Health Information Compliance Alert

EHRs:

Analyze Your EHR Risks -- Before CMS Does

Pinpoint your vulnerabilities with a thorough risk analysis.

The mounting scrutiny over HIPAA privacy and security enforcement -- combined with the now astronomical fines you can incur -- means that your electronic health record (EHR) system’s state of compliance is more crucial than ever before. Want to reduce your HIPAA breach dangers and gain peace of mind about your EHRs at the same time? Perform a risk analysis.

Beware: Ramped-up enforcement and higher fines, as well as a new $10,000-minimum penalty for "Willful Neglect" of compliance, are further motivation to tighten up your EHR privacy and security. The risk analysis is also mandatory under the HIPAA Security Rule’s Meaningful Use measures and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

"And risk analysis becomes a way that you prioritize the work that you need to do to improve your security," says Jim Sheldon-Dean, Director of Compliance Services for Lewis Creek Systems, LLC based in Charlotte, VT. "It’s really the cornerstone of your compliance process."

Whom Should You Involve?

You and your staff can perform the risk analysis, but beware that "the risk analysis can become quite technical," cautioned John Brewer, founder of HIPAAaudit.com in a recent EMR & HIPAA guest blog post. "So you may need to have your IT staff involved, at least in part of this analysis."

Tip: Your local regional extension center (REC) can also help -- providing tools and generally helping you to perform the risk analysis and resulting mitigation, according to the Centers for Medicare & Medicaid Services (CMS).

Don’t Make Risk Analysis Just a One-Time Thing

One of the big questions is how often you should perform a risk analysis. For sure, the risk analysis process is not a singular event -- you should do it at least once each year.

Also, you must perform another risk analysis "anytime there is a major technological or physical change," Brewer said. This may include a new EHR, a new component to your EHR system or new computer network architecture.

And if you’re participating in the EHR Incentive Program, CMS also mandates that you perform the risk analysis and risk management process "at least once prior to the beginning of the EHR reporting period."

Pay Attention to 3 Focus Areas

To perform a thorough risk analysis, you must look at key areas to reveal all the potential ways something can go wrong. Specifically, you should examine what can go wrong to affect the confidentiality, integrity or availability of the electronic protected health information (ePHI), Sheldon-Dean advises.

1. Confidentiality: Of course, your main concern when working with EHRs is protecting data from unauthorized access, breaches and leaks. When performing your risk analysis, the HHS Office of the National Coordinator for Health IT (ONC) recommends that you evaluate the following questions:

What new ePHI have EHRs introduced into my practice? Where will that ePHI reside?

Who in my office will have access to EHRs?

Should all employees have the same level of access to EHRs?

Will I allow employees to have EHRs or ePHI on their mobile computing/storage devices? If so, how can we keep the data secure on those devices?

How will I know if ePHI has been accidentally or maliciously disclosed to an unauthorized person?

When we upgrade our electronic storage equipment (e.g., internal/external hard drives), how will we ensure that ePHI is properly erased from the old storage equipment before disposing of it?

How will I ensure that backup facilities (e.g., tapes, hard drives, etc.) are secure?

Will we share EHRs, or the ePHI contained in them, with other health care entities through a Health Information Organization (HIO)? If so, what security policies do I need to be aware of?

What security requirements exist to protect my patients’ health information if my EHR system is capable of providing patients with a way to access their health record/information via the Internet, such as a portal?

Will I communicate with my patients electronically (e.g., through a portal or email)? Are those communications secured? How will I know that I’m communicating with the right patient?

2. Integrity: Another element of your EHR privacy and security is how to ensure that the data contained in the records is accurate and remains unadulterated by unauthorized users. To assess your integrity risks, the ONC recommends that you consider these questions:

Who in my office will be allowed to create or modify an EHR or the ePHI contained in it?

How will I know if someone has altered or deleted data in an EHR?

If I participate in an HIO, how will I know whether the health information I exchange is altered in an unauthorized manner?

If my EHR system allows patients to access their health record/information online, will I allow patients to modify any of the health information in their EHRs? If so, what information?

3. Availability: You may want to improve your patients’ access to their own medical records, but how can you do so without compromising security? To assess your availability risks, the ONC offers these evaluation points:

How will I ensure that ePHI, regardless of where it resides, is readily available to authorized users for authorized purposes, including after normal office hours?

Do I have a backup strategy for EHRs in the event of an emergency, power outage or computer crash?

If I participate in an HIO, does it have performance standards for network availability?

If my EHR system allows patients online access to their health records/information, will I allow 24/7 access?