[BreachExchange] 5 HIPAA Items that Practices Should Focus on in 2017
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Mar 9 19:33:31 EST 2017
http://www.hitechanswers.net/5-hipaa-items-that-practices-
should-focus-on-in-2017/
With all the recent turbulence in healthcare surrounding Meaningful Use,
ICD-10 and now the transition to the Merit-based Incentive Payment System,
HIPAA has flown under the radar, in a sense, for some practices. However,
in 2017 it’s important that practices make HIPAA compliance a priority.
Here are five things we covered in a recent webinar on what all practices
should focus on in regards to HIPAA compliance in 2017.
1. The recent focus of HIPAA audits by the HHS Office for Civil Rights
According to HHS, “HIPAA established important national standards for the
privacy and security of protected health information and the Health
Information Technology for Economic and Clinical Health Act (HITECH)
established breach notification requirements to provide greater
transparency for individuals whose information may be at risk.”
As an extension of the HITECH Act, the audit mandate exposed health care
providers that must adhere to HIPAA regulations to the possibility of being
audited for compliance, security and breach notifications.
The second round of HIPAA audits will measure the degree to which not only
practices but also covered entities such as health care providers and
insurance companies, in addition to their business partners and associates
are in compliance with HIPAA rules and regulations.
The recent focus of HIPAA audits by the HHS Office for Civil Rights means
your practice can no longer approach HIPAA as a “binder on the shelf.”
The Role of Meaningful Use in HIPAA Compliance
Meaningful Use and HIPAA are closely tied together. If you participated in
Meaningful Use, you had to check a box that said you are protecting your
electronic health information. However, many practices assume that by
conducting a security risk assessment, they are prepared for an audit by
HHS Office for Civil Rights.
A Meaningful Use audit usually means two things:
Show us your risk assessment (Core Measure 1)
Show us your Business Associate Agreements
Let’s discuss how each of these pieces of a Meaningful Use audit impacts
your practice’s HIPAA compliance efforts.
Why Conducting a Risk Assessment Isn’t Enough
When you check the box for Meaningful Use that says you did a security risk
assessment, there’s more to it. You simply will not pass an audit by just
checking this box. Here’s why.
This particular Meaningful Use Core Measure states that you must “Protect
electronic health information created or maintained by the certified EHR
technology through the implementation of appropriate technical
capabilities.” The measure goes on to state that practices must also
“conduct or review a security risk analysis in accordance with the
requirements under 45 CFR 164.308(a)(1) and implement security updates as
necessary and correct identified security deficiencies as part of its risk
management process.”
The part to focus on here is that you must “implement security updates as
necessary and correct identified security deficiencies as part of its risk
management process.”
Just performing a risk assessment isn’t enough. Once your risk assessment
is complete, you need to implement a corrective action plan.
Updated Business Associate Agreements (BAA)
Business Associates are vendors with which you share protected health
information. Examples of business associates would be your outside IT
companies, copier companies with a maintenance agreement, transcription
companies, or a medical billing service provider.
These organizations must have an updated BAA in place considering the
Omnibus final rule went into effect in September 2013. Make sure every BAA
is in place and has been updated with every business associate.
Satisfactory Assurance
Satisfactory Assurance is you gaining satisfactory assurance from your
vendors (that you’ve entered into a Business Associate Agreement with) that
they are capable of protecting the health information you share with them
by being HIPAA compliant. There are a few questions to ask your vendors
regarding this which we’ll talk more about in point #4 of this article.
When can my practice be audited?
So just how long can you expect to be audited for Meaningful Use? Typically
you can face a Meaningful Use audit for up to 6 years. If you have been
audited already, you are probably an early adopter of the Meaningful Use
attestation process.
Keep your documentation organized and ready in the case that you might
receive an audit.
2. The HIPAA Breach Notification Rule
If you are familiar with HIPAA at all, then you probably already know that
a breach or improper disclosure of protected health information needs to be
reported to the HHS Office for Civil Rights.
However, the Breach Notification Rule has changed. The Rule previously
stated that if 500 or more accounts have been improperly disclosed, then
the breach would need to be reported to Health and Human Services.
The Rule now states that every improper disclosure of protected health
information must be reported electronically to HHS Office for Civil Rights
within 60 days of the end of the calendar year in which that improper
disclosure took place.
3. How do I prepare my practice and where do I start with HIPAA Compliance?
Wondering how to get started with 1900 pages of HIPAA rules and
regulations? It doesn’t have to be complicated. Your practice should start
with an organization assessment.
An organization assessment helps you have a better understanding of where
your practice is sharing information with vendors, the technology you’re
using, policies and procedures, and physical attributes of your
organization. It also allows you to take a look at where your information
is, where you’re sharing it, and if there was a breach, it would allow you
to identify that very quickly and easily.
How does an organization assessment differ from a risk assessment?
An organization assessment is a much higher level of looking at HIPAA and
looks at each of the pieces required for HIPAA compliance.
These pieces would include:
Administrative Safe Guards: Policies and procedures, workforce training
Technology: How you are connected, safeguarding that information with
outside vendors, having termination checklists in place so that if someone
is no longer with your organization, you remove them from your EHR or your
network.
Physical Attributes: How are you protecting the physical infrastructure?
Meaningful Use risk assessment is very detailed, comes with a corrective
action plan, and the technology side is much more thorough and goes into
some of the technology pieces that need to be changed.
An organization assessment is a much higher level overview that gives you a
broad picture of where you are today.
4. Documentation
So we have talked a little bit about Business Associate Agreements and
Satisfactory Assurance but the fourth item to focus on is documentation.
Understand that a BAA is a contract between you and another organization
that you’re sharing health information with. Also, understand that there
could be requirements in a BAA that are not being met. It is not just a
standard document so keep in mind that a Business Associate Agreement is,
in fact, a contract.
Another important piece of HIPAA that you need to have documented is the
Satisfactory Assurance from your vendors’ compliance. This means you’ve at
least done your due diligence that your vendors can confirm they can
safeguard and protect the information you are sharing with them.
The Satisfactory Assurances must be documented through a written contract
of other written agreement or arrangement with the business associate.
A few questions to ask your vendors would be:
Have you implemented a risk assessment at your organization?
Do you have an incident response policy (IRP)?
Does your organization carry cyber liability insurance?
Documenting Your HIPAA Compliance Program
Keep in mind that HIPAA is no longer a “binder on the shelf” and your HIPAA
compliance program must be actionable. Make sure your compliance program is
understood, disseminated, and used so employees know what they should and
shouldn’t do.
Your workforce is your first line of defense in safeguarding information
that patients are entrusting you to keep safe.
5. HIPAA Compliance is Required for MACRA
It is vital to understand that HIPAA compliance is not optional, it is
required. HIPAA is required by Health and Human Services, and it is
required for you to participate in MACRA.
Since the Advancing Care Information category under the Merit-based
Incentive Payment System replaces Meaningful Use, you’re still going to see
a Security Risk Analysis as a required measure for your base score.
The Security Risk Analysis measure states that a practice must:
“Conduct or review a security risk analysis in accordance with the
requirements in 45 CFR 164.308(a)(1), including addressing the security (to
include encryption) of ePHI data created or maintained by certified EHR
technology in accordance with requirements in 45 CFR164.312(a)(2)(iv) and
45 CFR 164.306(d)(3), and implement security updates as necessary and
correct identified security deficiencies as part of the MIPS eligible
clinician’s risk management process.”
Conclusion
So to conclude, be sure to understand that a risk assessment once a year
doesn’t cover it.
A risk assessment is a snapshot; it is a moment in time. Technology changes
all the time and performing a risk assessment is required at least two
times a year. The first time being to identify the risk and the second time
would be after you remediate those risks. The 2nd risk assessment will help
you determine if those risks were remediated correctly or if they still
exist.
Performing a risk assessment twice a year is the bare minimum. Keep in mind
that if you have a significant change in personnel, that would warrant
another risk assessment or if you adopt a new technology or change
locations, then you should be performing another risk assessment.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170309/08b92f6f/attachment.html>
More information about the BreachExchange
mailing list