WHEN IT COMES TO HIPAA enforcement and liability, one could say that “the hits just keep on coming!” If you have not had the time to experience the riveting read Office of Inspector General Work Plan Fiscal Year 2015, you may not be missing a bestseller, but there is information that should be made note of when planning your 2015 HIPAA budget and projects. Yes, I said budget and projects.
Here is a section with information to note, Systems and Information Security in Appendix B—Recovery Act Reviews, page 75, within the Security of certified electronic health record technology under meaningful use:
We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology. A core meaningful-use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities. To meet and measure this objective, eligible hospitals, including critical access hospitals, must conduct a security risk analysis of certified EHR technology as defined in Federal regulations and use the capabilities and standards of Certified Electronic Health Record Technology. Furthermore, business associates that transmit, process, and store EHRs for Medicare and Medicaid providers are playing a larger role in the protection of electronic health information. Therefore, audits of cloud service providers and other downstream service providers are necessary to ensure compliance with regulatory requirements and contractual agreements.
So, if you or your clients received EHR incentive payments, then the Office of Inspector General (OIG) may be performing a random security audit on your client, your business, or both. The point that is most important is this notice mentions specifically a security risk analysis of certified EHR technology. We are building our own document library of EHR security features and options that should be set for security. The fact that we are building our own means we are not encountering many cases where we don’t need to provide the information to the CE. Yes, they are thrilled we have it, but … we aren’t supposed to be doing their first analysis.
So the OIG may come knocking and we are getting more details on the Department of Health and Human Services Office for Civil Rights (OCR) audits for 2015, too. The part I point out to many of our BA clients is they aren’t kidding when they say they are going to audit. Fifty security audits are planned for BAs. Thirty-five of those will be IT-related companies. So, maybe it isn’t the hits that keep on coming after all. Maybe I should say the HINTS just keep on coming.
Okay, so to play devil’s advocate, one might say the chances of being selected in these random things is statistically very low. I love numbers and totally agree with that point. But, the likelihood of you getting audited is not what you should be worrying about. What you should be worrying about is:
- Having a breach and getting that call about your investigation requirements.
- Any of your BAs getting audited or investigated and doing a face plant right in front of OCR. How will that reflect on your compliance level? How will you quickly replace them?
- Knowing that there was plenty of time to attempt to catch up, but it was continually put off. The longer it takes for something to happen, the worse it will look when it does.
article by DONNA GRINDLE, CHPSE
ABOUT THE AUTHOR: Donna Grindle, CHPSE, has been writing medical practice software as a programmer since 1987. She is currently the owner and president of Karden Technology, which specializes in IT and HIPAA compliance services, working with small healthcare providers and businesses that support them.