PRIVACY, SECURITY AND MEANINGFUL USE – Is your practice compliant?

Dec 15, 2015
Page 1: PRIVACY, SECURITY AND MEANINGFUL USE – Is your practice compliant?

Page 2: ABOUT SEARFOSS & ASSOCIATES

With more than 15 years of experience in the health care industry, Searfoss & Associates, LLC offers legal services to individual and group health care providers and integrated health systems. The Firm is led by Principal Jennifer Searfoss, a nationally recognized advocate for medical practices and well-known public speaker.

Searfoss & Associates, LLC is conveniently located in Annapolis, only blocks from the State’s capitol building.

Page 3: AGENDA

I. Overview of the requirements; recent breaches and fines

II. History of the privacy and security requirements

a. HIPAA
b. Meaningful use

III. Components of a compliance plan

a. Policies
b. Audit/risk assessment
c. Take action – fix the problem(s)

IV. What an audit looks like

V. You found a problem, now what?

VI. The new audit era: CMS and RACs for meaningful use

Page 4: OBJECTIVES

• Appreciate the federal regulations and requirements for keeping health information private and secure

• Clarify how the meaningful use guidelines impact privacy and security protections

• Evaluate your privacy and security policies for areas of improvement and training

• Identify opportunities in your practice’s audit functions to inspect computers and systems for protections

• Establish an action plan for privacy or security breaches

Page 5: GETTING STARTED

Overview of the requirements

Recent breaches and fines

History of the privacy and security requirements

HIPAA and Meaningful Use

Page 6: PRIVACY VS. SECURITY

Privacy

• Administrative mechanisms that govern the appropriate use of and access to data

• Not all employees need to know everything about a patient

• Don’t send the full medical record to a health plan in response to a request for clinical documentation

Security

• Technical mechanisms to ensure privacy

• Don’t have a fax machine that receives personal information in a public place

• Encrypt electronic communications

Page 7: PRIVACY AND SECURITY

• Mandated in HIPAA

• You know it from the requirement to post your privacy practices and receive a patient attestation

• Applies to “covered entities,” a status triggered by conducting electronic transactions for claims or eligibility

• Penalties for a HIPAA breach:

  • When HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000 annually. Now, the maximum penalty under HITECH is $1.5 million per calendar year.

  • Civil penalties after Feb. 18, 2009 range from $100 to $50,000 per violation.

  • Criminal penalties for intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm are up to 10 years in jail and $250,000.

Page 8: RECENT BREACHES AND FINES

• April 17: $100,000 in fines for a physician practice posting patients’ clinical and surgical appointments on an Internet-based public calendar

• March 13: $1.5 million for 57 stolen unencrypted hard drives (first HITECH breach-report enforcement action)

• Feb. 24, 2011: $1 million for records of 192 infectious disease patients, including HIV patients, lost on the subway

• Feb. 22, 2011: $1.3 million for denying 41 patients access to their medical records; $3 million civil monetary penalty for willful neglect to cooperate during the investigation

Page 9: WHAT’S REQUIRED

• Privacy policy and procedures

• Appointed privacy officer

• Staff training

• Mitigation and data safeguards

• Documentation

• Complaints

Page 10: MEANINGFUL USE – STAGE ONE

Objective 15: Mandatory completion (no exclusions)

(i) Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

(ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Page 11: 45 CFR 164.308(a)(1)

A covered entity must:

(i) Implement policies and procedures to prevent, detect, contain and correct security violations

(ii) Implementation specifications:

(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity

(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

(C) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity

(D) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports

Page 12: COMPONENTS OF A COMPLIANCE PLAN

Policies

Audit/risk assessment

Take action – fix the problem(s)

Page 13: PRIVACY AND SECURITY POLICIES

Policies to prevent, detect, contain and correct security violations

• Must be in writing

• Should be reviewed periodically by the physician board

• A number of off-the-shelf products work for medical offices

• Remember to fill in information specific to your practice

• Cannot just write it and not implement it

• Appoint a security/privacy officer

• Train personnel

• Accept complaints

• Audit

Page 14: AUDIT/RISK ASSESSMENT

The Workgroup for Electronic Data Interchange developed a model audit:

• My office has formal, written policies and we train all staff on policies at hiring and then periodically thereafter.

• We do not use a sign-in sheet that includes confidential patient information.

• All confidential conversations take place, to the extent possible, in areas that cannot be overheard by other patients or non-staff individuals.

• Patients and non-staff cannot gain access to computers or faxes and cannot see computer screens.

• Each computer has a personal password which changes on a regular basis. Terminated employee passwords are eliminated immediately.

• There is a list of all computers, systems and other technology as well as documented permission levels for each staff person, and we audit the logs and technology periodically.

Page 15: TAKING ACTION

Your response to problems should be included in the policies and procedures. Include the type of action, who is involved, the final decision-makers and the timeframes for action.

• Patient complaints

• Personnel complaints

• Audit results

• Software updates and upgrades

Page 16: WHAT AN AUDIT LOOKS LIKE

• Follow the process established in your policy

• May be conducted in-house

• Document:

  • When the process began

  • What was audited

  • How it was audited

  • Results and risk areas

  • Mitigation and corrective actions taken on the results

Page 17: YOU FOUND A PROBLEM, NOW WHAT?

Section 13402 of the Health Information Technology for Economic and Clinical Health Act (HITECH; included in the American Recovery and Reinvestment Act of 2009; P.L. 111-5) requires breach reporting.

“A covered entity that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured” PHI shall

• Notify, within 60 days, each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired or disclosed

• Give HHS and media notice for breaches affecting more than 500 individuals

• For breaches affecting fewer than 500 individuals, HHS notice may be logged and reported annually

Page 18: NORMAL PROBLEMS – NO BREACH

• Appoint a security/privacy officer

• Develop policies and review them

• Implement administrative permissions; review and update them periodically

• Training for staff

• Business associate agreements with everyone touching PHI

• Passwords must expire

• All machines must have password-protected timeouts

• Networks, including patient wifi, must be isolated

• Data encrypted

• Records destroyed

Page 19: THE NEW AUDIT ERA

An April report by the General Accounting Office to Congress recommended:

• CMS should establish timeframes for evaluating the effectiveness of its Medicare EHR incentives audit strategy

• CMS should request more information from Medicare providers during the attestation process

• CMS should evaluate the extent to which it should conduct more verifications on a prepayment basis

• CMS should consider collecting meaningful use attestations from Medicaid providers on behalf of the states

Page 20: PREPAREDNESS

One deficiency in meeting a required Meaningful Use measure will result in a finding of non-compliance, and CMS will move to recoup the entire incentive payment.

• Keep hard copies or digital copies of any reports you relied on to document meaningful use compliance

• Document the reasons for claiming an exemption from any meaningful use measures that do not apply to your organization or practice

• If you rely on the FAQs interpreting meaningful use questions on the CMS website, keep a dated copy of the FAQ content with your other meaningful use documentation.

• CMS does not maintain date stamps on FAQs. As content changes, don’t be stuck with the government’s change in interpretation.

• Use your terms, not vendor terms or health care lingo. The auditors may not know health care or your software. If you must, stick to IT industry terms.

Page 21: QUESTIONS

Jennifer Searfoss, Esq., C.M.P.E.
Principal

Searfoss & Associates, LLC
112 West Street
Annapolis, Maryland 21401
o 443-837-5548
f [email protected]