The rumors began the moment the law (ARRA) was passed in 2009, intensified as testing protocols were created, and continued through the implementation process. Some physicians simply couldn’t get past those rumors and decided to avoid the cash incentives provided by the Meaningful Use program. An unfortunate choice. However, if you received incentive payments, the audit program is here. And with it, some unexpected confusion.

The audit process is not difficult. The most important items that an auditor may initially request include proof that you owned the certified technology you purchased during the attestation period, a copy of the report you printed from your certified EHR, some screenshots, etc. But those items certainly aren’t confusing, and as an ECLIPSE user, you knew from your HELP to save such reports rather than discard them. So, where does the confusion lie?

Just a few short years ago, it’s likely that you attended one or more seminars with regard to maintaining HIPAA compliance within your facility. Perhaps you received C.E. credits. Perhaps your staff attended. You learned some of the protocols you were expected to follow to ensure protection of Protected Health Information (PHI). You also learned that this was an ongoing process. It’s likely you appointed a HIPAA Compliance Officer within your practice and created a HIPAA Compliance Manual at that time. Your HIPAA Compliance Manual might have contained wording to the effect of:
Risk Analysis and Management: Little Ferry Chiropractic Center (LFCC) conducts thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held in its computer systems on a regular basis. When LFCC’s Compliance Officer believes risks exist, the Compliance Officer addresses each risk and completes a mitigation report. LFCC has implemented security measures to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule. These measures are described in detail…
In other words, you’ve been doing risk assessments for years now. During attestation, for item #15, you attested that you have…
conducted a review or security analysis per 45 CFR 164.308(a)(1) and have implemented security updates as necessary, corrected security deficiencies as part of your risk management process.
Now that we’ve established that you’ve been doing this all along… let’s visit some of the protocols you’ve certainly implemented & checked in your office:
- It’s likely that you purchased, maintain a subscription to, and routinely check software from companies like Symantec to prevent malware (e.g. viruses) from entering your system.
- You routinely remind employees not to leave Post-It notes on a computer monitor with user names & passwords. And your HIPAA Compliance Officer checks this from time to time.
- If there’s a door between your waiting room and front desk, you’ve ensured that door is always locked from the waiting room side. If your front desk and charts are accessible from the waiting room, you’ve established a procedure that ensures all employees log out when they leave the desk and/or a protocol that ensures the front desk is always attended by at least one staff member.
- Within your software you’ve assigned appropriate permissions based on job title to limit access to PHI as appropriate.
- Perhaps you’ve called the HELP Desk to discuss potential security vulnerabilities and how to address them.
- You’ve ensured appropriate Windows permissions on your computers or network to limit access.
- You password protected your routers if you have a network. And if you have a wireless network in your office, you’ve also set up appropriate encryption protocols so your data can’t be intercepted.
- You’ve established backup procedures in the event of a hardware failure or natural disaster.
- If you routinely email PHI, you password protect & encrypt attachments prior to sending.
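Several of the items above (malware protection, locked or logged-out unattended desks, Windows permissions on the chart data, wireless encryption, scheduled backups) can be verified on a Windows workstation and recorded as a dated entry for your HIPAA manual. The script below is an added example written for this page; it is not part of the original post and not ECLIPSE software. The folder paths, the backup task name match, and the use of Windows Defender’s `Get-MpComputerStatus` are assumptions (a practice running Symantec or another vendor’s product would check that vendor’s console instead), so adjust them for your office.

```powershell
# Added example (not from the original post, not ECLIPSE code): a dated
# self-check of several HIPAA Security Rule controls on one Windows PC.
# Run in PowerShell as an administrator; file the resulting record with
# the HIPAA manual and sign/date the printed copy.

$ChartFolder  = 'C:\ECLIPSE\Data'      # ASSUMPTION: folder holding PHI on this PC
$ReportFolder = 'C:\HIPAA\RiskChecks'  # ASSUMPTION: where dated records are kept
$Stamp        = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Report       = Join-Path $ReportFolder "risk-check_${env:COMPUTERNAME}_$Stamp.txt"
New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null

$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $status = if ($Pass) { 'PASS' } else { 'REVIEW' }
    $Findings.Add(('{0,-6} {1,-38} {2}' -f $status, $Control, $Detail))
}

# 1. Malware protection: real-time scanning on, signatures updated within a week.
try {
    $mp  = Get-MpComputerStatus
    $age = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    Add-Finding 'Antivirus real-time protection' $mp.RealTimeProtectionEnabled "enabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Antivirus signatures current'   ($age -le 7) "signatures $age day(s) old"
} catch {
    Add-Finding 'Antivirus status' $false 'Defender status unavailable; check your vendor console'
}

# 2. Unattended desk: the screen saver must lock the session after a short idle time.
$desk    = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = 0
if ($desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }
$locks   = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1')
Add-Finding 'Screen lock on idle' ($locks -and $timeout -gt 0 -and $timeout -le 900) `
    "active=$($desk.ScreenSaveActive) secure=$($desk.ScreenSaverIsSecure) timeout=${timeout}s"

# 3. Windows permissions: no broad groups should be able to write to the chart folder.
if (Test-Path $ChartFolder) {
    $broad = (Get-Acl $ChartFolder).Access | Where-Object {
        $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    }
    $who = ($broad | ForEach-Object { $_.IdentityReference }) -join ', '
    Add-Finding 'Chart folder NTFS permissions' (-not $broad) "broad write grants: $who"
} else {
    Add-Finding 'Chart folder NTFS permissions' $false "$ChartFolder not found; set `$ChartFolder"
}

# 4. Wireless encryption: every saved Wi-Fi profile should use WPA2 or WPA3.
$profiles = netsh wlan show profiles 2>$null | ForEach-Object {
    if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
}
if (-not $profiles) { Add-Finding 'Wi-Fi profiles' $true 'no wireless profiles found on this PC' }
foreach ($p in $profiles) {
    $detail = netsh wlan show profile name="$p" 2>$null | Out-String
    $auth = if ($detail -match 'Authentication\s*:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    Add-Finding "Wi-Fi profile '$p' encryption" ($auth -match '^WPA[23]') "authentication=$auth"
}

# 5. Backups: ASSUMPTION that the backup job is a scheduled task with "backup" in its name.
$backup = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match 'backup' -and $_.State -ne 'Disabled' }
Add-Finding 'Backup task scheduled' ([bool]$backup) ("tasks: " + (($backup | ForEach-Object { $_.TaskName }) -join ', '))

# Write the dated record, then log its SHA-256 in a separate index so later
# edits to a record can be detected (hashing the file before appending to it).
$header = @(
    'HIPAA security risk self-check (added example script)',
    "Computer: $env:COMPUTERNAME   User: $env:USERNAME   Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm')",
    'Reviewed by (sign/date): ______________________',
    ''
)
$header + $Findings | Set-Content -Path $Report -Encoding UTF8
$hash = (Get-FileHash -Path $Report -Algorithm SHA256).Hash
"$Stamp  $hash  $Report" | Add-Content -Path (Join-Path $ReportFolder 'index.txt')
$Findings | ForEach-Object { Write-Host $_ }
Write-Host "Record written to $Report"
```

Each line marked REVIEW is a control the Compliance Officer should address and note in a mitigation report, as the manual wording quoted earlier describes; a PASS line is only as good as the assumptions above, so keep the signed paper copy as the authoritative record for the attestation period.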
This is just a short list of many items routinely implemented & addressed in your practice as part of HIPAA compliance. During the audit process, if you’re asked to provide proof of your security risk assessment, simply provide appropriate pages from your HIPAA manual, along with the steps that are part of your daily/weekly/monthly routine (and were likely repeated at the time of attestation). You should have a signed, dated copy that corresponds to your attestation period.
Here are some related links:
- HealthIT.gov Security Risk Assessment Tools
- CMS Security Assessment Fact Sheet
- DHHS Security Risk Assessment
- DHHS Security Risk Assessment Small Provider’s Guide
And some samples: