Tuesday, November 4, 2014
HIPAA Compliance: Never a Final Word
By: Susan Pretnar, President, KeySys Health, LLC
How is it possible that when new guidance is issued from CMS around the Meaningful Use core objective to conduct a security risk analysis, the message ends up muddled? On Oct 6, 2014, CMS issued a new FAQ on their web site to respond to a question that states:
How can a provider meet the “Protect Electronic Health Information” core objective in the Electronic Health Records (EHR) Incentive Programs?
The first sentence of the response seems clear enough (emphasis added):
To meet the “Protect Electronic Health Information” core objective for Stage 1, eligible professionals (EP), eligible hospitals or critical access hospitals (CAH) must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.
However, the next paragraph is truly a puzzler:
In Stage 2, in addition to meeting the same security risk analysis requirements as Stage 1, EPs and hospitals will also need to address the encryption and security of data stored in the certified EHR technology (CEHRT).
One has to wonder how the ‘certified’ EHR technology got certified in the first place if it had weaknesses in how it handled encryption and security of the data stored in its databases. Or, why aren’t your ‘uncertified’ PACS system, unencrypted emails and text messages of greater concern than software that was supposed to be ‘certified’? Why does CMS single out only the EHR systems, when the HIPAA Security Rule does not? But, I digress.
Further down the FAQ comes the following statement, which, in my limited experience, has been taken to heart by those who are actually conducting the audits of HIPAA compliance and Meaningful Use attestations:
This meaningful use objective complements, but does not impose new or expanded requirements on the HIPAA Security Rule.
What does this mean? If you are complying with 45 CFR 164.308(a)(1) you have done a comprehensive job of assessing or reviewing the policies and procedures that constitute your ‘risk management process’, analyzing any gaps in your program against the HIPAA requirements in 45 CFR, and you’ve established a risk remediation plan that assures you are closing known vulnerabilities.
CMS concedes that ‘Once the risk analysis is completed, providers must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.’ This statement is the crux of what is required of covered entities (CEs) and their Business Associates.
If CMS is not imposing new or expanded requirements on the HIPAA Security Rule, then it must accept that a new ‘risk analysis’ need not be conducted in every year of attestation as long as the ongoing risk management process includes review of policies, procedures and plans, not just annually, but whenever significant changes are made to technology, facilities or staff that impact ePHI in particular.
If you have attested to Meaningful Use and accepted incentive payments, but you have not implemented a security risk management process, or you have never conducted a security risk assessment and have no documented plan to remediate gaps in your security posture, perhaps it is time to secure expert legal advice.
The risk of audit, however, is not the compelling reason to implement a risk management program, any more than averting a lawsuit is the sole purpose of conducting clinical risk reviews. The business of healthcare requires ‘doing no harm’ by keeping patients safe, including their protected health information. The financial and reputational impact of failing either task can be significant.
For various reasons, a large number of healthcare entities and their business associates feel no compunction about shelving efforts to identify their risks and securely manage their data and information systems. It’s as if that effort, unlike their other business activities, can be suspended without impact.