With all the recent turbulence in healthcare surrounding Meaningful Use, ICD-10 and now the transition to the Merit-based Incentive Payment System, HIPAA has, in a sense, flown under the radar for some practices. In 2017, however, practices need to make HIPAA compliance a priority. Here are five things we covered in a recent webinar on what every practice should focus on with regard to HIPAA compliance in 2017.
According to HHS, “HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk.”
The HITECH Act's audit mandate means that any organization required to comply with HIPAA can be audited for compliance with the Privacy, Security and Breach Notification Rules.
The second round of HIPAA audits measures compliance not only at physician practices but at every covered entity (health care providers, health plans and health care clearinghouses) and at the business associates that handle protected health information on their behalf.
The recent focus of HIPAA audits by the HHS Office for Civil Rights means your practice can no longer approach HIPAA as a "binder on the shelf."
The Role of Meaningful Use in HIPAA Compliance
Meaningful Use and HIPAA are closely tied together. If you participated in Meaningful Use, you had to attest that you are protecting your electronic health information. Many practices assume that, having conducted a security risk assessment for that attestation, they are prepared for an audit by the HHS Office for Civil Rights. They usually are not.
A Meaningful Use audit usually means two things:
Let's discuss how each of these pieces of a Meaningful Use audit impacts your practice's HIPAA compliance efforts.
Why Conducting a Risk Assessment Isn't Enough
Checking the Meaningful Use box that says you performed a security risk assessment is only the start. Checking that box on its own will not get you through an audit. Here's why.
This particular Meaningful Use Core Measure states that you must "Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities." The measure goes on to state that practices must also "conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
The part to focus on here is that you must "implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
Performing a risk assessment on its own is not enough. Once the assessment is complete, you need a corrective action plan that assigns each identified deficiency an owner and a target date, and you need to document the remediation, because the auditor will ask for evidence that the deficiencies were actually corrected, not just found.
Updated Business Associate Agreements (BAA)
Business associates are the outside organizations that create, receive, maintain or transmit protected health information on your behalf. Examples would be your outside IT company, a copier vendor with a maintenance agreement (copiers store scanned documents), a transcription company, or a medical billing service.
Each of these organizations must have a current BAA in place. The Omnibus Final Rule's compliance date was September 23, 2013, and agreements signed before that date needed to be updated to its requirements. Make sure a BAA exists, and has been updated, for every business associate.
Satisfactory assurance means obtaining, from each vendor you have a BAA with, evidence that it is actually capable of safeguarding the health information you share with it, that is, that the vendor is itself HIPAA compliant. There are a few questions to ask your vendors to establish this, which we'll return to in point #4 of this article.
When can my practice be audited?
How long after attesting can you be audited for Meaningful Use? Typically you can face an audit for up to six years after an attestation. If you have been audited already, you are probably an early adopter of the Meaningful Use attestation process.
Keep the documentation that supports each attestation organized and ready for at least that long, in case an audit notice arrives.
If you are familiar with HIPAA at all, then you probably already know that a breach or improper disclosure of protected health information needs to be reported to the HHS Office for Civil Rights.
Be precise about the thresholds, though, because the reporting obligation is not limited to large breaches. A breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, with notice to prominent media outlets in the affected state. A breach affecting fewer than 500 individuals must be logged and reported electronically to the HHS Office for Civil Rights no later than 60 days after the end of the calendar year in which it was discovered.
In both cases the affected individuals must be notified within 60 days of discovery, and since the Omnibus Final Rule an impermissible use or disclosure of protected health information is presumed to be a breach unless a documented risk assessment shows a low probability that the information was compromised. Track every incident, then, not just the large ones.
3. How do I prepare my practice and where do I start with HIPAA Compliance?
Wondering how to get started with 1,900 pages of HIPAA rules and regulations? It doesn't have to be complicated. Your practice should start with an organization assessment.
An organization assessment gives you a better understanding of where your practice shares information with vendors, what technology you use, what policies and procedures you have, and the physical characteristics of your facilities. It maps where your information lives and where you send it, so that if a breach occurs you can quickly identify what information was affected and where it was held.
How does an organization assessment differ from a risk assessment?
An organization assessment is a higher-level look at HIPAA that walks through each of the pieces required for compliance.
These pieces would include:
A Meaningful Use security risk assessment, by contrast, is very detailed: it comes with a corrective action plan, and its technology review is far more thorough, going into the specific technical controls that need to be changed.
An organization assessment is the broad picture of where you are today; the risk assessment is the detailed examination of the risks to ePHI and what must be done about them.
We have already touched on Business Associate Agreements and satisfactory assurance; the fourth item to focus on is documentation.
Understand that a BAA is a contract between you and another organization with which you share health information, and that a BAA can contain obligations that are not being met. It is not just a standard form to sign and file; it is, in fact, a contract, and both parties are bound by its terms.
Another piece of HIPAA you need to have documented is the satisfactory assurance of your vendors' compliance. This means you have at least done your due diligence: your vendors have confirmed, and you have recorded, that they can safeguard the information you share with them.
Under 45 CFR 164.502(e)(2), satisfactory assurances must be documented through a written contract or other written agreement or arrangement with the business associate.
A few questions to ask your vendors would be:
Documenting Your HIPAA Compliance Program
Keep in mind that HIPAA is no longer a "binder on the shelf"; your HIPAA compliance program must be actionable. Make sure the program is understood, disseminated and used, so that employees know what they should and shouldn't do.
Your workforce is your first line of defense in safeguarding the information patients entrust to you.
It is vital to understand that HIPAA compliance is not optional. It is enforced by the HHS Office for Civil Rights, and a security risk analysis is required of you to participate in MACRA.
Although the Advancing Care Information category under the Merit-based Incentive Payment System replaces Meaningful Use, the Security Risk Analysis remains a required measure for your base score.
The Security Risk Analysis measure states that a practice must:
"Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician's risk management process."
To conclude: a single risk assessment once a year does not cover it.
A risk assessment is a snapshot, a moment in time, and technology changes constantly. The Security Rule does not set a fixed frequency; it requires that the risk analysis be kept current and updated as the environment changes. In practice that means at least two assessments a year: the first to identify the risks, and the second, after you remediate them, to verify that those risks were actually corrected or whether they still exist.
Twice a year is the bare minimum. A significant change in personnel, the adoption of a new technology, or a change of location each warrants another risk assessment.