HIPAA Compliance Review Program Launch


The Centers for Medicare & Medicaid Services (CMS) Division of National Standards, on behalf of the Department of Health and Human Services (HHS), is launching the HIPAA Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.

In April 2019, HHS will randomly select 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for HIPAA Compliance Reviews. Any health plan or clearinghouse—not just those who work with Medicare or Medicaid—may be selected. In 2018, HHS piloted the program with health plan and clearinghouse volunteers to streamline the process. In 2019, providers will be able to participate in a separate pilot program on a voluntary basis.

Moving forward, the Compliance Review Program will conduct periodic reviews with randomly selected entities to assess compliance.

Read the full Information Bulletin on the Go-to-Info page for more information, and watch for more Email Update messages with details about the program.

Interested in becoming HIPAA Compliant? We can help maintain your business posture. Check out our HIPAA Compliance service offerings. Contact us at 866-276-8309 or info@ehr20.com with any questions.

CMS, on behalf of HHS, is launching a HIPAA Compliance Review Program to ensure compliance with the administrative safeguards by covered entities.

Does my healthcare practice need to be HIPAA/HITECH certified?


We mentioned in an earlier blog post that we would get back to you about the HIPAA/HITECH “certification” question that a lot of healthcare practices are asking about. Certification by a third party is not required for Covered Entities and Business Associates, unlike PCI or ISO certification requirements. HIPAA/HITECH “certification” is not mandated in any way, and no one is authorized to provide HIPAA/HITECH certification per se. Rather, Covered Entities and Business Associates need to be compliant with the new omnibus HIPAA Privacy, Security and Breach Notification rules. This is very clearly stated on the HHS website: “A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.” If you want to learn more about HHS’s position on HIPAA certification, please see the following links:

http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html

http://www.techrepublic.com/article/industry-insiders-say-dont-bother-with-hipaa-certs/

The above discussion makes clear that there is no single certifying authority on HIPAA/HITECH rules. The assessment of HIPAA rules in your practice and the implementation of required remediation could technically be performed by anyone (with no prior qualification). However, the purpose and intent of the evaluation is twofold:

1) To genuinely secure patient data and put required processes in place to avoid legal issues

2) To handle an HHS Office for Civil Rights (OCR) audit request

To handle this HIPAA conundrum, we recommend having at least the initial HIPAA/HITECH assessment against the new rules conducted by an externally qualified organization. Use the same methodologies and processes used by the external organization to conduct your subsequent annual assessments. In addition, if there is any major scope change in terms of your IT infrastructure, a vendor upgrade or a new business introduction, have the assessment done by an external organization.

Only experience and industry knowledge will help apply the for your practice successfully.

There are quite a few organizations providing training and certification to acquire HIPAA expertise.  Firms can benefit from their workers completing one or more of the established credentials, including:

1) Healthcare Information Security and Privacy Practitioner by ISC2 (https://www.isc2.org/HCISPP/Default.aspx)

2) AHIMA certification page (https://www.ahima.org/certification-careers/get-certified/)

3) CompTIA (http://certification.comptia.org/getCertified/certifications/hittech.aspx)

No matter how you do your assessment, at least ensure you cover the following 3 aspects of the HIPAA/HITECH rules:

1) Conducting a thorough security risk assessment of all your technological assets

2) Updating your information security policy document

3) Providing awareness training to your staff

$800,000 HIPAA Settlement in Medical Records Dumping Case

Parkview Health System, Inc. has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).  Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program.  Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule.  In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.  On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

As a covered entity under the HIPAA Privacy Rule, Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

“All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said Christina Heide, acting deputy director of health information privacy at OCR.  “It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”

Parkview cooperated with OCR throughout its investigation. In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

To learn more about EHR 2.0 HIPAA Privacy, Security and Breach notification requirements, visit our service page:

http://ehr20.com/services/hipaa-hitech-compliance-assurance/

 

The Resolution Agreement can be found here:

Parkview HIPAA Settlement – Resolution Agreement from EHR 2.0

HIPAA compliance toolkit by HHS for Healthcare providers


A new security risk assessment (SRA) tool to help health care providers in small to medium sized offices conduct risk assessments of their organizations is now available from HHS. The SRA tool is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The application, available for downloading at www.HealthIT.gov/security-risk-assessment, also produces a report that can be provided to auditors.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems.  Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.

Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.

“Protecting patients’ protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations,” said Karen DeSalvo, M.D., national coordinator for health information technology. “The SRA tool and its additional resources have been designed to help health care providers conduct a risk assessment to support better security for patient health data.”

“We are pleased to have collaborated with the ONC on this project,” said Susan McAndrew, deputy director of OCR’s Division of Health Information Privacy. “We believe this tool will greatly assist providers in performing a risk assessment to meet their obligations under the HIPAA Security Rule.”

The SRA tool’s website contains a User Guide and Tutorial video to help providers begin using the tool. Videos on risk analysis and contingency planning are available at the website to provide further context.

The tool is available for both Windows operating systems and iOS iPads. Download the Windows version at http://www.HealthIT.gov/security-risk-assessment. The iOS iPad version is available from the Apple App Store (search under “HHS SRA tool”).

The ONC is committed to improving the SRA tool in future update cycles, and is requesting that users provide feedback.  Public comments on the SRA tool will be accepted at http://www.HealthIT.gov/security-risk-assessment until June 2, 2014.

10 Myths and Facts about HIPAA and Meaningful Security Risk Analysis

Conducting a security risk analysis to meet the standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. The following items address some of the common myths about conducting a risk analysis, and provide facts and tips that can help you structure your risk analysis process.

 

Myth 1: The security risk analysis is optional for small providers

Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth 2:  Simply installing a certified EHR fulfills the security risk analysis MU requirement

Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth 3: My EHR vendor took care of everything I need to do about privacy and security

Fact:  False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth 4:  I have to outsource the security risk analysis

Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Myth 5:  A checklist will suffice for the risk analysis requirement

Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth 6:  There is a specific risk analysis method that I must follow

Fact:  False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth 7:  My security risk analysis only needs to look at my EHR

Fact:  False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.  Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth 8:  I only need to do a risk analysis once

Fact:  False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Myth 9:  Before I attest for an EHR incentive program, I must fully mitigate all risks

Fact: False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) according to the timeline established in the provider’s risk management process, not the date the provider chooses to submit meaningful use attestation. The timeline needs to meet the requirements under 45 CFR 164.308(a)(1), including the requirement to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [45 CFR ]§164.306(a).”

Myth 10:  Each year, I’ll have to completely redo my security risk analysis

Fact:  False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of  participation in the program.

Source: CMS