The Health Insurance Portability and Accountability Act (HIPAA)
Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program. Every covered entity—health care facility, health plan, or medical practice–has been required to maintain a HIPAA Privacy Risk Assessment program since 1996 and a HIPAA Security Risk Assessment program since 2003. Both Privacy and Security includes a risk assessment of your Electronic Health Record (EHR). The Centers for Medicare & Medicaid Services (CMS) requires documentation on request that your practice has an effective risk assessment program and appropriate safeguards in place and that you are accounting for any and all security-related issues.
Strong audit trails are a critical component of an organization’s security strategy. They help the entity ensure the confidentiality and integrity of data and avoid HIPAA law violations. Your EHR vendor should be able to provide you compliance documentation needed to pass an audit by CMS and/or your state governing board. If they cannot provide that documentation, a medical practice needs to find out why.
Should you do it yourself, or recruit external help?
The audit involves a tremendous amount of detailed documentation. You will be expected to submit policies and procedures and other evidence of security efforts, including proof of prevention, detection, containment, and correction of security violations; employee background checks and confidentiality agreements; authentication methods used to identify users authorized to access private information; list of individuals and contractors with access to private information and copies of related business agreements; lists of software used to manage and control access to the Internet; details about encryptions and decryption of private information; how security incidents are detected, reported, and responded to; and much, much more. Supplying all of this information requires extensive knowledge of security issues and how private information is handled and managed.
In truth, completing the audit is daunting; so daunting, in fact, that many don’t complete it. “The purpose of the HIPAA risk mandate was to force covered entities to take a risk based approach to their practice, which lets them identify areas where they are weak and correct those weaknesses,” said Sean E. Smith, CISSP, Senior Security and Compliance Engineer of Geriatric Practice Management, LLC, (GPM). However, he added, “In my experience with medical practices, many have treated the mandate for HIPAA risk assessment as a necessary evil and done as little as possible to create a viable risk program.” However, the ramifications of not completing an audit are significant.
“This is a huge penalty for practices and providers.”
The penalty if you cannot provide documentation that you conducted the audit is a loss of 4% of Medicare payments the first year and up to 9% over the next 4-5 years. “This is a huge penalty for practices and providers,” said Smith. He added, “It is important to note that in the HIPAA world, privacy and security are separate entities; and you need to provide documentation that you audited both.”
Many health care entities let their IT staff handle HIPAA risk assessments, but this can be a foolish rationale. As Smith said, “You wouldn’t let your office manager handle an audit of your financials; you hire a CPA with specific expertise. The same concept applies to security. You need people who are trained and certified to address security to help you set up your risk system. Hire smart people to be smart at what they’re smart at.” He noted that these experts can handle the entire risk assessment process or provide any kind of consulting between the layers of it.
An EHR vendor with cyber security experts on staff can be a practice’s best friend in a world where the risks are mounting and the stakes are high. Work with your vendor and its security experts to learn from your audit data and make necessary changes, additions, and revisions. Finally, said Smith, it’s not just enough that a general cyber security expert. It is essential to find out with a history in healthcare. “A lot of security companies are good at other industries but do not understand healthcare. You wouldn’t hire an accounting firm that has expertise in manufacturing to assist with your healthcare organization’s financial program,” he said. Similarly, he indicated, you need a security expert who understands the specific challenges and issues faced by organizations in your field and have experience in securing and protecting patient records and other confidential health data.
Security Risk Assessment Tool
To give you an idea of what you need to do and where you need to start when it comes to your HIPAA risk assessment, the U.S. Department of Health and Human Services has produced a security risk assessment (SRA) tool to help guide health care providers in small- to medium-sized offices conduct risk assessments of their organizations.
The SRA tool is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the HIPAA Security Rule. The application, available for downloading at www.HealthIT.gov/security-risk-assessment also produces a report that can be provided to auditors.