Meaningful Use and HIPAA Compliance… · HIPAA Compliance: How Meaningful Use is Pushing You into...

Meaningful Use and HIPAA Compliance How Meaningful Use is Pushing You into complete HIPAA compliance

Transcript of Meaningful Use and HIPAA Compliance… · HIPAA Compliance: How Meaningful Use is Pushing You into...

Page 1

Meaningful Use and

HIPAA Compliance

How Meaningful Use is Pushing You into complete HIPAA compliance

Page 2

Who Am I?

John Brewer

• Medical IT

• HIPAA Compliance

• Meaningful Use Security Risk Analysis Stage 1 Core Item #15

Page 3

Topics Today

• Meaningful Use Security Risk Analysis

– Stage 1 vs. Stage 2

• 5 Biggest HIPAA Mistakes

Page 4

Informal Poll

• Facility size?

• How many have attested for Stage 1?

Page 5

What’s the Point??

The point of HIPAA is to:

Reduce the Risk of a data breach to the Practice

Page 6

Fines & Penalties

• Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5)

• A data breach could put the practice out of business

• A data breach could put you in bankruptcy

Why risk this?

Page 7

Summary of Fines & Penalties

Minimum: $100 per violation

Up to $25,000 in a year

Maximum: $50,000 per violation

Up to $1.5 million in a year

Why risk any of this?

Page 8

Why Are We Talking Stage 1??

• A large number of facilities have not yet attested for Stage 1 Meaningful Use

• A large number of the facilities that have attested for Stage 1 Meaningful Use did not do a Risk Assessment during their 90-day window

Page 9

Stage 1 Core Item #15

REQUIREMENT:

Protect Electronic Health Information

Simple enough…right?

Page 10

Stage 1 Core Item #15

Expanded requirement…

Page 11

Stage 1 Core Item #15

Expanding even further…

Page 12

Stage 1 Core Item #15

What does this mean?

• In the 90-day window of your first attestation period you must conduct a Security Risk Analysis (SRA).

• This first SRA is not expected to be perfect

Page 13

Conduct or Review

What word was missing from my sentence on the previous slide?

REVIEW

Many like to nit-pick this and point out that they did a review.

Remember…what is the point of this Process?

Page 14

Reduce the Risk of a fine to the Practice and YOU

Page 15

Auditor Shows Up And…

Do you really want to do a “tap dance” on this point with an auditor who has the ability to take back that check you just got?

Page 16

Security Risk Analysis

• You are expected to get a “snapshot” of the risk level of your practice

• Implement a plan to fix your deficiencies

• All deficiencies should be rectified by the next SRA

Page 17

Security Risk Analysis

• Subsequent SRAs must be accomplished annually

• Deficiencies discovered in each SRA are expected to be rectified by the next SRA

• No different from any other audit

Page 18

Stage 1 Core Item #15

So we have to…

Why are we talking about Stage 1??

Page 19

Conduct a Security Risk Analysis

Page 20

Conduct a Security Risk Analysis

Page 21

It’s Not That Simple

See how that one-sentence, single-item requirement ballooned into a huge process?

This is another point of frustration for everyone…

Page 22

Meaningful Use Risk Analysis

Stage 1 vs. Stage 2

Page 23

Meaningful Use Stage 2

The focus is now on data security…specifically encryption of “at rest” data.

At-rest data is the information that is stored on a hard drive.

Page 24

At Rest Data Encryption

This means the entire hard drive of your server must be encrypted

OR

The portion of your hard drive that contains PHI must be encrypted

Page 25

At Rest Data Encryption

The big question going forward is who will do the encryption???

• Will the EHR vendor encrypt the data?

• Will the end user be required to encrypt the server?

Page 26

5 Biggest HIPAA Mistakes

1. Old / Inadequate / Non-Existent HIPAA Policies

2. Lack of HIPAA Training

3. No Associates Agreement

4. Emailing of PHI

5. No Disaster / Contingency Operations Plan

Page 27

5 Biggest HIPAA Mistakes

Old / Inadequate / Non-Existent HIPAA Policies

– Are your HIPAA policies older than your EHR?

– Are your HIPAA policies updated annually?

If you have to hesitate to answer these questions, then the policies are too old…

Page 28

5 Biggest HIPAA Mistakes

Lack of HIPAA Training

– Does your office accomplish annual HIPAA Awareness Training?

– Is it logged?

– Do you accomplish Security Reminders?

• Do you know what these are??

If you have to hesitate to answer these questions, then your training is inadequate

Page 29

5 Biggest HIPAA Mistakes

No Associates Agreement

– Does your office have one?

– Is one on file for every consultant/contractor that has access to the back office or your computers?

• Cleaning Crew

• Outsourced IT support

• EHR Vendor

• Coding consultants

– Is it renewed annually?

– OMNIBUS – what is it and what does that mean?

Page 30

5 Biggest HIPAA Mistakes

Emailing of PHI

– Secure email vs Patient Portal

**WARNING: Soap Box Speech**

Page 31

5 Biggest HIPAA Mistakes

No Disaster / Contingency Operations Plan

– The Cloud does not count for this

– In-depth and pre-planned

– During a disaster you will need guidance

– Similar to a will in that it is painful to go through the process, but you will feel great once it is complete.

Page 32

Conclusion

• Meaningful Use Security Risk Analysis

– Stage 1 vs. Stage 2

• 5 Biggest HIPAA Mistakes

Page 33

Questions??

JohnBrewer.me