Inpatient Facility Coding & Compliance Alert

HIPAA Compliance:

Know Your EHR Risks and Avoid Big Fines

Perform a risk analysis and rule out your vulnerabilities.

The compliance status of your electronic health record (EHR) system has become more crucial than ever before. Reduce your Health Insurance Portability and Accountability Act (HIPAA) breach dangers and gain peace of mind about your EHRs at the same time by performing a thorough risk analysis.

Beware: Ramped-up enforcement and higher fines, as well as a new $10,000-minimum penalty for “Willful Neglect” of compliance, are further motivation to tighten up your EHR privacy and security. The risk analysis is also mandatory under the HIPAA Security Rule and under the Meaningful Use measures established by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

“And risk analysis becomes a way that you prioritize the work that you need to do to improve your security,” says Jim Sheldon-Dean, Director of Compliance Services for Lewis Creek Systems, LLC, based in Charlotte, VT. “It’s really the cornerstone of your compliance process.”

Who You Should Involve

You and your staff can perform the risk analysis, but beware that “the risk analysis can become quite technical,” cautions John Brewer, founder of HIPAAaudit.com, in a recent EMR & HIPAA guest blog post. “So you may need to have your IT staff involved, at least in part of this analysis.”

Tip: Your local regional extension center can also help — providing tools and generally helping you to perform the risk analysis and resulting mitigation, according to the Centers for Medicare & Medicaid Services.

One of the big questions is how often you should perform a risk analysis. For sure, the risk analysis process is not a singular event — in fact, you should do it at least once per year.

Also, you must perform another risk analysis “anytime there is a major technological or physical change,” Brewer says. This may include a new EHR, a new component to your EHR system or new computer network architecture.

Pay Attention to 3 Focus Areas

To perform a thorough risk analysis, you must look at key areas to reveal all the potential ways something can go wrong. Specifically, you should examine anything that could compromise the confidentiality, integrity or availability of electronic protected health information (ePHI), Sheldon-Dean advises.

1. Confidentiality: Of course, your main concern when working with EHRs is protecting data from unauthorized access, breaches and leaks. When performing your risk analysis, the HHS Office of the National Coordinator for Health IT recommends that you evaluate the following questions:

  • What new ePHI have EHRs introduced into our facility? Where will that ePHI reside?
  • Who will have access to EHRs?
  • Should all employees have the same level of access to EHRs?
  • Will I allow employees to have EHRs or ePHI on their mobile computing/storage devices? If so, how can we keep the data secure on those devices?
  • How will I know if ePHI has been accidentally or maliciously disclosed to an unauthorized person?
  • When we upgrade our electronic storage equipment (e.g., internal/external hard drives), how will we ensure that ePHI is properly erased from the old storage equipment before disposing of it?
  • How will I ensure that backup facilities (e.g., tapes, hard drives, etc.) are secure?
  • Will we share EHRs, or the ePHI contained in them, with other health care entities through a Health Information Organization (HIO)? If so, what security policies do I need to be aware of?
  • What security requirements exist to protect my patients’ health information if my EHR system is capable of providing patients with a way to access their health record/information via the Internet, such as a portal?
  • Will I communicate with my patients electronically (e.g., through a portal or email)? Are those communications secured? How will I know that I’m communicating with the right patient?

And don’t forget: Your facility’s copy machines could be risk magnets. Large copiers have hard disk drives that often store a great deal of information, including ePHI, cautions Duane Abbey, Ph.D., president of Abbey and Abbey Consultants, Inc., in Ames, Ia. “When copy machines are decommissioned, the hard drives should be removed or erased.”

2. Integrity: Another element of your EHR privacy and security is how to ensure that the data contained in the records is accurate and remains unadulterated by unauthorized users. To assess your integrity risks, the ONC recommends that you consider these questions:

  • Who will be allowed to create or modify an EHR or the ePHI contained in it?
  • How will I know if someone has altered or deleted data in an EHR?
  • If I participate in a HIO, how will I know whether the health information I exchange is altered in an unauthorized manner?
  • If my EHR system allows patients to access their health record/information online, will I allow patients to modify any of the health information in their EHRs? If so, what information?

3. Availability: You may want to improve your patients’ access to their own medical records, but how can you do so without compromising security? To assess your availability risks, the ONC offers these evaluation points:

  • How will I ensure that ePHI, regardless of where it resides, is readily available to authorized users for authorized purposes, including after normal office hours?
  • Do I have a backup strategy for EHRs in the event of an emergency, power outage or computer crash?
  • If I participate in a HIO, does it have performance standards for network availability?
  • If my EHR system allows patients online access to their health records/information, will I allow 24/7 access?
