I come from a family with 6 boys, all of whom are Eagle Scouts. I’ve used many skills I learned from Boy Scouts in my travels across the globe, from heli-skiing in Alaska and caribou hunting with a bow in the vast tundra of Quebec to roaming the streets of Jerusalem. Each skill I learned in Scouting has been put to the test at one point or another in my life.
For the last 16 years I’ve served as a volunteer Scout leader in the Boy Scouts of America and have tried to give back to the youth by teaching them the lessons I feel will help them be successful in all facets of life. Sitting at the top of the list is being prepared, whether that means being prepared physically and mentally to weather a storm and build a shelter for safety, being prepared to communicate with someone in another language, or being prepared to be honest in business dealings with others.
Being prepared is the Boy Scout motto. “Be prepared for what?” someone once asked Robert Baden-Powell, the founder of Scouts, to which he replied, “Why, for any old thing.”
I am shocked in my professional career that this simple mantra of being prepared is not more readily observed. I’ve had conversations — too many to list — with providers and CIOs making statements indicating they were comfortable participating in the CMS Meaningful Use incentive program and receiving large incentive funds without properly understanding what they’re committing to. That is scary!
I recently became aware of a covered entity that received close to 1 million dollars from CMS as a participant in Meaningful Use, yet upon inquiry from Figliozzi to produce the Security Risk Analysis required by the HIPAA Security Rule, they were unable to do so.
In an email addressed to them, the concluding remarks stated, “If the aforementioned meaningful use criteria are not met, the incentive payment will be recouped.” Yikes! Our experience has shown that many hospitals and clinics are running on a 60 to 90 day cash runway. Returning funds of this magnitude with such minimal operating capital could result in unfortunate consequences.
When will the phase 2 audits begin? OCR will begin phase 2 audits in October 2014 and will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, as their focus. These entities will have two weeks to respond to OCR’s request. OCR will only consider current documentation that is submitted on time. Failure to respond could result in a more in-depth compliance review.
In the spirit of being prepared, here are 2 simple steps to help get your organization started in its preparation for an audit.
#1 — Dig up and dust off your Security Risk Analysis
- Can you find it?
- Is it up to date?
- Have you been working on the gaps in compliance identified for remediation?
If you checked the box and did not conduct a proper SRA, then beware! There are many who have simply checked the box that an assessment has been done at the facility without understanding the rigor and liability of what is being asked by CMS. We are finding that some providers would rather roll the dice when it comes to an audit of their HIPAA Security risk assessment. According to CMS, 68% of those audited fail because they have not conducted an SRA or have done it incorrectly. This is not a matter to be trifled with. If a provider fails even this one measure of HIPAA compliance, CMS will recoup the entire amount. It’s all or nothing.
#2 — Designate a HIPAA Security Officer
Designate someone to be your HIPAA Security Officer to avoid confusion about who owns the responsibility for overseeing the risk assessment process and for ensuring that HIPAA compliance protocols are followed in the organization. The former involves gathering and storing information from several parties. A typical Security Risk Analysis includes information gathered and aggregated from the HR Director, EMR Administrator, IT Network Manager, Facilities Manager, IT Server Manager and HIPAA Security Officer. Using this approach, specific role-related questions are answered by each of the aforementioned parties.
Here’s a good example: An IT Network Manager is asked, “Has your organization performed an external (i.e. Internet) server and network vulnerability scan on your Internet-facing devices in the past year?” If their answer is yes, then they are asked to supply supporting documentation. If their answer is no, then a threat, likelihood and impact are identified, a high, medium or low risk is assigned to that question, and a remediation task is recorded for later fulfillment. A follow-up question would be, “Were there any critical and/or high risk vulnerabilities discovered in the vulnerability scans?” CMS is not only looking to see that you completed a Security Risk Analysis, but that you are working on remediating items deemed high risk.
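To make the workflow in the paragraph above concrete, here is a small Python model of the question-and-remediation process: each role-specific question is answered yes or no, a “yes” must be backed by supporting documentation, and a “no” gets a threat, likelihood and impact, a derived risk level and a remediation task, so the Security Officer can see at a glance what an auditor would ask for. This is an added example, not code from the original post or from any CMS or OCR tool; the 3x3 likelihood-by-impact scale, the role names and the sample answers are constructed assumptions.

```python
"""Minimal Security Risk Analysis (SRA) tracker (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed qualitative scale; not a CMS/OCR mandated scoring method.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Question:
    qid: str
    role: str
    text: str
    answer: Optional[str] = None       # "yes" / "no" / None (unanswered)
    evidence: Optional[str] = None     # reference to supporting documentation for a "yes"
    threat: Optional[str] = None       # filled in for a "no"
    likelihood: Optional[str] = None   # low / medium / high
    impact: Optional[str] = None       # low / medium / high
    remediation: Optional[str] = None  # task recorded for later fulfillment
    remediation_done: bool = False


def risk_level(likelihood: str, impact: str) -> str:
    """Map likelihood x impact onto high/medium/low (assumed 3x3 matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(q: Question) -> Dict[str, object]:
    """Turn one answered question into the finding an auditor would expect to see."""
    if q.answer == "yes":
        # A "yes" only counts if the documentation can actually be produced.
        status = "supported" if q.evidence else "unsupported"
        return {"qid": q.qid, "role": q.role, "status": status, "risk": None, "done": None}
    if q.answer == "no":
        if not (q.threat and q.likelihood and q.impact and q.remediation):
            raise ValueError(f"{q.qid}: a 'no' needs threat, likelihood, impact and remediation")
        return {"qid": q.qid, "role": q.role, "status": "gap",
                "risk": risk_level(q.likelihood, q.impact), "done": q.remediation_done}
    return {"qid": q.qid, "role": q.role, "status": "unanswered", "risk": None, "done": None}


def audit_readiness(questions: List[Question]) -> Dict[str, object]:
    """Summarise the three things that sink an audit response: unanswered questions,
    "yes" answers with no documentation, and high-risk gaps nobody has remediated."""
    findings = [assess(q) for q in questions]
    unanswered = [f["qid"] for f in findings if f["status"] == "unanswered"]
    unsupported = [f["qid"] for f in findings if f["status"] == "unsupported"]
    open_high = [f["qid"] for f in findings
                 if f["status"] == "gap" and f["risk"] == "high" and not f["done"]]
    return {"unanswered": unanswered, "unsupported": unsupported,
            "open_high_risk": open_high,
            "ready": not (unanswered or unsupported or open_high)}


# Constructed sample answers, one per role, mirroring the questions in the post.
SAMPLE_QUESTIONS = [
    Question("NET-1", "IT Network Manager",
             "External vulnerability scan of Internet-facing devices in the past year?",
             answer="no", threat="unpatched Internet-facing service exposed to attackers",
             likelihood="high", impact="high",
             remediation="schedule an external scan and review critical/high findings"),
    Question("HR-1", "HR Director", "Workforce HIPAA security training completed?",
             answer="yes", evidence="training-roster-example.pdf"),
    Question("EMR-1", "EMR Administrator", "EMR access logs reviewed regularly?",
             answer="yes"),  # claimed, but no documentation on hand
    Question("FAC-1", "Facilities Manager", "Server room locked and access-controlled?",
             answer="no", threat="unauthorized physical access to servers",
             likelihood="low", impact="medium",
             remediation="install keyed lock and access log", remediation_done=True),
    Question("SRV-1", "IT Server Manager", "Backups encrypted and tested?"),
]

if __name__ == "__main__":
    for key, value in audit_readiness(SAMPLE_QUESTIONS).items():
        print(f"{key}: {value}")
```

Run as a script it lists the unanswered question, the undocumented “yes”, the open high-risk gap and a final “ready: False”; only when all three lists are empty does the summary report the organization as ready to answer an inquiry.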
When it comes time to present on the current state of compliance in your organization, having one point of contact organizing this information helps keep all parties on task and working toward HIPAA compliance.
Be warned when a CMS, OCR or government-sponsored inquiry occurs and Security Risk Analysis documentation is requested. Answering the questions “Where is it and who has it?” with “not me” won’t cut it and will result in your organization returning its incentive payment. The phrase “not me” isn’t just a fictional character in the Family Circus cartoon. It’s a human condition in the brain designed to absolve oneself of any duty, accountability or responsibility in a particular situation one would rather not be drawn into. Replying “not me” could cost your organization millions of dollars in fines and embarrassment.
The best way to be prepared to survive a Meaningful Use audit or other government inquiry is to show compliance through organized documentation, processes, policies and procedures. Resources are readily available, so find the best Boy Scout in your office, dub them with the title of HIPAA Security Officer and get to work! And remember, compliance is NOT a destination but a journey. Enjoy the journey!