Tip: Outline your plan in writing now to protect yourself later.

According to the HHS-OCR breach portal, 2017 is turning out to be a banner year, with 84 breaches reported so far, impacting over 1,730,000 people since Jan. 1. With odds like these for just the first quarter alone, it’s time to accept that HIPAA breaches big and small happen — no matter how thorough the compliance plan. Visit the HHS-OCR breach portal at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Here’s the Problem

Many practices are making an effort to follow the HIPAA Privacy Rule to the letter, but that doesn’t always translate to the Security Rule, which requires a more in-depth understanding of patient protection. And if you don’t analyze your security and implement it properly, you run the risk of a breach, followed by an audit, and a significant amount of lost time and money.

Context: The HIPAA Security Rule is a multi-layered regulation that requires analysis and management of your policies, procedures, and health IT systems in order to protect PHI and ePHI. And if you are audited, you must show that you’ve met the administrative, physical, and technical safeguards outlined in the rule — meeting both the federal and state mandates. For a refresher on the rule, visit https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/.

Caveat: So, what happens to the practitioner who protects patient privacy by following the HIPAA Privacy Rule to the letter but doesn’t meet the demands of the Security Rule?

“Oftentimes these providers are doing a good job with the Privacy Rule,” notes Brand Barney, CISSP, HCISPP, QSA, security analyst with SecurityMetrics in Orem, UT. “And they think they’re compliant, and in 100 percent of the cases I’ve seen that is not what I uncover.”

What happens is they invest in advertised HIPAA-compliant solutions that they’ve seen at a conference, in an email plug, or on a webinar and assume they are now in compliance, Barney suggests. “But 9 times out of 10 that is patently false. Those tools are fantastic but are dependent on you [the staff] using them properly,” he points out.

Consider this: Doing an internal risk assessment is a good place to start and will help you determine where your practice is the most vulnerable. Take a look at these five areas where Barney sees practices losing ground in the healthcare compliance and security game:

1. Human Error: Most violations are caused by staff, who accidentally expose PHI or ePHI due to a lack of education on HIPAA security. “Fix your people. They are prone to human error,” Barney recommends. “You can buy a super cool product [CEHRT], but unfortunately your people don’t know how to use it.” And that’s a problem, especially if you’ve invested a lot of money in health IT products that your staff doesn’t know how to utilize.

2. Configurations: Once you get past the privacy part, security is about properly configuring your system. “The tools aren’t necessarily plug-in and play. A lot of these devices come with defaults to allow access to networks, but proper configuration of them is massively important,” Barney advises. “It can be as simple as a well-configured firewall that stops attackers from accessing your PHI.”

3. Logging and Monitoring: This area of the HIPAA Security Rule is critical and often overlooked or not properly followed. “Practices should be looking at the integrity of the systems; oftentimes they don’t,” Barney mentions. And if you don’t, “How do you know when there’s a problem?” For example: “They [systems] continue to blast with alerts, but the staff has no training. They find it too noisy and turn it off. So when there’s a real breach they have no idea,” Barney cautions. “If you have no logging and monitoring mechanisms, you are in deeper than you want to be.” He adds, “I can’t stress this piece enough. Properly log and monitor your networks and systems. Attackers are banking on you having no insight, then they walk away with your data, and you are none the wiser.”

4. Business Associates: “You should consider all vendors and business associates that can impact the PHI/ePHI environment,” Barney says. “It is easy to identify that you share data with a billing service provider, but are you identifying that HVAC vendor that has remote access to your networks?” Planning a business associate agreement is more than just the paperwork — all parties that create, receive, transmit, and maintain your practice PHI and/or ePHI must be included, he adds. “Once you have identified them, you should consider processes for them to demonstrate that they are truly handling your security and their own in a satisfactory method.”

5. Policies and Procedures: After you’ve assessed, analyzed, and implemented security to comply with HIPAA, you must prove it in writing. “Documentation is key,” Barney says. And before they investigate your breach, “the OCR will say, ‘Shoot us your policies and procedures.’ And they are going to go in with the assumption that you’ve done nothing, especially if you have no documentation.” Moreover, “privacy is usually documented quite well by most practices. But when it comes to detailing policies and procedures for the HIPAA Security Rule — items like incident response plan, encryption, firewall configuration standards, emergency mode operations — entities are negligent,” he notes.

Remember: Steep penalties may ensue if you don’t have your ducks in a row. “Through recent settlements, the OCR has demonstrated its propensity to impose significant fines on entities that fail to implement appropriate safeguards, independent of the number of affected individuals or the content of the protected health information included in a particular breach,” reminds attorney John E. Morrone, Esq., a partner at Frier Levitt Attorneys at Law in Pine Brook, NJ.
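The logging and monitoring point (item 3 above) is easier to act on with something concrete. What follows is an added example, not code from the article, from SecurityMetrics, or from any EHR vendor: a small Python monitor run over a constructed EHR access-audit log. The log line format, the role list, the clinical hours, the internal address range, and the bulk-access threshold are all assumptions made for illustration. It flags the kinds of events a practice would want a person to review (access by a role that should not touch patient records, after-hours access, access from outside the practice network, and bulk record access) and then collapses repeated findings into counts, so staff receive a short daily digest rather than one alert per line, which is the usual reason the alerts end up switched off.

```python
"""Minimal ePHI access-log monitor (added example; not from the article)."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample audit lines in a hypothetical format:
# <ISO timestamp> <user> <role> <action> <patient id> <source IP>. Not real data.
SAMPLE_LOG = """\
2017-04-03T09:12:01 jsmith nurse VIEW P1001 10.0.0.12
2017-04-03T09:13:40 jsmith nurse VIEW P1002 10.0.0.12
2017-04-03T21:45:10 bjones billing VIEW P1003 10.0.0.40
2017-04-03T21:46:02 bjones billing VIEW P1004 10.0.0.40
2017-04-03T21:46:55 bjones billing EXPORT P1005 10.0.0.40
2017-04-04T02:10:00 hvac-vendor contractor VIEW P1001 203.0.113.7
2017-04-04T02:10:05 hvac-vendor contractor VIEW P1002 203.0.113.7
2017-04-04T02:10:09 hvac-vendor contractor VIEW P1003 203.0.113.7
2017-04-04T02:10:12 hvac-vendor contractor VIEW P1004 203.0.113.7
2017-04-04T10:00:00 dlee physician VIEW P1001 10.0.0.20
"""

# Assumed practice policy (hypothetical values): only these roles may open
# patient records, clinical hours are 07:00-19:00, the practice LAN is 10.0.x.x,
# and touching 3 or more distinct records within 5 minutes counts as bulk access.
ALLOWED_ROLES = {"nurse", "physician", "billing"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
INTERNAL_PREFIX = "10.0."
BULK_THRESHOLD, BULK_WINDOW_SECONDS = 3, 300


def parse_line(line):
    """Split one audit line into a dict; the timestamp becomes a datetime."""
    ts, user, role, action, patient, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient, "ip": ip}


def detect(lines):
    """Return a list of (rule, user) findings, one entry per offending event."""
    events = [parse_line(l) for l in lines if l.strip()]
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["role"] not in ALLOWED_ROLES:
            findings.append(("role_not_permitted", e["user"]))
        if not (BUSINESS_START <= e["ts"].time() <= BUSINESS_END):
            findings.append(("after_hours_access", e["user"]))
        if not e["ip"].startswith(INTERNAL_PREFIX):
            findings.append(("external_source", e["user"]))
        by_user[e["user"]].append(e)

    # Bulk access: for each user, slide a window over their time-sorted events
    # and count distinct patient records inside it. One finding per user.
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= BULK_WINDOW_SECONDS]
            if len({x["patient"] for x in window}) >= BULK_THRESHOLD:
                findings.append(("bulk_record_access", user))
                break
    return findings


def digest(findings):
    """Collapse repeated findings into {(rule, user): count} so the alert
    stream stays short enough that nobody is tempted to turn it off."""
    return dict(Counter(findings))


def run(log_text=SAMPLE_LOG):
    """Parse, detect and summarise; returns the digest for the caller."""
    return digest(detect(log_text.splitlines()))


if __name__ == "__main__":
    for (rule, user), count in sorted(run().items()):
        print(f"{count:3d}  {rule:<20} {user}")
```

On the constructed log this yields 17 individual findings but only six digest lines: the billing user working late and pulling three records in under two minutes, and the HVAC vendor account opening four records from an external address at 2 a.m. (the kind of remote vendor access item 4 warns about). The per-event findings stay in the log for an investigator; the digest is what a trained staff member reviews each morning. Thresholds and hours are set per practice and should be written into the monitoring procedure that item 5 says the OCR will ask for.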