0
0
Financial penalties for HIPAA violations. How real are they? How about a recent $4.3 million civil penalty faced by Cignet Health of Prince George’s County, Maryland; or the also recent $1 million settlement for Massachusetts General Hospital? Are those figures and outcomes real enough for you?
Included in the EHR and technology discussions so common in healthcare today are the well publicized HITECH incentives. These incentives are scheduled to be paid to eligible providers who are able to demonstrate compliance with meaningful use of their certified EHR system. And these EHR incentive payments are starting to be paid right about now for Medicare, and earlier this year for Medicaid. However, part of complying with meaningful use includes the completion of a HIPAA risk assessment either done by the medical provider, or by a qualified professional on the provider’s behalf. What’s more, this assessment is not just a one-time review showing that your EHR system and technology usage is HIPAA compliant; meaningful use requires periodic HIPAA risk assessments as well.
Proper completion of your HIPAA assessment must include both Privacy and Security Rules Straight from Health and Human Services (HHS), HIPAA calls, “… for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. The Administrative Simplification Regulations have been developed to implement these statutory provisions.”
Within these provisions, HIPAA privacy rules refer to those standards that protect individuals’ medical records and other personal health information. They require appropriate safeguards intended to protect the privacy of personal health information, and give patients rights over their health information.
Sample items included in a HIPAA privacy rule assessment include:
- Privacy & Confidentiality
- Notice of Privacy Practices
- Marketing/Fundraising/Sale of PHI
- Minimum necessary Rule
- Decedents
- Research Authorizations
- Disclosures
- Employee Training
- Access to PHI
- HIPPA Compliance in Front and Back Office, and by Providers
- Business Associate contracting activities and BA Agreements in use
HIPAA security rules refer to standards intended to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Required are appropriate (1) administrative, (2) physical, and (3) technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Sample items included in a HIPAA security rule assessment include:
- Security Management
- Worker Sanctions
- Security Responsibilities
- Workforce Clearance/Termination Procedures
- Authorization and Supervision of Access to ePHI
- Isolation Health Clearinghouse Functions
- Log-in Monitoring
- Password Management
- Security Incidents
- Protection from Mal-ware
- Security Awareness Training/security Reminders
- Risk Analysis/Vulnerability Assessment
- Contingency Planning
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision Procedures
- Applications and Data Critical Analysis
- Facility Access Controls; recommend changes/updates;
- Facility Security Plan, including access controls and maintenance/repairs
- Workstation Use/Security Policies and practices
- Policies and procedures for Device and Media Controls (Disposal/Reuse/Accountability)
- Technical (administrative) policies to manage PHI access ( User ID, Emergency Access, Auto Log-off, Encryption)
- Audit Controls, Integrity, Authentication (PHI and Person);
- Transmission Security (Integrity and Encryption);
- Breach Notification Plan/Procedures
So whether you’re hoping to qualify for EHR incentives, want to do things right and comply with HIPAA regulations, or are just trying to avoid hefty penalties for infractions, it’s advisable to pursue a risk assessment… and to do it NOW if you haven’t already.
