Healthcare organizations moving toward adopting certified EHR technology that meets CMS' "meaningful use" definition and qualifies for government incentives must conduct a risk analysis.
The proposed rule for the Medicare and Medicaid EHR incentive says that in Stage 1 of meeting the criteria for certified EHR, eligible providers are to attest that a risk analysis has been conducted and reviewed.
A brief recap of the stages of meaningful use:
Stage 1. The initial set of criteria will focus on collecting data electronically, sharing this data with other healthcare providers and patients, and finally reporting the measures to the government.
Stage 2. The second set of criteria is expected to be proposed by the end of 2011 and will focus on structured information exchange and continuous quality improvement.
Stage 3. The last stage will focus on decision support for "national high priority conditions" and population health. Criteria will come out in 2013.
CMS stresses the need for an internal risk assessment in its meaningful use proposed rule. It refers organizations back to the HIPAA Security Rule requirement, which says a risk analysis helps "form the foundation upon which an entity's necessary security activities are built."
"An entity must identify the risks to and vulnerabilities of the information in its care before it can take effective steps to eliminate or minimize those risks and vulnerabilities," according to the security rule.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says covered entities may have been less than aggressive in completing the required risk analysis. Likely, a significant number of covered entities never did one at all, he adds.
And many of the HIPAA compliance leaders who were in place in 2003 may have since left, so the risk assessment may never have been updated.
It's a good time to check on this, and if you haven't done so, use these three tips provided by Ruelas to get your organization's risk assessment going:
Don't overthink it. Decide if this is something you will do in-house or externally. "Too often people get stuck deciding how they wish to proceed, including at the beginning," Ruelas says. "Sometimes doing some basic homework, such as reading through the CMS Security Series newsletters, can help people decide which route to take."
Be realistic. If a covered entity is located in the middle of the desert, the folks doing the analysis don't need to spend much time evaluating the threat of floods caused by a hurricane or of power disruptions to the utility lines caused by heavy snowstorms. When putting together a list of risks, weed out those that have no applicability. Often, people put together their initial lists of potential threats through brainstorming sessions. "Don't delete anything from these lists until after brainstorming is completed since during brainstorming the goal is to generate as many ideas as possible," Ruelas says.
Try to involve all layers of individuals who may be affected (IT administrators, techs, end users). Different people will often offer different perspectives based on their experience. The more perspectives offered, the better the chances of getting a clear picture of how people perceive similar threats. For example, an IT infrastructure in which power failures are covered by uninterruptible power supplies may appear seamless to an end user, who may never know that power was disrupted.
HIPAA privacy and security officers need not revamp their entire policy and training program because of the "meaningful use" of electronic health records (EHR) guidelines published this month in the Federal Register.
If you're on the right track toward complying with HIPAA privacy and security requirements and protecting your patient's information, stay right there.
The EHR standards simply enable you to carry out certain aspects of HIPAA and HITECH better, such as encryption, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC.
CMS and the Office of the National Coordinator for Health Information Technology (ONC) last month released the two regulations: one defining "meaningful use" of EHRs and one setting the standards intended to improve the efficiency of health information technology used by hospitals and physicians nationwide.
EHR compliance does not guarantee HIPAA compliance.
"While the capabilities provided by Certified EHR Technology may assist … in improving … technical safeguards in order to meet some or all of the HIPAA security rule's requirements or influence … the use of Certified EHR Technology alone does not equate to compliance with the HIPAA privacy or security rules."
One security standard ONC already requires in its meaningful use interim final rule is that EHR systems be capable of encryption.
For instance, if you take a laptop containing protected health information out of your facility, you must have the capability to encrypt it. Or if you are going to send data to a Health Information Exchange (HIE), you can encrypt the transmission. It does not mean you have to encrypt the entire EHR, Amatayakul says.
"We believe a logical and practical next step … is to require Certified EHR Technology to be capable of encryption," ONC writes. "We hope that by requiring Certified EHR Technology to include this capability, that the use of encryption will become more prevalent."
Keep in mind the ONC interim final rule and CMS proposed rules are in a public comment stage now, with final rules expected in the spring. However, the interim final rule is in effect today.
Further, ONC says it may add layers of security standards to what's already established in HIPAA and HITECH.
"We believe that the HIPAA Security Rule serves as an appropriate starting point for establishing the capabilities for Certified EHR Technology," the ONC writes in the interim final rule. "That being said … we intend to … explore these areas and where possible to adopt new certification criteria and standards in the future to improve the capabilities Certified EHR Technology can provide to protect health information."
As of February 17, all business associates (BAs) must comply with the HIPAA security rule and parts of the privacy rule or face stiff penalties.
It's time to do a last-minute check to make sure they are.
Know your BAs. Most importantly, double-check your list of BAs, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Make sure that anyone who could qualify as a BA has been accurately identified as one. For example, your organization may not realize that a consultant who has access to protected health information (PHI) actually qualifies.
Make sure organizations you have identified as BAs actually are, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
In the early days of HIPAA, many organizations decided to err on the side of caution and made pretty much everyone sign a BA contract, says Ruelas. But that decision may come back to haunt them with this new compliance date pending.
Gauge your BAs' readiness. The next item on your last-minute checklist is to make sure that your BAs know that they are expected to comply with these regulations. Some organizations, even this late in the game, might not even know that they are required to be HIPAA compliant, says Ruelas.
Don't just ask your BA if they are HIPAA compliant, ask them specific questions to gauge their readiness, such as how they will handle specific scenarios, says Borten. Some BAs also may not understand the full extent of what they are now required to do, says Ruelas. For example, they might know they have new breach notification requirements, but are unaware of their other responsibilities, says Ruelas.
Make sure your BA contract language is up to date. Once you've checked up on your BAs, make sure you have legal contracts that include all the language required by the privacy and security rules and HITECH Act.
Put expectations in writing. For example, make sure that the covered entity and BA agree on action parameters when a breach is discovered. Spell out in the contract how long the BA has to report a breach to your organization once it is discovered.
Requiring that rapid notification will ensure that you are being notified in a timely manner and also that you can work with the BA to determine the cause and fallout from the breach by the time you are required by federal law to report it, he says.
Brace for contract updates. Be prepared to update the contract next month when the government is expected to release new breach notification guidance. Many hope that this guidance will clear up some lingering questions related to how elements of the HITECH Act should be incorporated into BA agreements.
Hire an attorney who knows HIPAA. If you are hiring, look for an attorney who specializes in HIPAA to review your BA contracts. Borten says she's seen many a competent attorney include contract provisions that were not HIPAA compliant simply because the rule is complex and requires someone with specialized knowledge to interpret and apply it correctly.
Beware of subcontractors. Include language regarding subcontractors. Know to whom your BAs subcontract work and stay informed on these arrangements, says Borten. Consider requiring the organization to notify you if they are using a subcontractor, particularly one that is offshore. Some organizations go so far as to prohibit BAs from subcontracting work offshore, says Borten.
Don't view BAs as adversaries. "Covered entities and BAs have been partners for years; it is not something that has to cause a divide," says Ruelas. If your BAs need help becoming compliant, help them along. Your organization likely spent a lot of time getting up to speed on HIPAA. Save your BAs some of that work by sharing with them what you've already done.
"It really serves no purpose to say to them figure it out yourself," says Ruelas. Set aside a day and have them come in and talk to your designated privacy officer or security officer.
"You're helping each other out. It is a symbiotic relationship," says Ruelas.
Major breaches of patient information in 2009 break down into three types: snoopers, hackers, and those involving large quantities of data.
So let's examine the top breaches from the past year and find out what facilities can do to prevent similar problems.
California cracks down on celebrity privacy breach
In May, state regulators in California slapped a large penalty on Kaiser Permanente's Bellflower Hospital in Bellflower, CA. Regulators found that the hospital failed to prevent employees from snooping into the medical records of the so-called Octomom, Nadya Suleman, who gave birth to octuplets in January 2009. The hospital also failed to report the inappropriate access, which is considered a security breach.
High-profile cases where hospital employees leaked details of patients' medical conditions to the news media resulted in the new California law that permits the state to impose financial penalties on healthcare providers who don't protect patients' medical records. Fines run as high as $250,000.
Lessons learned: Be sure your workforce members know your policy and that you will hold them accountable, says Margret Amatayakul, RHIA, CHPS, CPHIT, CPEHR, FHIMSS, president of Margret\A Consulting in Schaumburg, IL. "Follow your sanction policies and be strict about them," she says.
Hackers demand ransom for prescription records
In June 2009, Virginia officials began mailing direct individual notifications to more than a half-million people whose Social Security numbers may have been contained in the Prescription Monitoring Program (PMP) database that was hacked by a criminal who demanded a $10 million ransom.
In the April 30 breach, an unidentified hacker left a ransom note on the PMP's Web site claiming to have more than eight million patient records and more than 35 million prescriptions. "For $10 million, I will gladly send along the password," the hacker reportedly wrote.
The Virginia Department of Health Professions, which oversees the PMP database, had to close the system after the breach. It reopened for registered users only after the Virginia Information Technology Agency and other law enforcement agencies cleared new security measures.
Lessons learned: "This is probably less frequent, but more difficult to protect against," says Amatayakul. Facilities need to address issues such as intrusion protection and having layered security, she says.
Facilities should look at hardening their firewall so that it controls not only communications coming in but also those going out, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. They should also have an active patch management program in place, as well as antivirus and anti-spyware software, all of which providers must keep updated. And don't forget about remote users, who need to employ the same protection, he says.
Facilities should test their Web sites and ensure they encrypt sensitive information. Hackers look for wireless networks, which are a vulnerable spot if not secured properly.
However, "your most significant risk is not the hackers," Apgar says. The biggest risk of a breach is careless staff members who have not been appropriately trained, he says.
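The "in and out" firewall point above is easy to state and easy to get wrong in practice: most default rulesets deny inbound traffic but allow anything outbound, which is exactly what an intruder uses to stage records off the network or fetch tooling. The nftables ruleset below is an added example written for this article, not configuration from the page or from any of the consultants quoted; it shows a host-level ruleset for a Linux server in an EHR environment with a default-deny policy in both directions. All addresses, hostnames, subnets and ports (the clinical VLAN, the admin jump host, the internal resolver, NTP and patch proxy, the database tier and its port) are assumptions for illustration and would come out of the facility's own risk analysis.

```nft
# Added example, not from the original article. Every address and port below is
# an assumption; replace them with what your risk analysis says this host needs.
flush ruleset

table inet ehr_host {
    # Assumed database servers this EHR front end is allowed to talk to.
    set db_servers {
        type ipv4_addr
        elements = { 10.10.20.10, 10.10.20.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the clinical workstation VLAN reaches the EHR web front end, TLS only.
        ip saddr 10.10.30.0/24 tcp dport 443 accept
        # Administrative SSH only from the assumed jump host.
        ip saddr 10.10.1.5 tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
        log prefix "nft-in-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;  # default deny outbound
        oif lo accept
        ct state established,related accept
        # The server may reach only the services it actually needs:
        ip daddr 10.10.1.53  udp dport 53   accept        # internal DNS resolver
        ip daddr 10.10.1.123 udp dport 123  accept        # internal NTP
        ip daddr 10.10.1.80  tcp dport 8080 accept        # patch mirror / web proxy
        ip daddr @db_servers tcp dport 5432 accept        # database tier (assumed port)
        # Anything else leaving the host is logged and dropped: a compromised
        # process cannot call home or push PHI out to an arbitrary address.
        log prefix "nft-out-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # this host does not route
    }
}
```

Check the file with `nft -c -f ehr_host.nft` before loading it with `nft -f ehr_host.nft`, and watch the `nft-out-drop:` log lines for a few days in a staging copy: each entry is either a legitimate dependency the risk analysis missed or something that should not have been talking out in the first place. The same default-deny-outbound idea applies at the perimeter firewall, where the list of permitted destinations is the facility's HIE, clearinghouse and vendor endpoints rather than "any".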
Major pharmacy company settles privacy breaches
The Federal Trade Commission (FTC) and HHS entered into a settlement agreement with the CVS Caremark Corp., including penalties of $2.25 million, in February for violating HIPAA and FTC rules with the inappropriate disposal of PHI. The settlement followed an investigation prompted by reports that the company discarded patient information in industrial trash containers outside some of its stores, including pill bottles.
CVS failed to secure the containers, making the patient information accessible to anyone, according to HHS. The company violated the privacy of millions of its customers.
Lessons learned: CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, according to HHS.
Organizations run into problems when they have lax practices, says Amatayakul. "Organizations should know better, and they should secure this data," she adds.
HHS also found CVS failed to adequately train employees to discard patient information properly. Many privacy problems are really a training problem, Amatayakul says.
Facilities must also safeguard data used on mobile devices, she says. Stolen or lost laptop computers containing patient information also dominated news headlines in 2009.