Meaningful Use and HIPAA Compliance… · HIPAA Compliance: How Meaningful Use is Pushing You into...

Post on 14-Aug-2020


Meaningful Use and

HIPAA Compliance

How Meaningful Use is Pushing You into complete HIPAA compliance

Who Am I?

John Brewer

• Medical IT

• HIPAA Compliance

• Meaningful Use Security Risk Analysis Stage 1 Core Item #15

Topics Today

• Meaningful Use Security Risk Analysis

– Stage 1 vs. Stage 2

• 5 Biggest HIPAA Mistakes

Informal Poll

• Facility size?

• How many have attested for Stage 1?

What’s the Point??

The point of HIPAA is to: Reduce the risk of a data breach to the practice.

Fines & Penalties

• Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5)

• A data breach could put the practice out of business

• A data breach could put you in bankruptcy

Why risk this?

Summary of Fines & Penalties

Minimum: $100 per violation

Up to $25,000 in a year

Maximum: $50,000 per violation

Up to $1.5 million in a year

Why risk any of this?

Why Are We Talking Stage 1??

• A large number of facilities have not yet attested for Stage 1 Meaningful Use

• A large number of those facilities that have attested for Stage 1 Meaningful Use did not do a Risk Assessment during their 90 day window

Stage 1 Core Item #15

REQUIREMENT:

Protect Electronic Health Information

Simple enough…right?

Stage 1 Core Item #15

Expanded requirement…

Stage 1 Core Item #15

Expanding even further…

Stage 1 Core Item #15

What does this mean?

• In the 90 day window of your first attestation period you must conduct a Security Risk Analysis (SRA).

• This first SRA is not expected to be perfect

Conduct or Review

What word was missing from my sentence on the previous slide?

REVIEW

Many like to nit-pick this and point out that they did a review.

Remember…what is the point of this process? Reduce the risk of a fine to the practice and YOU.

Auditor Shows Up And…

Do you really want to do a “tap dance” on this point with an auditor who has the ability to take back that check you just got?

Security Risk Analysis

• You are expected to get a “snapshot” of the risk level of your practice

• Implement a plan to fix your deficiencies

• All deficiencies should be rectified by the next SRA

Security Risk Analysis

• Subsequent SRAs must be accomplished annually

• Deficiencies discovered in each SRA are expected to be rectified by the next SRA

• No different from any other audit

Stage 1 Core Item #15

So we have to…

Conduct a Security Risk Analysis

Why are we talking about Stage 1??

Conduct a Security Risk Analysis

It’s Not That Simple

See how that one sentence, single item requirement ballooned into a huge process?

This is Another point of frustration for everyone…

Meaningful Use Risk Analysis

Stage 1 vs. Stage 2

Meaningful Use Stage 2

The focus is now on data security…specifically encryption of “at rest” data.

At-rest data is the information that is stored on a hard drive (as opposed to data moving across a network).

At Rest Data Encryption

This means the entire hard drive of your server must be encrypted

OR

The portion of your hard drive that contains PHI must be encrypted

At Rest Data Encryption

The big question going forward is who will do the encryption???

• Will the EHR vendor encrypt the data?

• Will the end user be required to encrypt the server?

5 Biggest HIPAA Mistakes

1. Old / Inadequate / Non-Existent HIPAA Policies

2. Lack of HIPAA Training

3. No Associates Agreement

4. Emailing of PHI

5. No Disaster / Contingency Operations Plan

5 Biggest HIPAA Mistakes

Old / Inadequate / Non-Existent HIPAA Policies

– Are your HIPAA policies older than your EHR?

– Are your HIPAA policies updated annually?

If you have to hesitate to answer these questions, then the policies are too old…

5 Biggest HIPAA Mistakes

Lack of HIPAA Training

– Does your office accomplish annual HIPAA Awareness Training?

– Is it logged?

– Do you accomplish Security Reminders?

• Do you know what these are??

If you have to hesitate to answer these questions, then your training is inadequate

5 Biggest HIPAA Mistakes

No Associates Agreement

– Does your office have one?

– Is one on file for every consultant/contractor that has access to the back office or your computers?

• Cleaning Crew

• Outsourced IT support

• EHR Vendor

• Coding consultants

– Is it renewed annually?

– OMNIBUS – what is it and what does that mean?

5 Biggest HIPAA Mistakes

Emailing of PHI

– Secure email vs Patient Portal

**WARNING: Soap Box Speech**

5 Biggest HIPAA Mistakes

No Disaster / Contingency Operations Plan

– The Cloud does not count for this

– In-depth and planned in advance

– During a disaster you will need guidance

– Similar to a will in that it is painful to go through the process, but you will feel great once it is complete.

Conclusion

• Meaningful Use Security Risk Analysis

– Stage 1 vs. Stage 2

• 5 Biggest HIPAA Mistakes

Questions??

JohnBrewer.me