PRIVACY, SECURITY AND MEANINGFUL USE Is your practice compliant?

Presentation transcript:


ABOUT SEARFOSS & ASSOCIATES
With more than 15 years of experience in the health care industry, Searfoss & Associates, LLC offers legal services to individual and group health care providers and integrated health systems. The Firm is led by Principal Jennifer Searfoss, a nationally recognized advocate for medical practices and well-known public speaker. Searfoss & Associates, LLC is conveniently located in Annapolis, only blocks from the State’s capitol building.

AGENDA
I. Overview of the requirements; recent breaches and fines
II. History of the privacy and security requirements
  a. HIPAA
  b. Meaningful use
III. Components of a compliance plan
  a. Policies
  b. Audit/risk assessment
  c. Take action: fix the problem(s)
IV. What an audit looks like
V. You found a problem, now what?
VI. The new audit era: CMS and RACs for meaningful use

OBJECTIVES
- Appreciate the federal regulations and requirements for keeping health information private and secure
- Clarify how the meaningful use guidelines impact privacy and security protections
- Evaluate your privacy and security policies for areas of improvement and training
- Identify opportunities in your practice’s audit functions to inspect computers and systems for protections
- Establish an action plan for privacy or security breaches

GETTING STARTED
- Overview of the requirements
- Recent breaches and fines
- History of the privacy and security requirements: HIPAA and Meaningful Use

PRIVACY VS. SECURITY
Privacy: administrative mechanisms that govern appropriate use of and access to data
- Not all employees need to know everything about a patient
- Don’t send the full medical record to a health plan in response to a request for clinical documentation
Security: technical mechanisms that enforce privacy
- Don’t place a fax machine that receives personal information in a public area
- Encrypt electronic communications

PRIVACY AND SECURITY
- Mandated in HIPAA
- You know it from the requirement to post your privacy practices and receive a patient attestation
- Applies to “covered entities,” which includes any practice that conducts electronic transactions for claims or eligibility
- Penalties for a HIPAA breach: when HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000 annually. Now, the maximum penalty under HITECH is $1.5 million per calendar year. Civil penalties after Feb. 18, 2009 range from $100 to $50,000 per violation. Criminal penalties for intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm are up to 10 years in jail and $250,000.

RECENT BREACHES AND FINES
- April 17: $100,000 in fines for a physician practice posting clinical and surgical appointments for patients on an Internet-based public calendar
- March 13: $1.5 million for 57 stolen unencrypted hard drives (first HITECH breach report enforcement action)
- Feb. 24, 2011: $1 million for records lost on the subway for 192 infectious disease patients, including HIV patients
- Feb. 22, 2011: $1.3 million for denying 41 patients access to their medical records; $3 million civil monetary penalty for willful neglect to cooperate during the investigation

WHAT’S REQUIRED
- Privacy policy and procedures
- Appointed privacy officer
- Staff training
- Mitigation and data safeguards
- Documentation
- Complaints

MEANINGFUL USE – STAGE ONE
Objective 15: Mandatory completion (no exclusions)
(i) Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
(ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

45 CFR (A)(1)
A covered entity must:
(i) Implement policies and procedures to prevent, detect, contain and correct security violations
(ii) Implementation specifications:
  (A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity
  (B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  (C) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity
  (D) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports

COMPONENTS OF A COMPLIANCE PLAN
- Policies
- Audit/risk assessment
- Take action: fix the problem(s)

PRIVACY AND SECURITY POLICIES
- Policies to prevent, detect, contain and correct security violations
- Must be in writing
- Should be reviewed periodically by the physician board
- A number of off-the-shelf products work for medical offices; remember to fill in information specific to your practice
- Cannot just write the policies and not implement them:
  - Appoint a security/privacy officer
  - Train personnel
  - Accept complaints
  - Audit

AUDIT/RISK ASSESSMENT
The Workgroup for Electronic Data Interchange developed a model audit:
- My office has formal, written policies and we train all staff on policies at hiring and then periodically thereafter.
- We do not use a sign-in sheet that includes confidential patient information.
- All confidential conversations take place, to the extent possible, in areas that cannot be overheard by other patients or non-staff individuals.
- Patients and non-staff cannot gain access to computers or faxes and cannot see computer screens.
- Each computer has a personal password which changes on a regular basis.
- Terminated employee passwords are eliminated immediately.
- There is a list of all computers, systems and other technology, as well as documented permission levels for each staff person, and we audit the logs and technology periodically.

TAKING ACTION
Your response to problems should be included in the policies and procedures. Include the type of action, who is involved, the final decision-makers and the timeframes for action. Sources of problems include:
- Patient complaints
- Personnel complaints
- Audit results
- Software updates and upgrades

WHAT AN AUDIT LOOKS LIKE
- Follow the process established in your policy
- May be conducted in-house
- Document:
  - When the process began
  - What was audited
  - How it was audited
  - Results and risk areas
  - Mitigation and corrective actions taken on the results

YOU FOUND A PROBLEM, NOW WHAT?
Section of the Health Information Technology for Economic and Clinical Health Act (HITECH; included in the American Recovery and Reinvestment Act of 2009; P.L ) requires breach reporting. “A covered entity that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured” PHI shall:
- Notify, within 60 days, each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired or disclosed
- Notify HHS and the media for breaches affecting more than 500 individuals
- For breaches affecting fewer than 500 individuals, HHS notice may be logged and reported annually

NORMAL PROBLEMS – NO BREACH
- Appoint a security/privacy officer
- Develop policies and review them
- Implement administrative permissions; review and update them periodically
- Training for staff
- Business associate agreements with everyone touching PHI
- Passwords must expire
- All machines must have password-protected timeouts
- Networks, including patient wifi, must be isolated
- Data encrypted
- Records destroyed

THE NEW AUDIT ERA
An April report by the General Accounting Office to Congress recommended:
- CMS should establish timeframes for evaluating the effectiveness of its Medicare EHR incentives audit strategy
- CMS should request more information from Medicare providers during the attestation process
- CMS should evaluate the extent to which it should conduct more verifications on a prepayment basis
- CMS should consider collecting meaningful use attestations from Medicaid providers on behalf of the states

PREPAREDNESS
- One deficiency in meeting a required Meaningful Use measure will result in a finding of non-compliance, and CMS will move to recoup the entire incentive payment.
- Keep hard copies or digital copies of any reports you relied on to document meaningful use compliance
- Document the reasons for claiming an exemption from any meaningful use measures that do not apply to your organization or practice
- If you rely on the FAQs interpreting meaningful use questions on the CMS website, keep a dated copy of the FAQ content with your other meaningful use documentation. CMS does not maintain date stamps on FAQs; as content changes, don’t be stuck with the government’s change in interpretation.
- Use your own terms, not vendor terms or health care lingo. The auditors may not know health care or your software. If you must, stick to IT industry terms.

QUESTIONS
Jennifer Searfoss, Esq., C.M.P.E.
Principal, Searfoss & Associates, LLC
112 West Street, Annapolis, Maryland
o f