Financial penalties for HIPAA violations. How real are they? How about a recent $4.3 million civil penalty faced by Cignet Health of Prince George’s County, Maryland; or the also recent $1 million settlement for Massachusetts General Hospital? Are those figures and outcomes real enough as you consider the value of HIPAA Compliance?
Included in the EHR and technology discussions so common in healthcare today are the well publicized HITECH incentives. These incentives are scheduled to be paid to eligible providers who are able to demonstrate compliance with meaningful use of their certified EHR system. And these EHR incentive payments are starting to be paid right about now for Medicare, and earlier this year for Medicaid. However, part of complying with meaningful use includes the completion of a HIPAA risk assessment either done by the medical provider, or by a qualified professional on the provider’s behalf. What’s more, this assessment is not just a one-time review showing that your EHR system and technology usage is HIPAA compliant; the meaningful use criteria requires periodic HIPAA risk assessments as well.
A HIPAA assessment must include both Privacy and Security Rules
Straight from Health and Human Services (HHS), HIPAA calls, “… for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. The Administrative Simplification Regulations have been developed to implement these statutory provisions.”
Within these provisions there are details that address the protecion of individuals’ medical records and other personal health information, be they paper or electronic, gives patients rights over their health information, and requires appropriate (1) administrative, (2) physical, and (3) technical safeguards … and more.
A few sample items included in a HIPAA privacy rule assessment include:
- Privacy & Confidentiality
- Notice of Privacy Practices
- Employee Training
- Access to PHI
- Business Associate contracting activities and BA Agreements in use
A few sample items included in a HIPAA security rule assessment include:
- Security Management
- Worker Sanctions
- Workforce Clearance/Termination Procedures
- Authorization and Supervision of Access to ePHI
- Log-in Monitoring
- Password Management
- Security Incidents
- Protection from Mal-ware
- Risk Analysis/Vulnerability Assessment
- Contingency Planning
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Facility Access Controls; recommend changes/updates;
- Workstation Use/Security Policies and practices
- Technical (administrative) policies to manage PHI access ( User ID, Emergency Access, Auto Log-off, Encryption)
- Breach Notification Plan/Procedures
As stated, these are just some samples to give a sense of what the Fed’s expectations are. We have a more extensive list, and additional information addressing what all is entailed when analyzing a healthcare organization’s compliance with HIPAA privacy and security rules elsewhere on this site that you may wish to review.
So whether you’re hoping to qualify for EHR incentives, want to do things right and comply with HIPAA regulations, or are just trying to avoid hefty penalties for infractions, it’s advisable to pursue a risk assessment … and to do it NOW if you haven’t already.