Pay prices upfront to avoid bigger costs later.

Many practices (or covered entities, CEs) keep in line with Privacy Rule protocols without too much trouble, but fail to implement and follow up on the guidelines that protect against Security Rule violations. Don’t let that happen to your practice. As you wade through the ins and outs of the HIPAA Security Rule, be wary of these popular myths — identified by the Office of the National Coordinator for Health Information Technology (ONC) — so you can avoid becoming another victim.

1. Small Providers Don’t Get Risk Analysis Reprieves

Myth: I don’t need to complete a comprehensive risk analysis because we’re a small, rural provider.

Reality: All providers who qualify as CEs under HIPAA must perform a risk analysis. “Many physicians don’t understand that this is the first element in HIPAA security,” says attorney Abby Pendleton, of The Health Law Partners, PC, in Farmington Hills, Mich. “This type of risk analysis is the starting point to find potential vulnerabilities and then put into place the appropriate safeguards. It is the stepping stone to implement HIPAA, but not enough practitioners do it.”

Tip: Back up your risk analysis with documentation that includes your plans for addressing risks and fixing issues. Why? It’s the first thing the HHS Office for Civil Rights (OCR) will ask for if you have a HIPAA data breach. Plus, the PI Security Assessment is the most audited Merit-based Incentive Payment System (MIPS) measure, according to Cherie Kelly-Aduli, CEO of QPP Consulting Group in Mandeville, La.

2. Use of CEHRT Does Not Translate to Compliance

Myth: We’re compliant as long as we use some kind of Certified EHR Technology (CEHRT).

Reality: “Even with a certified EHR, you must perform a full security risk analysis,” reminds the ONC. “Security requirements address all electronic protected health information you maintain, not just what is in your EHR.”

Advice: It’s not only important that you do a risk analysis; it’s also critical that you update your EHR if you want those federal incentives to keep coming. In a nutshell, MIPS eligible clinicians (ECs), Medicare-eligible hospitals, dual-eligible hospitals, and critical access hospitals (CAHs) are required to use 2015 Edition CEHRT for 2019 attestations and PI submissions.

3. It’s Not Your Vendors’ Responsibility to Keep You Compliant

Myth: My EHR vendor is in charge of my HIPAA security compliance.

Reality: Unfortunately, you cannot buy HIPAA compliance. If a third-party vendor says its encryption product is “HIPAA compliant,” that company is simply telling you that the product fulfills the HIPAA encryption guidelines for stored data and data over networks. Using a product that meets those guidelines does not, by itself, mean that you are complying with the HIPAA Security Rule. In terms of encryption, the Security Rule standard states that you must “implement a mechanism to encrypt and decrypt electronic protected health information.”

What to do: This standard is “addressable,” meaning that you must carefully analyze your organization’s operations to determine what type of encryption product is “reasonable and appropriate” for your business. You must base your analysis on a variety of factors related to your organization, such as:

4. HIPAA Security Rule Compliance Is Worth Every Penny

Myth: Why should I put money aside for HIPAA security? As a small provider, my chances of a data breach are non-existent.

Reality: Oftentimes, small businesses are the hardest hit because they don’t allocate funds to manage their data security risks upfront, and the price to recover from incidents can be crippling, suggests the report. That’s why it’s important for organizations, big and small, to invest in security planning and use the information they get from assessing their risks to protect patients’ ePHI as well as their bottom lines. “Healthcare has traditionally been less sophisticated when it comes to information security … [but] now is the time to get serious about protecting systems, because lives and institutions are at stake,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vt.

Final note: “The risk analysis process should be ongoing,” explains OCR guidance. “In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.”