Chat with us, powered by LiveChat

HIPAA Security for Meaningful Use : Myths and Facts

fact-vs-myth

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see above paragraph on basic credentials).  They go in to the organization interviewing, collecting some documentation, running scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over, and the world moves on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art, content, and most-importantly; it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk-level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS Guidance - Each year have to redo entire SRA Myth

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take:  Things change on a constant-basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks.” means conducting a gap assessment and risk analysis on any of those items that changed from last year.  Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely-adopted to tackle this), HIPAA One® will allow a full-import of last-year’s HIPAA Security Risk Analysis (SRA) allowing a review of each question to see what has changed.  Ongoing tracking is built-in after the SRA is over and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

I have to outsource our Risk Analysis.

I have to outsource our Risk Analysis.

HHS Privacy and Security Guide of Health Information, page 6

False.  It is possible for small practices to do a competent risk analysis themselves using self-help tools.  However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take:  If you haven’t had a third-party come in the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review.  The first year of compliance efforts are expensive however, year 2 should be roughly 50% of what year 1 is as investments are implemented.  The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps to conduct the risk analysis.  HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor; using automation vs any manual-based risk analysis while learning from the experience.  In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button and HIPAA One® allows you to insource, instead of outsource.

Org Info Import

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information

HHS Settles With Affinity Health Plan Inc. In Photocopier Breach Case

Affinity Health Plan, Inc., a not for profit, will settle prospective violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780 with the U.S. Department of Health and Human Services. HIPAA covered entities, like Affinity, are require to report to Health and Human Services when protected health information has been disclosed.

CBS evening news did an investigatory report in which they purchased photocopiers that had previously been leased by Affinity. In so doing CBS found that confidential medical information had never been erased from the hard drive. Affinity filed a breach report after CBS informed them of the medical information found on the hard drives.

Affinity revealed without consent protected health information of an estimated 344,579 individuals when it returned multiple photocopiers to leasing agents before confidential customer information had been removed from hard drive.

Affinity has an agreement of a settlement of $1,215,780, to take precautions to guard electronic protected health information, and to attempt to recover all hard drives that were used on the leased photocopiers. You can read more about the agreement here.

Make sure that your data is secure and that you mitigate as much risk as possible by engaging with HIPAA One.

WellPoint Agrees To Pay HHS $1.7 Million For Leaving Information Accessible Over Internet

According to the U.S. Department of Health and Human Services (HHS), WellPoint Inc. has agreed to pay them $1.7 million to settle potential violations to HIPAA Security and Privacy rules. You can read more about it here.

The HHS is hoping that this case and other recent cases send an important message to all HIPAA covered entities to take extreme measure to ensure data privacy and security when implementing changes to their information systems, especially when those changes involve updates to web based application or portals that house consumers’ electronic medical records.

If you are going to be implementing changes to your information systems and want to make sure that you stay compliant and minimize the risk associated with with such changes, we recommend you reach out to our HIPAA experts today!

 

Idaho State University Settles HIPAA Security Case For $400,000

According to the Department of Health and Human Services (HHS), Idaho State University has agreed to pay them $400,000 for violations of the HIPAA Security rule. The settlement was reached after 17,500 patients of an ISU clinic’s health records were compromised. You can read more about it here.

The Office for Civil Rights (OCR) opened investigations after ISU notified the HHS that their server firewall was disabled. Through their investigation, the OCR found that ISU did not apply proper security measures and policies all of which could have been avoided by consulting with a HIPAA security consultant and by executing routine HIPAA security audits.

This isn’t the first time a well known University has been penalized for a health data breach, we wrote about Indiana University and their breach in another post that you can find here.