Privacy, Security, and Meaningful Use

PRIVACY, SECURITY AND
MEANINGFUL USE
Is your practice compliant?
ABOUT SEARFOSS & ASSOCIATES
With more than 15 years of experience in the health care
industry, Searfoss & Associates, LLC offers legal services to
individual and group health care providers and integrated
health systems. The Firm is led by Principal Jennifer
Searfoss, a nationally recognized advocate for medical
practices and well-known public speaker.
Searfoss & Associates, LLC is conveniently located in
Annapolis, only blocks from the State’s capitol building.
AGENDA
I. Overview of the requirements; recent breaches and fines
II. History of the privacy and security requirements
a. HIPAA
b. Meaningful use
III. Components of a compliance plan
a. Policies
b. Audit/risk assessment
c. Take action – fix the problem(s)
IV. What an audit looks like
V. You found a problem, now what?
VI. The new audit era: CMS and RACs for meaningful use
OBJECTIVES
• Appreciate the federal regulations and requirements for
keeping health information private and secure
• Clarify how the meaningful use guidelines impact privacy
and security protections
• Evaluate your privacy and security policies for areas of
improvement and training
• Identify opportunities in your practice’s audit functions to
inspect computers and systems for protections
• Establish an action plan for privacy or security breaches
GETTING STARTED
Overview of the requirements
Recent breaches and fines
History of the privacy and security requirements
HIPAA and Meaningful Use
PRIVACY VS. SECURITY
Privacy
• Administrative mechanisms that govern the appropriate use of and
access to data
  • Not all employees need to know everything about a patient
  • Don’t send the full medical record to a health plan for a request
  for clinical documentation
Security
• Technical mechanisms to ensure privacy
  • Don’t have a fax machine that receives personal information in
  a public place
  • Encrypt electronic communications
PRIVACY AND SECURITY
• Mandated in HIPAA
  • You know it for the requirement to post your privacy practices
  and receive a patient attestation
• Applies to “covered entities”: providers that conduct electronic
transactions for claims or eligibility
• Penalties for HIPAA breach
  • When HIPAA was first enacted, the maximum penalty for a
  HIPAA violation was $250,000 annually. Now, the maximum
  penalty under HITECH is $1.5 million per calendar year.
  • Civil penalties after Feb. 18, 2009 range from $100 to $50,000
  per violation.
  • Criminal penalties for intent to sell, transfer or use PHI for
  commercial advantage, personal gain or malicious harm are up to
  10 years jail time and $250,000.
RECENT BREACHES AND FINES
• April 17: $100,000 in fines for physician practice posting
clinical and surgical appointments for patients on an
Internet-based public calendar
• March 13: $1.5 mil for 57 stolen unencrypted hard drives
(first HITECH breach report enforcement action)
• Feb. 24, 2011: $1 mil for lost records on subway for 192
infectious disease patients including HIV patients
• Feb. 22, 2011: $1.3 mil for denial of 41 patients to their
medical records; $3 mil in civil monetary penalty for willful
neglect to cooperate during investigation
WHAT’S REQUIRED
• Privacy policy and procedures
• Appointed privacy officer
• Staff training
• Mitigation and data safeguards
• Documentation
• Complaints
MEANINGFUL USE – STAGE ONE
Objective 15: Mandatory completion (no exclusions)
(i) Objective. Protect electronic health information created or
maintained by the certified EHR technology through the
implementation of appropriate technical capabilities.
(ii) Measure. Conduct or review a security risk analysis in
accordance with the requirements under 45 CFR
164.308(a)(1) and implement security updates as necessary
and correct identified security deficiencies as part of its risk
management process.
45 CFR 164.308(a)(1)
A covered entity must:
(i) Implement policies and procedures to prevent, detect, contain and
correct security violations
(ii) Implementation specifications:
(A) Conduct an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and availability
of electronic protected health information held by the covered entity
(B) Implement security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level
(C) Apply appropriate sanctions against workforce members who fail
to comply with the security policies and procedures of the covered
entity.
(D) Implement procedures to regularly review records of information
system activity, such as audit logs, access reports, and security
incident tracking reports
COMPONENTS OF A COMPLIANCE PLAN
Policies
Audit/risk assessment
Take action – fix the problem(s)
PRIVACY AND SECURITY POLICIES
Policies to prevent, detect, contain and correct security
violations
• Must be in writing
• Should be reviewed periodically by physician board
• A number of off-the-shelf products work for medical offices
• Remember to fill in information specific to your practice
• Cannot just write it and not implement it
  • Appoint security/privacy officer
  • Train personnel
  • Accept complaints
  • Audit
AUDIT/RISK ASSESSMENT
Workgroup for Electronic Data Interchange
developed a model audit
• My office has formal, written policies and we train all staff on
policies at hiring and then periodically thereafter.
• We do not use a sign in sheet that includes confidential patient
information.
• All confidential conversations take place, to the extent possible,
in areas that cannot be overheard by other patients or non-staff
individuals.
• Patients and non-staff cannot gain access to computers or faxes
and cannot see computer screens.
• Each computer has a personal password which changes on a
regular basis. Terminated employee passwords are eliminated
immediately.
• There is a list of all computers, systems and other technology as
well as documented permission levels for each staff person and
we audit the logs and technology periodically.
TAKING ACTION
Your action to problems should be included in the policies
and procedures. Include type of action, who is involved,
final decision-makers and timeframes for action.
• Patient complaints
• Personnel complaints
• Audit results
• Software updates and upgrades
WHAT AN AUDIT LOOKS LIKE
• Follow the process established in your policy
• May be conducted in-house
• Document:
  • When process began
  • What was audited
  • How it was audited
  • Results and risk areas
  • Mitigation and corrective actions taken on results
YOU FOUND A PROBLEM, NOW WHAT?
Section 13402 of Health Information Technology for Economic and
Clinical Health Act (HITECH; included in the American Recovery
and Reinvestment Act of 2009; P.L. 111-5) requires breach
reporting.
“A covered entity that accesses, maintains, retains, modifies,
records, stores, destroys or otherwise holds, uses or discloses
unsecured” PHI shall
• Notify each individual within 60 days whose unsecured PHI has
been or is reasonably believed to have been accessed,
acquired or disclosed
• HHS and media notice for breaches of more than 500
individuals
• HHS notice for breaches of fewer than 500 individuals may be
logged and reported annually
NORMAL PROBLEMS – NO BREACH
• Appoint a security/privacy officer
• Develop policies and review them
• Implement administrative permissions; review and update them
periodically
• Training for staff
• Business associate agreements with everyone touching PHI
• Passwords must expire
• All machines must have timeouts with passwords
• Networks, including patient wifi, must be isolated
• Data encrypted
• Records destroyed
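The WEDI model audit questions above (terminated employee passwords eliminated immediately, regularly changed passwords, periodic review of logs and permissions) and the 45 CFR 164.308(a)(1)(ii)(D) duty to review audit logs are the kind of check a small practice can script rather than do by hand. The following is an added example, not part of the presentation or of any vendor product: it runs three of those checks over a constructed workforce roster and a constructed application access log. The record layout, the 90-day password rotation period and all names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample data (assumed layout, not from the presentation):
# a workforce roster exported from the practice's user directory ...
ROSTER = [
    {"user": "jdoe",   "enabled": True, "terminated": None,
     "pw_changed": date(2012, 4, 1)},
    {"user": "asmith", "enabled": True, "terminated": date(2012, 3, 15),
     "pw_changed": date(2012, 1, 10)},   # left the practice, account still on
    {"user": "bjones", "enabled": True, "terminated": None,
     "pw_changed": date(2011, 9, 1)},    # password far older than policy
]

# ... and an access log exported from the EHR (constructed events).
ACCESS_LOG = [
    {"user": "asmith", "when": date(2012, 3, 20), "record": "MRN-0001"},
    {"user": "jdoe",   "when": date(2012, 4, 10), "record": "MRN-0002"},
]

# Assumed policy value: passwords must be changed at least every 90 days.
MAX_PASSWORD_AGE = timedelta(days=90)


def find_active_terminated(roster):
    """Accounts that should have been disabled on the termination date."""
    return [u["user"] for u in roster if u["terminated"] and u["enabled"]]


def find_expired_passwords(roster, today, max_age=MAX_PASSWORD_AGE):
    """Enabled accounts whose password is older than the rotation policy."""
    return [u["user"] for u in roster
            if u["enabled"] and today - u["pw_changed"] > max_age]


def find_post_termination_access(roster, log):
    """Log events where a terminated user touched a record after leaving.
    Each hit is a candidate incident for the breach-assessment step."""
    term_dates = {u["user"]: u["terminated"] for u in roster if u["terminated"]}
    return [e for e in log
            if e["user"] in term_dates and e["when"] > term_dates[e["user"]]]


def run_review(roster, log, today):
    """One periodic review; the returned dict is what gets filed as the
    documented audit result (what was audited, when, and the risk areas)."""
    return {
        "review_date": today.isoformat(),
        "active_terminated": find_active_terminated(roster),
        "expired_passwords": find_expired_passwords(roster, today),
        "post_termination_access": find_post_termination_access(roster, log),
    }


if __name__ == "__main__":
    for key, value in run_review(ROSTER, ACCESS_LOG, date(2012, 4, 30)).items():
        print(f"{key}: {value}")
```

Each finding maps back to a policy action: a hit in the terminated-but-enabled list is a procedure failure to fix the same day, an expired password is a training or configuration item, and a post-termination access event goes into the breach assessment described under "You found a problem, now what?".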
THE NEW AUDIT ERA
April report by the General Accounting Office to Congress
recommended:
• CMS should establish timeframes evaluating the
effectiveness of its Medicare EHR incentives audit
strategy
• CMS should request more information from Medicare
providers during the attestation process
• CMS should evaluate the extent to which it should conduct
more verifications on a prepayment basis
• CMS should consider collecting meaningful use
attestations from Medicaid providers on behalf of the
states
PREPAREDNESS
One deficiency in meeting a required Meaningful Use measure will
result in a finding of non-compliance and CMS will move to recoup
the entire incentive payment.
• Keep hard copies or digital copies of any reports you relied on to
document meaningful use compliance
• Document the reasons for claiming an exemption from any
meaningful use measures that do not apply to your organization
or practice
• If you rely on the FAQs interpreting meaningful use questions on
the CMS website, keep a dated copy of the FAQ content with your
other meaningful use documentation.
  • CMS does not maintain date stamps on FAQs. As content changes,
  don’t be stuck with the government’s change in interpretation
• Use your terms, not vendor terms or health care lingo. The
auditors may not know health care or your software. If you must,
stick to IT industry terms.
QUESTIONS
Jennifer Searfoss, Esq., C.M.P.E.
Principal
Searfoss & Associates, LLC
112 West Street
Annapolis, Maryland 21401
o 443-837-5548
f 443-628-9178