Gastroenterology Coding Alert

Find out how to avoid this gastroenterologist’s fate by understanding the steps you must take.

Has your gastroenterology practice ever performed a risk analysis? If not, you could be flushing a six-figure check down the drain. That’s how much money one GI physician had to pay to the Office of Civil Rights (OCR) after the government determined he didn’t implement adequate security measures.

Background: On March 3, the Department of Health and Human Service (HHS) announced that a Utah gastroenterologist had agreed to pay $100,000 to settle a potential violation of the HIPAA rule. The practice had filed a breach report with the OCR following a dispute with a business associate, but during an investigation, the OCR found that the practice had never performed a risk analysis following the breach, nor did the gastroen­terologist implement security measures that would allow him to reduce his future risks and vulnerabilities.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino in a news release about the settlement. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” he said.

Here’s How to Avoid That Physician’s Fate

Risk analysis “is one of four required implementation specifications” in the Security Rule, HHS says. Practices are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

Although the HIPAA Security Rule does not specifically mandate how you must perform the risk analysis, both CMS and OCR offer the following steps as a template to develop your own process.

1. Identify the scope: Your risk analysis should encompass all the potential risks and vulnerabilities to all the protected health information (PHI) that your practice creates, receives, maintains, or transmits. This includes all PHI and electronic PHI (ePHI) in all forms of media, which can include paper documents, CDs, hard drives, mobile devices, transmission media, electronic storage media, and much more.

2. Gather data: Begin compiling data on where you store, receive, maintain, or transmit PHI. You may need to look at more than a single department — check out any data exchanges between vendors and business associates, as well as any PHI in different physical locations or electronic media. Also, you must document how, when, and what data-gathering activities you performed.

3. Identify and document potential threats and vulner­abilities: You’re not looking for any and all conceivable threats, but instead you should identify and document all “reasonably anticipated” threats. Examine threats based on these categories:

• Natural — Floods, earthquakes, tornadoes, landslides
• Human — Intentional or unintentional actions (e.g., unauthorized access to ePHI network and computer-based attacks, malicious software upload, inadvertent data entry or detection, inaccurate data entry)
• Environmental — Power failures, pollution, chemicals, liquid leakage

4. Assess current security measures: Compare your existing security measures with the potential threats and vulnerabilities you’ve identified. Evaluate all your security measures (technical and non-technical), such as your access controls, authentication, encryption methods, automatic logoff, and audit controls, as well as your policies, procedures, guidelines, accountability, and responsibility, and physical and environmental security measures.

5. Determine the likelihood of threat occurrence: Weigh the probability that a threat will trigger or exploit a particular vulnerability, and then estimate the potential impact on your organization. Categorize each specific threat as “high likelihood,” “medium likelihood,” or “low likelihood.” Use your determinations to create a list prioritizing your risk mitigation efforts.

6. Determine the potential impact of threat occurrence: Estimate the possible threat’s potential outcome or impact. This may include unauthorized access to or disclosure of ePHI; permanent loss or corruption of ePHI; temporary loss or unavailability of ePHI; loss of physical assets; or loss of cash flow. Similar to ranking likelihood, organize the potential impacts as “low,” “medium,” and “high.”