Do State Plans Have the Same Reporting and Recordkeeping Requirements as Federal OSHA?

As of January 1, 2015, establishments located in states under federal OSHA jurisdiction began complying with the new reporting and recordkeeping requirements. By June 1, 2015, establishments located in OSHA-approved State Plans reviewed their current reporting and recordkeeping requirements to determine how they compared to federal OSHA, and began the process of: adopting OSHA's new reporting requirements, retaining their current reporting requirements if they were at least as effective as OSHA's, or adopting more stringent reporting requirements. For more information on a specific State Plan, visit the Office of State Programs' webpage and click on a state or U.S. territory highlighted in blue or gray located on the U.S. map.

Can State Plans Impose Higher Fines and Stricter Penalties than OSHA?

Yes. State Plans have their own penalty reduction policies and procedures, which may differ from OSHA's but must be deemed at least as effective. All State Plan policies and procedures related to penalties must be submitted to and reviewed by OSHA. State Plans also have their own system for review and appeal of citations, penalties, and abatement periods. The procedures are generally similar to OSHA's, but cases are heard by a state review board or equivalent authority.

How Do I File a Workplace Safety and Health Complaint in a State Plan?

Workers have the right to a safe workplace. The Occupational Safety and Health Act of 1970 (OSH Act) was passed to prevent workers from being killed or seriously harmed at work. The law requires employers to provide their employees with working conditions that are free of known dangers. The OSH Act created the Occupational Safety and Health Administration (OSHA) which sets and enforces protective workplace safety and health standards. To help assure a safe and healthful workplace, OSHA also provides workers with the right to:
  • Ask OSHA to inspect their workplace;
  • Use their rights under the law without retaliation and discrimination;
  • Receive information and training about hazards, methods to prevent harm, and the OSHA standards that apply to their workplace. The training must be in a language you can understand;
  • Get copies of test results done to find hazards in the workplace;
  • Review records of work-related injuries and illnesses;
  • Get copies of their medical records.
In addition, OSHA provides information, training, and assistance to workers and employers. Workers may file a complaint to have OSHA inspect their workplace if they believe that their employer is not following OSHA standards or that there are serious hazards. Contact the OSHA office nearest you by calling OSHA's toll free number: 1-800-321-OSHA (6742) or TTY 1-877-889-5627 if you have questions or want to file a complaint. All information will be kept confidential. For more information, go to OSHA's Workers page.

Who is responsible for paying the on-site HIPAA auditors?

The Department of Health and Human Services is responsible for the on-site auditors. Neither covered entities nor their business associates are responsible for the costs of the audit program.

Will the Phase 2 HIPAA audit cover state-specific Privacy and Security Rules in addition to HIPAA’s Privacy, Security, and Breach Notification Rules?

No, the scope of the audit program does not extend beyond the Privacy, Security, and Breach Notification Rules.

Will the Phase 2 HIPAA audit differ depending on the size and type of participants?

The audit protocols are designed to work with a broad range of covered entities and business associates, but their application may vary depending on the size and complexity of the entity being audited.

How will consumers be affected by the Phase 2 HIPAA audit?

The audit program is an important tool to help assure compliance with HIPAA protections, for the benefit of individuals. For example, the audit program may uncover promising practices or reasons health information breaches are occurring and will help OCR create tools for covered entities and business associates to better protect individually identifiable health information. Concerns about compliance identified and corrected through an audit will serve to improve the privacy and security of health records. The technical assistance and promising practices that OCR generates will also assist covered entities and business associates in improving their efforts to keep health records safe and secure. During the audit process, OCR will continue to accept complaints from individuals and to launch compliance reviews where warranted; covered entities and business associates’ compliance obligations remain in full effect.

What happens after the Phase 2 HIPAA audit?

Audits are primarily a compliance improvement activity. OCR will review and analyze information from the final reports. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, we will abide by the FOIA regulations.

What is the general timeline for the Phase 2 HIPAA audit?

In the coming months, OCR will notify the selected covered entities in writing through email about their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. In addition, the letter will include initial requests for documentation. OCR expects covered entities that are the subject of an audit to submit requested information via OCR’s secure portal within 10 business days of the date on the information request. All documents are to be in digital form and submitted electronically via the secure online portal.

After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity. While conducting desk audits of covered entities, OCR will replicate the notification and document request process for initiating desk audits of selected business associates. OCR will share a copy of the final report with the audited business associate. Similarly, entities will be notified via email of their selection for an onsite audit. The auditors will schedule an entrance conference and provide more information about the onsite audit process and expectations for the audit. Each onsite audit will be conducted over three to five days onsite, depending on the size of the entity. Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules. Like the desk audit, entities will have 10 business days to review the draft findings and provide written comments to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.

What if an entity doesn’t respond to OCR’s requests for the HIPAA audit?

If an entity does not respond to requests for information from OCR, including address verification, the pre-screening audit questionnaire and the document request sent to selected entities, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

How will the Phase 2 HIPAA audit program work?

OCR plans to conduct desk and onsite audits for both Covered Entities and their Business Associates. The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016.

The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit. The audit process will employ common audit techniques. Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter. Audited entities will submit documents online via a new secure audit portal on OCR’s website. There will be fewer in-person visits during these Phase Two audits than in Phase One, but auditees should be prepared for a site visit when OCR deems it appropriate. Auditors will review documentation and then develop and share draft findings with the entity. Auditees will have the opportunity to respond to these draft findings; their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings.

How will the selection process work for the Phase 2 HIPAA audit?

Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to Covered Entities and Business Associates. As a part of the pre-audit screening questionnaire, OCR is asking that entities identify their business associates. We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request. OCR will conduct a random sample of entities in the audit pool. Selected auditees will then be notified of their participation.

If a Covered Entity or Business Associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

What is the basis for being selected for the Phase 2 HIPAA audit?

For this phase of the audit program, OCR is identifying pools of Covered Entities and Business Associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry, factoring in the size, types and operations of potential auditees. Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

Who will be audited in the HIPAA Phase 2 audit?

Every Covered Entity and Business Associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. OCR expects Covered Entities and Business Associates to provide the auditors their full cooperation and support.

When will the HIPAA Phase 2 audits commence in 2016?

Phase Two of OCR’s HIPAA audit program is currently underway. OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR (OSOCRAudit@hhs.gov).

What happens when my Business Associate has a breach incident?

If there is a breach, it is the responsibility of the covered entity to work with its BA and assess the damage. The necessary steps should then be taken to resolve it.

Our practice shares patient information with our referral doctors. Should we have a signed BA contract with all our referral doctors?

No. If the patient information is shared purely for treatment purposes, there is no need for a BA contract between the parties.

A software company that my organisation uses is a self-certified HIPAA-compliant facility. Should I still have a BA contract signed with them?

Yes. Since they are handling your ePHI data, federal regulations require you to have a BA contract with them.

Our practice accepts patients from both private insurance payers and government health plans. Should I have BA contracts with these payers and health plan providers?

No, you do not need a BA contract with these entities. If the patient information is shared purely for treatment purposes, there is no need for a BA contract between the parties. However, if you use any service providers for your claims and processing, you need to have a BA contract signed with those entities.

Should I have a BA contract with every business that my organisation uses?

No. There are exceptions to whom you need a BA agreement with. Service providers such as janitorial or electrical contractors do not need to sign a BA contract with you.

Should I have a legal contract with my BA to protect the ePHI data residing with them?

Yes. HIPAA/HITECH regulations require that you have a contractual agreement with your BA in order to protect the data they hold. Experts at EHR 2.0 can help you with such contracts. You can reach us at info@ehr20.com.

What are the responsibilities, obligations and duties of a business associate?

  • Must comply with the HIPAA Privacy, Security and Breach Rules
  • May not use or disclose PHI
  • Minimum necessary use
  • Direct civil and criminal liability

Can you provide examples of relationships that are not business associate relationships?

If PHI is shared for treatment purposes, it is not considered a business associate relationship:
  • Physician Services
  • Nursing Services
  • Laboratory Services
  • Radiology Services
  • Physical Therapy
  • Occupational Therapy
  • Bank Services
  • Courier Services

Can you provide examples of a business associate?

  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.

Who is a business associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

How long will my audit last?

OCR expects the covered entities to submit the requested papers to the auditors within 10 business days of notification. OCR will then notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

What happens when you disagree with audit findings?

OCR is getting stricter with its enforcement in the coming years. Covered entities can contest the auditors’ findings, but non-compliance with federal regulations is a tough case to win.

What happens when you agree with audit findings?

After the initial assessment, auditors will provide the covered entities with a final draft. Covered entities will have 10 days to work on corrective action and submit written comments to the auditors. Auditors will then provide the findings to OCR.

What if I can’t locate some of my records?

Upon completion of the initial audit phase, covered entities get 10 days to work on any remediations. If you are still unable to locate the records, penalties will apply depending on the severity of the missing record.

How long should I retain my paperwork and records?

A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the HIPAA Privacy and Security Rules. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments. Additionally, a covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information.

How do I know which documents and records are required for my audit?

The audit notification letter will indicate the documentation requirements. In general, auditors will look for all the policies, procedures and documents related to the Physical, Technical and Administrative safeguards.

How do I know who to contact?

The audit notification letter will have the contact information of the auditor for your organisation and the method of contacting them.

What am I being audited on?

As a covered entity, you will have auditors analyzing your processes, controls, and policies with regard to the HIPAA/HITECH Security, Privacy and Breach Notification Rules.

What responsibilities do you and the auditor have during an audit?

The audit program represents one more avenue by which OCR ensures compliance with HIPAA protections of health information to the benefit of consumers. So, you and your organisation have the responsibility to cooperate during the audit and to answer all the questions that are asked of you with regard to the audit. The Department has entered into a contract with the audit contractor to conduct the audits on its behalf, so you are not responsible for remuneration of the auditing firm. The auditors have the responsibility of keeping to the scope of the audit program, not going beyond the Privacy, Security, and Breach Notification Rules.

What rights do you have during an OCR/HHS audit?

Although the exact rights of covered entities are not stated clearly, from the pilot audit conducted in 2012 we can conclude that no third-party audit service providers are allowed to assist during the process. If such service providers are part of your regular operations, then they can assist the auditors. If a covered entity would prefer to have its attorney present during the process, it can use their services as well.

What should you do if you receive a letter notifying you of an audit?

If your organisation is selected, you will need to provide documentation of your privacy and security compliance efforts, as requested in the letter, within the time specified in the letter. You will be notified of the audit representative and their contact information, along with the time frame for the audit, the audit process and the expectations during the audit, so that you can prepare for the process.

How does HHS notify healthcare organizations of an audit?

If your organisation is selected for an audit, you will receive a notification letter by mail. A sample letter is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf

What is the definition of an OCR/HHS audit?

OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

MU Measure 15 security risk assessment: does CMS require remediation in the same attestation period?

It is good to show at least a few of the remediation actions taken during the attestation process. Though not a requirement for MU attestation, an OCR/HHS audit will fine the covered entity if it has not taken any measures to close the gap.

If I comply with meaningful use requirements, am I HIPAA/HITECH compliant?

No. Meaningful use requirements are federal initiatives to adopt EHR systems, and the incentive program applies to the covered entities that accept Medicaid and Medicare patients. You can get more information on that at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html. HIPAA/HITECH requirements apply to all healthcare providers and their Business Associates. You can get more information at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html

Does a covered entity have to have the right to audit a business associate directly?

As per the contractual agreement between the CE and BA, CEs can audit their business associates. Any breach by a BA will affect the CE. However, CEs cannot force BAs to audit their facilities. A BA that does not cooperate with an audit is a red flag, and the business relationship should be revisited.

Do you have to have the meaningful use security risk assessment completed before starting the 90-day attestation period?

It is a BEST PRACTICE to get the security risk assessment done before your attestation period. You can provide the evidence of mitigating any risks identified in the assessment during the 90-day attestation period.

What is the difference between HIPAA Privacy and Security?

The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.

Where can I get help or more information?

You can get more information from HHS (Health and Human Services) at http://www.hhs.gov/. For any specific question or service request, feel free to contact us at info@ehr20.com.

How does HHS enforce HIPAA/HITECH Compliance?

The American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR performs audits of covered entities to assess privacy and security compliance. For more information about the program visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.

How often should security compliance be reviewed?

The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information. Typically, depending on your organization’s size, a review once every 6 months is recommended. Also, if there is any major change in process flow, technology setup, staff, etc., it is wise to review it.

What if “Addressable” standards are not applicable to the covered entity’s environment?

Document why it is not applicable and implement an equivalent alternative measure if reasonable and appropriate.

What are “Addressable” standards in HIPAA/HITECH rule?

If the standard is stated as “Addressable”, the covered entity must assess whether the implementation specification is reasonable and appropriate in its environment with reference to e-PHI. If applicable, then take measures to implement it.

What are “Required” Standards under HIPAA/HITECH rule?

If the standard is stated as “Required”, a covered entity MUST comply with that standard.

What are “Implementation Specifications” in HIPAA/HITECH rule?

While “Standards” define what a covered entity must do, “Implementation Specifications” describe how it must be done. There are two types of specifications: those that are “required” and those that are “addressable”.

What are “Standards” under HIPAA/HITECH rule?

A standard is a provision of the Security Rule that all CEs and BAs must comply with, specifically with respect to ePHI; there is no exception. There are 18 standards in the Security Rule.

How does complying with HIPAA/HITECH regulations benefit my practice?

Complying with HIPAA/HITECH regulations is a federal mandate. Besides that, ensuring the privacy and security of electronic health information is a key component in building trust with patients, other providers and other business partners. If individuals and other participants in a network lack trust in the electronic exchange of information, due to perceived or actual risks to such information, it may affect their willingness to disclose necessary health information and could affect business growth.

Who are “Business Associates”?

The term "business associates" refers specifically to a person or organization that conducts business with the covered entity that involves the use or disclosure of individually identifiable health information. Business associates include those that perform services on behalf of the covered entity, such as claims processing, data analysis, utilization review, and billing, or provide services to the covered entity, such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. To be a business associate under the definition, the work of an organization must deal directly with the use or disclosure of protected health information. Additionally, the HITECH Act also specifies that an organization that provides data transmission of PHI to a covered entity and requires routine access to PHI will be treated as a business associate.

Who must comply with HIPAA/HITECH Rules?

All covered entities must comply with the HIPAA/HITECH Rules. In general, the standards, requirements, and implementation specifications of HIPAA apply to the following entities:
  1. A Health Care Provider
  2. A Health Plan
  3. A Health Care Clearinghouse
  4. Business Associates

What is the exact requirement related to privacy and security of stage 1 of Meaningful Use?

Core objective # 15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Under the HIPAA Security Rule, you are required to implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308).

What is the scope of this security risk analysis?

The scope of risk analysis that the HIPAA security rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

Is the security risk analysis optional for small providers?

No. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Can only the designated security and privacy officer conduct the risk analysis?

No. Your security officer should be able to work effectively with others to safeguard patient information. At various times, the officer will need to coordinate with your privacy officer (if a different person), practice manager, IT administrator or consultant, and your EHR vendor.

Does simply installing a certified EHR fulfill the security risk analysis MU requirement?

No. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Certification does not guarantee performance or reliability of these security functions.
• The security functions may be “off” or the settings could be at a suboptimal level, either of which can create vulnerabilities.
• You and your staff should become familiar with the security settings in your EHR. Most of these are accessible to whoever has administrator privileges. Learning how to configure these settings, for example, will help when staff leave or join your practice. While nationally accepted standards on these configurations have not yet been developed, there are industry best practices. Your health information organization that facilitates electronic exchanges may have specific requirements.
• Your risk analysis should specifically examine the adequacy of your EHR security safeguards as it transmits, stores, and allows modifications to protected health information.

Do I have to outsource the security risk analysis?

No. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Why do you need to select qualified professional to conduct security risk analysis?

Your security risk analysis must be done well, or you will lack the information necessary to effectively protect patient information. Note that doing the analysis in-house may require an upfront investment in developing a staff member’s knowledge of HIPAA and electronic information security issues. Use this opportunity to have your staff learn as much as possible about health information security. You, however, can conduct the risk analysis yourself. Just as you contract with professionals for accounting, taxes, and legal counsel, so, too, outsourcing the security risk analysis function can make sense. If you do outsource this to a professional, a qualified professional’s expertise and focused attention will yield quicker and more reliable results than if your staff does it piecemeal over several months. The professional will suggest cost-effective ways to mitigate risks so you do not have to do the research and evaluate options yourself.

Can I just use a checklist as a security risk analysis?

It depends. Have your security officer or security risk professional performing the risk analysis use a checklist to get a preliminary sense of potential shortcomings in how your practice protects patient information. A single checklist does not fulfill the security risk analysis requirement, but the checklist will help everyone get ready for needed improvements.

Do I need to document risk analysis in a particular format?

No. Document your process, findings, and actions in whatever format works for you, as long as it is efficient. Your documentation should consist of:
• Completed checklists
• Security risk analysis report
• Risk management action plan

Will a simple checklist suffice for the risk analysis requirement?

No. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Is there a specific risk analysis method that I must follow?

No. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Is the scope of my security risk analysis only my EHR?

No. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Do I only need to do a risk analysis once?

No. To comply with HIPAA and the MU incentive program, you must continue to review, correct or modify, and update your security protections at least every year.

Is there any difference between the requirement of Core Measure 15 and the existing HIPAA regulations that providers and practices should have been compliant with over the next few years?

No. CMS has stated that it is not using the meaningful use criteria to introduce any new security requirements, so this should be nothing new to anyone. Performing a security risk analysis is required by the HIPAA Security Rule, as is “Apply security updates as needed” – both of these are administrative safeguards in the Security Rule. The requirement to remediate any problems means that if you do find problems, you cannot ignore them and have to do something about them.

Do I need to fully mitigate all risks before I attest for an EHR incentive program?

No. The EHR incentive program does not require the healthcare organization to “completely” correct all deficiencies identified during the risk analysis within the reporting period, as part of its risk management process.

Do I need to completely redo my security risk analysis every year?

No. Perform the full security risk analysis when you adopt an EHR. Each year, or whenever changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.

Why is my EHR vendor not taking care of everything I need to do about privacy and security?

Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making your practice compliant with the HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Do I need to do a security risk analysis only for office-based (locally hosted) EHRs?

No. Both office-based (locally hosted) and Internet-hosted (remotely hosted) EHRs have features that enable your practice to better control access to and use of protected health information than was possible with paper medical records. On the other hand, both EHR types also introduce new risks to your patients’ information. The mix of security risks depends, in part, on your EHR type. The table on the next page offers a few examples of the different risks associated with office-based vs. Internet-hosted EHRs.

What do I do after completing the risk analysis?

Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan should have five components: administrative, physical, and technical safeguards; policies and procedures; and organizational standards. Often, basic security measures such as security awareness training and encryption can be highly effective and affordable.

How does it benefit my practice?

Ensuring the privacy and security of electronic health information is a key component of building trust with patients, other providers, and other business partners. If individuals and other participants in a network lack trust in the electronic exchange of information because of perceived or actual risks to individually identifiable health information, or to the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences. In addition, protecting ePHI is a federal mandate.

If I complete a security risk analysis, am I compliant with HIPAA/HITECH?

A security risk analysis is only one part of the HIPAA/HITECH Security Rule requirements. There are other Security Rule requirements that must be completed as part of HIPAA/HITECH compliance.

Am I going to be audited if I have performed a thorough security risk analysis as part of the meaningful use incentive payments?

Yes. CMS (Centers for Medicare & Medicaid Services) conducts routine audits of eligible professionals and hospitals that have received incentive payments to ensure the meaningful use core objectives are being met.

How long would it take to complete the risk analysis?

It depends. For a small provider, depending on the complexity of the installation, it should take anywhere from 4 to 8 hours. For a medium to large provider, we need to understand the technology architecture before providing a proposal.
Contact us at info@ehr20.com

What is a security risk analysis?

To make a simplistic medical analogy, a security risk analysis is the examination and testing you do to assess clinical risk and diagnose a condition. Just as you use a diagnosis and other clinical data to plan treatment, you will use the risk analysis to create an action plan that makes your practice better at protecting patient information. Further, privacy and security are like chronic diseases that require treatment, ongoing monitoring and evaluation, and periodic adjustment.
A security risk analysis is a systematic and ongoing process of both:
• Identifying and examining potential threats and vulnerabilities to protected health information in your medical practice.
• Implementing changes to make patient health information more secure than at present, then monitoring results (i.e., risk management).

Who needs to conduct a meaningful use security risk analysis?

An eligible professional must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS that he or she has met meaningful use for that period.

How do I measure or certify my HIPAA compliance?

Given that there is no HIPAA certification standard or specific set of measures, one practical way to comply is to use best practices and measure the organization against the elements within each category.

Am I going to be audited by HHS/KPMG auditors for HIPAA compliance?

HHS is in the process of selecting healthcare organizations and covered entities for its initial audit exercise for 2012. You will be notified by HHS if you are selected. To learn more, visit the HHS site: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

What are the HIPAA security requirements for encryption?

HIPAA does not specify which encryption technologies are required for ePHI. However, HHS refers to the NIST Special Publications on encryption as guidance for choosing appropriate and reasonable encryption technologies.