Conduct a Security Analysis for Your Practice
The first step to ensuring your patients’ ePHI is secure is assessing your office’s HIPAA compliance.
By Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB
Prior to the HIPAA Security Rule, a generally accepted set of security standards to govern electronic protected health information (ePHI) didn’t exist. Today, all covered entities, including small health plans, are required to comply with the Security Rule. To ensure compliance with HIPAA security standards, start by assessing how ePHI is handled in your practice.
HIPAA Security Rule Risk Assessment
One major difference between the HIPAA Privacy Rule and the Security Rule is that the Security Rule applies only to ePHI, which includes information that is created, received, maintained, transmitted (e.g., over the Internet), or stored electronically on a computer hard drive or removable disk. The Security Rule does not cover PHI stored on paper or communicated verbally.
The Security Rule requires covered entities (including physician practices) to have in place appropriate administrative, technical, and physical safeguards to protect ePHI against intentional or unintentional use or disclosure.
Meaningful Use Security Assessment
Physician practices are also faced with ensuring ePHI security if participating in either the Medicare or Medicaid Electronic Health Records (EHR) Incentive Program. The meaningful use core objective to which I refer requires participating practices to secure ePHI created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. As part of its risk management process, an organization must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates, as necessary, and correct any identified security deficiencies.
The meaningful use requirements are not intended to supersede or substitute compliance required under HIPAA. As a covered entity, you’re still required to comply with the HIPAA Privacy and Security Rules. The section of the Code of Federal Regulations cited in the meaningful use core objective refers back to the HIPAA regulations.
The question then becomes: What action is required to adequately comply with both the HIPAA Security Rule and the meaningful use requirements associated with EHR incentive payments?
In a nutshell: If you are in compliance with the HIPAA Security Rule, you should be able to attest to meeting the meaningful use core objective for security of ePHI.
Risk Assessment Requirements
The Security Rule has detailed instructions for implementing safeguard standards. Each standard may be either required or addressable. (Table 1 shows some of the administrative safeguards standard, with the implementation specifications noted as either (R) Required or (A) Addressable).
When a standard is addressable, your practice must assess whether it’s a reasonable and appropriate safeguard in your environment. This involves analyzing the specification in regards to the likelihood of protecting your ePHI from reasonably anticipated threats and hazards. If your practice chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure.
Two required standards in the administrative safeguard section are: (1) conduct a risk analysis; and (2) implement a risk management plan. Together, these two standards form the foundation upon which you build necessary security protections.
A risk assessment helps organizations ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The required risk analysis and risk management implementation specifications serve as the foundation for your practice’s overall HIPAA compliance program.
- Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
- Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply.
The Office of Civil Rights (OCR) has published extensive reports, guides, and tools to help organizations of all sizes comply with the HIPAA Security Rule. They are available on the U.S. Department of Health & Human Services website.
In addition, the Health IT website provides an interactive tool any organization may use to complete a security risk assessment. Although the tool allows the information to be entered online, you may find it easier to download the requirements.
While on the Health IT website, be sure to download a copy of Guide to Privacy and Security of Health Information (www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf). This guide provides an excellent overview of what is required for both the Privacy and Security Rules.
The Cost of Noncompliance
Neither the Security Rule nor meaningful use mandates for physician practices to use a particular tool. The HIPAA Security Rule is clear that the standards are scalable and flexible; however, the penalties for noncompliance are substantial.
Under HIPAA, penalties start at $100, per violation, and can grow to an annual maximum fine of $1.5 million, contingent on the type of the violation and whether the violator acted unknowingly or deliberately. Another factor in the penalty calculation is whether the violator became aware of the violation and implemented corrective action in a timely manner. The penalty under meaningful use is a total payback of any incentive funds received through the program.
Take That First Step to Compliance
Your practice is ultimately responsible for conducting a risk assessment. Although the task may appear overwhelming, it’s obtainable. To tackle it, appoint a team that includes your practice administrator, a physician representative, and one or two staff members (perhaps the billing manager or front desk person). Set aside an hour or two each week to go through the administrative, technical, and physical standards and implementation specifications. Before you know it, the risk assessment will be completed.
Unfortunately, this task is not a “once and done” requirement. Provisions in both meaningful use and the Security Rule require you to perform reviews at least annually, and whenever there has been a change in your practice. Changes that may affect the security assessment and require an update include implementing new technology that accesses PHI, entering into a joint venture or merger with another practice, and moving to a new facility.
Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB, has 35 years of healthcare finance, operations, and compliance experience. A national speaker and author, her unique style is to bridge the regulatory requirements with the practical realities of day-to-day operations. Derricks has provided numerous expert reports and testimony regarding Medicare, Medicaid, and third-party payer regulations with an emphasis on coding, billing, and reimbursement rules. She serves as the vice president, regulatory affairs at Anesthesia Business Consultants, and is a member of the Ann Arbor, Michigan, local chapter.