RIGHT TO ACCESS - Wild Apricot · HIPAA AUDITS “The audits are coming, the audits are coming!”...

RIGHT TO ACCESS AND SECURITY RISK ANALYSIS Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS

Transcript of RIGHT TO ACCESS - Wild Apricot · HIPAA AUDITS “The audits are coming, the audits are coming!”...

Page 1: RIGHT TO ACCESS - Wild Apricot · HIPAA AUDITS “The audits are coming, the audits are coming!” No longer delayed, audits are here! “Compliance email heard around the world”

RIGHT TO ACCESS AND

SECURITY RISK ANALYSIS

Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS

Page 2

WHAT WE’LL COVER

HHS FAQ Overview

Authorization vs Right to Access

Record Formats & Delivery Methods

Reasonable, cost-based fee*

Third-Party Direction

Examples

RIGHT TO ACCESS

Page 3

EXAMPLES

Page 4

EXAMPLES

Page 5

EXAMPLES

Page 6

DATAFILETECHNOLOGIES.COM | 816.437.9134

CULTIVATING & CONNECTING HEALTHCARE EXPERTS

FEBRUARY 25, 2016

Emphasizes a patient’s right to receive a copy of their medical information

RIGHT TO ACCESS

Page 7

RELEASED HHS FAQ

Delivery formats of PHI

Reasonable, cost-based fee for information

Right to transmit information to a third party

RIGHT TO ACCESS

Page 8

AUTHORIZATION vs RIGHT TO ACCESS

WHAT’S THE DIFFERENCE?

Authorization – 45 CFR 164.508

Disclosure of PHI outside of T/P/O and the Privacy Rule

Permits disclosure

Required Elements:

• Description of PHI

• Entity authorized to release

• Entity authorized to receive

• Description of purpose of disclosure

• Expiration date

• Signature and date

• Statements, like Right to Revoke

Right to Access – 45 CFR 164.524

The right of an individual or personal representative to obtain records

Requires disclosure, except where an exception applies

Designated Record Set

Is not always required to be in writing

• Notice of Privacy Practices

Without unreasonable delay

Page 9

EXAMPLES

Page 10

RECORD PRODUCTION

Paper

• If maintained electronically, CE expected to deliver requested information on paper

Electronic

• If maintained electronically, CE expected to deliver if readily producible

• If requested format not available, access should be provided in another format agreed upon with the requester

RIGHT TO ACCESS

Page 11

RECORD PRODUCTION

Electronic

• Email is okay

– Secure

– Unsecured: patient must acknowledge and sign off on the risks, and the procedure should be addressed in your Security Risk Analysis

• Assumed all CEs can produce PHI this way

– Exception: file size too large

RIGHT TO ACCESS

Page 12

EXAMPLES

Page 13

HHS / OCR believes this is the fast and cheap way…

Page 14

Prevalence of EHR systems

Patient Portal Access

Another means to foster communication between providers

• DIRECT

• HIEs

• HISPs

Structured Data

WHY AN ELECTRONIC EMPHASIS?

Page 15

REASONABLE, COST-BASED FEE*

RIGHT TO ACCESS

Labor for copying the PHI

Supplies for creating the copy or electronic media

Postage where applicable

Preparation of a Summary of the PHI where applicable

*Anyone else think a few costs are missing?

Page 16

This is after the PHI relevant to the request has been…

• Identified

• Retrieved or collected

• “Ready to be copied”

Specifically does not include…

• Reviewing the request for Access

• Searching for, locating, reviewing the PHI

• Segregating PHI

Can only charge for “copying”

RIGHT TO ACCESS

REASONABLE, COST-BASED FEE*

Page 17

Three methods allowed to determine cost

Average Cost

• Fee schedule

Actual Cost

• Determine cost each and every time?

Flat Fee

• Electronic cost suggested fee

• May 2016 clarification

RIGHT TO ACCESS

REASONABLE, COST-BASED FEE*

Page 18

WHY DATAFILE?

*Electronic copies do not allow for per page fees…

Page 19

THIRD PARTY DIRECTION

“Right to Access” allows patients to direct that their PHI be sent to a third party

• Examples given in the guidance

– Another Provider

– Researcher

– Consumer Tool

Requests may look similar to Authorizations

• Do they have a patient directive?

– Yes – likely a Right to Access request

– No – likely an Authorization

RIGHT TO ACCESS

Page 20

The recent guidance has created confusion.

Limitations on where and to whom these records can go are not established.

MUDDIED WATERS

Page 21

THIRD PARTY DIRECTION

Increased prevalence of attorneys utilizing Right to Access Requests

• Patient letter – “I authorize”

• “The Kitchen Sink” approach

• Cite HITECH

• Direct the format outside of the patient letter

Why the increase?

RIGHT TO ACCESS

Page 22

EXAMPLES

AUTHORIZATION RIGHT TO ACCESS

Page 23

EXAMPLES

AUTHORIZATION RIGHT TO ACCESS

Page 24

EXAMPLES

IS THIS SUFFICIENT FOR RIGHT TO ACCESS?

Page 25

WHAT’S NEXT?

Page 26

JUST BECAUSE YOU CAN DOESN’T MEAN YOU SHOULD

WHAT’S NEXT?

Page 27

WHAT WE’LL COVER

What is a Security Risk Analysis (SRA)?

Who needs a SRA?

Why is a SRA important for my practice?

Which items need to be documented?

Where do I go from here?

SECURITY RISK ANALYSIS

Page 28

SECURITY RISK ANALYSIS

BUT FIRST…

Page 29

ASSESSMENT VERSUS ANALYSIS

Risk Analysis – Security Rule

Security Risk Analysis is the preferred terminology when discussing SRA

Risk Assessment – Privacy Rule, Breach Notification Rule

Often used interchangeably with Security Risk Analysis

SECURITY RISK ANALYSIS

Page 30

SECURITY RISK ANALYSIS

HEALTHCARE’S VERSION OF TAXES…

Page 31

THINK ABOUT TAX SEASON…

SECURITY RISK ANALYSIS

Page 32

SECURITY RISK ANALYSIS

WHO DO YOU TRUST?

[Diagram: THREAT, ASSET and VULNERABILITY together make up RISK]

Security Risk Analysis required by HIPAA, Meaningful Use, and now MIPS

Like taxes, do you do your SRA in house, or trust a professional?

Page 33

SECURITY RISK ANALYSIS

WHAT IS A SECURITY RISK ANALYSIS?

(Besides another item on your to do list annually)

Page 34

SECURITY RISK ANALYSIS

WHAT IS A SECURITY RISK ANALYSIS?

An analysis of HIPAA in your practice

Comprehensive assessment to document / work towards HIPAA compliance

Should be done on an annual basis

Must have an associated Work Plan to remediate any deficiencies that are found

Hardest part of Risk Analysis is to review IT infrastructure to determine where PHI could be at risk

Page 35

SECURITY RISK ANALYSIS

WHO NEEDS A SECURITY RISK ANALYSIS?

COVERED ENTITY

• PROVIDER

• PAYMENT

• PLAN / PAYER

BUSINESS ASSOCIATE

• WHO ACCESSES PHI?

• RELEASE OF INFORMATION

• ATTORNEY

• OTHERS

Page 36

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk analysis of their healthcare organization. A risk analysis helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards.

SECURITY RISK ANALYSIS

SECURITY RISK ANALYSIS DEFINITION

Page 37

SECURITY RISK ANALYSIS

MEANINGFUL USE

Meaningful Use requires a SRA

Stage 1 – Core 15 / Core 13: “Protect health information”

Stage 2 – Core 9: “Protect health information”

Stage 3 – Measure 1: “Protect electronic patient health information”

Page 38

MACRA & MIPS

MIPS requires a SRA

Advancing Care Information

Receive 0 points for the category if no SRA

Loss of 25% of your overall score!

SECURITY RISK ANALYSIS

Page 39

SECURITY RISK ANALYSIS

WHY IS A SRA IMPORTANT FOR ME?

(Do you like paying government fines?)

Page 40

SECURITY RISK ANALYSIS

MEANINGFUL USE AUDITS

Audits targeted at up to 20% (1 in 5) of eligible providers

Either Pre or Post payment of incentive funds

Failed audits trigger additional audits for other years and providers

Most failed measure: SRA

Consider a Mock Audit as a “health check”

Still happening even though Medicare program is over!

Expect we will see similar audits under MIPS

Page 41

SECURITY RISK ANALYSIS

HIPAA ENFORCEMENT

HIPAA Regulations are enforced by HHS-OCR

Enforcement Activities

• 2015 Random Audit Program

• Breach Investigations

– Covered entities

– Business Associates

• Complaint Investigations

– Dissatisfied patients

– Disgruntled employees

Page 42

SECURITY RISK ANALYSIS

HIPAA AUDITS

“The audits are coming, the audits are coming!”

No longer delayed, audits are here!

“Compliance email heard around the world”

• 200 Desk Audits & 24 Comprehensive (Onsite) Audits

• Business Associates – Phase 2

• Utilize HHS / OCR Portal to Upload Information

• 10 days to respond / upload information

• Size, Location, Services, Other Information, BA

Page 43

SECURITY RISK ANALYSIS

HIPAA AUDITS

Covered Entity Audits – 166 total

• 103 Privacy and Breach Rules

• 63 Security Rule

• 90% Provider

Business Associates – 41 total

• Breach and Security Rules

Page 44

SECURITY RISK ANALYSIS

HIPAA AUDITS

Security Rule Audit

• Risk Analysis

• Risk Management

Of the 63 Covered Entities audited, one received an “in compliance” score

• 30 failed

• 52 negligible effort – essentially a fail

The OCR is placing emphasis on the Security Rule

Page 45

SECURITY RISK ANALYSIS

HOW DO BREACHES OCCUR?

Breaches can occur when Protected Health Information is:

Lost

Stolen

Accessed in an unauthorized fashion

Transmitted in an insecure manner

Page 46

SECURITY RISK ANALYSIS

2017 BREACHES

345 incidents impacting 500+ patients (327 in 2016)

4,721,844 patients impacted

41% - 142 hacking incidents (25% increase from 2016); 10% of incidents in 2012

25% - 85 email breaches (60% increase from 2016); 10% in 2012

29% - 55 breaches from lost or stolen devices (78 in 2016); 40% in 2012

Page 47

HIPAA HISTORY

In the past small entities have mostly ignored HIPAA

• Didn’t understand HIPAA

• Cost too much for a consultant

• Took too much time

• Not much electronic data

• Not much hacking

• Not so many breaches

• Not so many audits

• Not so many fines

HIPAA can no longer be ignored!

SECURITY RISK ANALYSIS

Page 48

SECURITY RISK ANALYSIS

WHAT CMS SAYS ABOUT HIPAA

“The Security Risk Analysis is NOT optional for small providers”

“Simply installing a certified EHR DOES NOT fulfill the security risk analysis MU requirement”

“Your EHR vendor DOES NOT take care of everything needed to do about privacy and security”

“A checklist DOES NOT suffice for the risk analysis requirement”

“The risk analysis needs to be performed annually”

“The security risk analysis needs to look at not just the EHR, but your whole IT infrastructure”

“It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional”

Page 49

SECURITY RISK ANALYSIS

WHICH ITEMS NEED TO BE DOCUMENTED?

(Or it didn’t happen!)

Security Risk Analysis (and associated Work Plan or Gap Analysis)

Policies and Procedures

Employee Training

Documentation

Page 50

SECURITY RISK ANALYSIS

POLICIES & PROCEDURES DOCUMENTATION

Every practice needs policies and procedures for both HIPAA Privacy and Security Rules

These can be obtained from a variety of sources, and should be inexpensive

Someone at your practice needs to be responsible for enforcing these Policies & Procedures (Compliance / Security / Privacy Officer)

Page 51

Understand that you are not HIPAA compliant if you have not documented it

• You can only withstand an audit through proper documentation

• This includes a strong Security Risk Analysis

• Practices have received large fines for lack of documentation

• What should be documented:

– Security Risk Analysis

– Gap Analysis

– Policies / Procedures

– Training

– Media Disposal

– Security Incidents

– Computer Log Reviews

SECURITY RISK ANALYSIS

DOCUMENT, DOCUMENT, DOCUMENT!

Page 52

SECURITY RISK ANALYSIS

SECURITY RISK ANALYSIS ELEMENTS

Columns of the SRA worksheet:

• Threat / Vulnerability Statement

• Existing Controls

• Risk (color code)

• Control Effectiveness

• Likelihood

• Impact

• Overall Risk Rating

• Additional Considerations

• Work Plan Updates

• Due Date

• Responsibility
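The elements above map directly onto a small risk register. The Python below is an added example, not material from the presentation or from Datafile: the 1–5 likelihood and impact scales, the rating thresholds behind the colour code and the due-date windows are assumptions, and the register entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scoring scales: the slide lists the SRA columns but does not define
# how Likelihood and Impact are scored, so 1..5 ordinal scales are used here.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed Work Plan due-date windows (days) per colour band.
DUE_DAYS = {"red": 30, "yellow": 90}
# Constructed reference date so the example is reproducible offline.
TODAY = date(2018, 1, 1)


@dataclass
class RiskItem:
    threat_vulnerability: str      # Threat / Vulnerability Statement
    existing_controls: str         # Existing Controls
    control_effectiveness: str     # "effective", "partial" or "none"
    likelihood: str                # key of LIKELIHOOD
    impact: str                    # key of IMPACT
    responsibility: str = "Security Officer"
    additional_considerations: str = ""


def overall_rating(item: RiskItem) -> int:
    """Overall Risk Rating = likelihood score x impact score (1..25)."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def color_code(rating: int) -> str:
    """Map the numeric rating onto the colour-coded Risk column."""
    if rating >= 15:
        return "red"
    if rating >= 6:
        return "yellow"
    return "green"


def work_plan(items, today: date):
    """Build Work Plan rows (update, due date, responsibility) for every item
    that is not green, or whose existing controls are not rated effective."""
    plan = []
    for item in items:
        rating = overall_rating(item)
        color = color_code(rating)
        if color == "green" and item.control_effectiveness == "effective":
            continue  # documented as accepted; no remediation row needed
        # An ineffective control on a low-rated risk still gets a row, with
        # the longest window.
        days = DUE_DAYS.get(color, 180)
        plan.append({
            "threat_vulnerability": item.threat_vulnerability,
            "risk": color,
            "rating": rating,
            "update": f"Remediate: {item.existing_controls} rated {item.control_effectiveness}",
            "due_date": today + timedelta(days=days),
            "responsibility": item.responsibility,
        })
    plan.sort(key=lambda row: -row["rating"])  # highest rating first
    return plan


# Constructed sample register (not taken from the presentation).
SAMPLE_REGISTER = [
    RiskItem("Lost or stolen laptop holding ePHI", "Full-disk encryption", "effective", "possible", "severe"),
    RiskItem("PHI sent by unsecured email", "Patient risk acknowledgement form", "partial", "likely", "moderate"),
    RiskItem("No review of EHR access logs", "None", "none", "unlikely", "minor"),
]
```

Running `work_plan(SAMPLE_REGISTER, TODAY)` yields three rows, ordered red, yellow, green, each carrying the due date and the responsible role the worksheet columns call for.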

Page 53

SECURITY RISK ANALYSIS

SECURITY RISK ANALYSIS DOCUMENT

Page 54

SECURITY RISK ANALYSIS

SECURITY RISK ANALYSIS DOCUMENT

Page 55

SECURITY RISK ANALYSIS

SECURITY RISK ANALYSIS DOCUMENT

Page 56

SECURITY RISK ANALYSIS

ANNUAL TRAINING

Employees must be trained on HIPAA before they start work in your practice

All other employees must be trained annually

Third parties can provide HIPAA Educational services

Keep records of training!

Page 57

• Ensure you have a Privacy / Security Officer!

• In-House

– HHS (Health and Human Services) / OCR (Office for Civil Rights) Tool

– EHR Vendor may offer service for a fee

• Healthcare Attorney

– May also utilize Healthcare IT group

• Experienced Third Party

SECURITY RISK ANALYSIS

WHERE DO I GO FROM HERE?

You have to start somewhere!

Page 58

SECURITY RISK ANALYSIS

IN SUMMARY…

Security Risk Analysis Audits are no longer limited to MU

Protect your practice and your investment – utilize professional service tools for your SRA.

Sleep soundly at night!

Page 59

Thank You

Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS

[email protected]

Twitter: @KAWickenhauser

bit.ly/KAWresource