)(1)(ii)(A), which requires an accurate and thorough assessment of risks to the ePHI the organization holds. A 25-bed hospital may reasonably land on simpler controls than a 300-bed hospital. It still has to have looked at everything it holds.

Is a Critical Access Hospital a small practice for HIPAA purposes?

HIPAA does not use either category. The Security Rule applies to covered entities and business associates and scales by the factors at 45 CFR 164.306(b), not by a provider designation. The distinction matters practically because a CAH looks nothing like a clinic of comparable headcount. Under CMS criteria a CAH maintains no more than 25 inpatient beds, maintains an annual average length of stay of 96 hours or less for acute inpatient care, and must furnish 24-hour emergency care services 7 days a week. Inpatients, a 24/7 emergency department, a lab, imaging, a pharmacy, and often swing beds all generate ePHI in systems a clinic does not operate. The staff is small. The estate is not.

Can a Critical Access Hospital use the free federal SRA Tool?

It can, and the tool's own documentation is worth reading first. The SRA Tool v3.6 User Guide states that the target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations, and its FAQ notes that large organizations may find other methods more suitable to conducting an SRA. A CAH sits near that boundary, which is a judgment call rather than a rule. The same guide states that use of this tool is neither required by nor guarantees compliance with federal, state or local laws, and that it is only as useful as the work that goes into performing and recording the risk assessment process. It also encourages providers and professionals to seek expert advice when evaluating the use of this tool.

Who performs the risk analysis when the CAH has one IT person?

The Security Rule does not require an outside firm, and it does not require a dedicated security team. 45 CFR 164.308(a)(2) requires the organization to identify a security official responsible for the development and implementation of its required policies and procedures, and that role can be held alongside other duties. Two structural problems tend to appear at CAH scale regardless of who holds the title. The first is that 45 CFR 164.308(a)(8) requires a periodic technical and nontechnical evaluation, and the person who wrote the policies is poorly placed to evaluate whether they are followed. The second is capacity: a single administrator who keeps the hospital running has limited time to walk a 24/7 campus and inventory a biomedical estate. Neither problem is solved by the size of the organization, and both are reasons a CAH may choose outside help for part of the work while keeping the security official role internal.