TRANSCRIPT
RIGHT TO ACCESS AND
SECURITY RISK ANALYSIS
Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS
WHAT WE’LL COVER
HHS FAQ Overview
Authorization vs Right to Access
Record Formats & Delivery Methods
Reasonable, cost-based fee*
Third-Party Direction
Examples
RIGHT TO ACCESS
EXAMPLES
DATAFILETECHNOLOGIES.COM | 816.437.9134
CULTIVATING & CONNECTING HEALTHCARE EXPERTS
RIGHT TO ACCESS
HHS FAQ RELEASED FEBRUARY 25, 2016
Emphasizes a patient’s right to receive a copy of their medical information
Delivery formats of PHI
Reasonable, cost-based fee for information
Right to transmit information to a third party
AUTHORIZATION vs RIGHT TO ACCESS
WHAT’S THE DIFFERENCE?
Authorization – 45 CFR 164.508
• Covers disclosures of PHI not otherwise permitted for treatment, payment, or health care operations (T/P/O) or elsewhere under the Privacy Rule
• Permits disclosure
• Required elements:
– Description of PHI
– Entity authorized to release
– Entity authorized to receive
– Description of the purpose of the disclosure
– Expiration date
– Signature and date
– Statements, like the Right to Revoke
Right to Access – 45 CFR 164.524
• The right of an individual or personal representative to obtain records
• Requires disclosure, subject to limited exceptions
• Applies to the Designated Record Set
• Not always required to be in writing (a CE may require written requests only if it says so in its Notice of Privacy Practices)
• Must be fulfilled without unreasonable delay
EXAMPLES
RECORD PRODUCTION
Paper
• Even if the PHI is maintained electronically, the CE is expected to be able to deliver the requested information on paper
Electronic
• If the PHI is maintained electronically, the CE is expected to deliver it in the requested electronic form and format if that format is readily producible
• If the requested format is not readily producible, access must be provided in another readable electronic form and format agreed to by the CE and the individual
RIGHT TO ACCESS
RECORD PRODUCTION
Electronic
• Email is okay
– Secure (encrypted) email
– Unsecure (unencrypted) email: the patient must be warned of the risks and acknowledge them; document that acknowledgment, and address the procedure in your Security Risk Analysis
• It is assumed that all CEs can produce PHI this way
– Exception: file size too large
RIGHT TO ACCESS
EXAMPLES
WHY AN ELECTRONIC EMPHASIS?
HHS / OCR believes this is the fast and cheap way…
Prevalence of EHR systems
Patient Portal Access
Another means to foster communication between providers
• DIRECT
• HIEs
• HISPs
Structured Data
REASONABLE, COST-BASED FEE*
RIGHT TO ACCESS
Labor for copying the PHI
Supplies for creating the copy
or electronic media
Postage where applicable
Preparation of a Summary of
the PHI where applicable
*Anyone else think a few costs are missing?
This is after the PHI relevant to the request has been…
• Identified
• Retrieved or collected
• “Ready to be copied”
Specifically does not include…
• Reviewing the request for Access
• Searching for, locating, reviewing the PHI
• Segregating PHI
Can only charge for “copying”
RIGHT TO ACCESS
REASONABLE, COST-BASED FEE*
Three methods allowed to determine the cost
Average Cost
• Fee schedule built from average labor and supply costs
Actual Cost
• Determine the cost each and every time?
Flat Fee
• Suggested fee of $6.50 or less for electronic copies of electronically maintained PHI
• May 2016 clarification: $6.50 is an option, not a cap on fees calculated by the other two methods
RIGHT TO ACCESS
REASONABLE, COST-BASED FEE*
*Electronic copies do not allow for per-page fees…
THIRD PARTY DIRECTION
“Right to Access” allows patients to direct that their PHI be sent to a third party
• Examples given in the guidance
– Another Provider
– Researcher
– Consumer Tool
Requests may look similar to Authorizations
• Do they have a patient directive?
– Yes likely a Right to Access request
– No likely an Authorization
RIGHT TO ACCESS
MUDDIED WATERS
The recent guidance has created confusion.
Limitations on where and to whom these records can go are not established.
THIRD PARTY DIRECTION
Why the increase?
Increased prevalence of attorneys utilizing Right to Access requests
• Patient letter – “I authorize”
• “The Kitchen Sink” approach
• Cite HITECH
• Direct the format outside of the patient letter
RIGHT TO ACCESS
EXAMPLES
AUTHORIZATION vs RIGHT TO ACCESS
IS THIS SUFFICIENT FOR RIGHT TO ACCESS?
WHAT’S NEXT?
JUST BECAUSE YOU CAN DOESN’T MEAN YOU SHOULD
WHAT WE’LL COVER
What is a Security Risk Analysis (SRA)?
Who needs a SRA?
Why is a SRA important for my practice?
Which items need to be documented?
Where do I go from here?
SECURITY RISK ANALYSIS
BUT FIRST… ASSESSMENT VERSUS ANALYSIS
Risk Analysis
• Security Rule
• “Security Risk Analysis” is the preferred terminology when discussing the SRA
Risk Assessment
• Privacy Rule, Breach Notification Rule
• Often used interchangeably with Security Risk Analysis
SECURITY RISK ANALYSIS
HEALTHCARE’S VERSION OF TAXES…
THINK ABOUT TAX SEASON…
WHO DO YOU TRUST?
Security Risk Analysis is required by HIPAA, Meaningful Use, and now MIPS
Like taxes, do you do your SRA in house, or trust a professional?
(Diagram: RISK sits where THREAT, VULNERABILITY, and ASSET overlap)
SECURITY RISK ANALYSIS
WHAT IS A SECURITY RISK ANALYSIS?
(Besides another item on your to do list annually)
An analysis of HIPAA Security Rule compliance in your practice
A comprehensive assessment to document, and work towards, HIPAA compliance
Should be done on an annual basis
Must have an associated Work Plan to remediate any deficiencies that are found
The hardest part of the Risk Analysis is reviewing the IT infrastructure to determine where PHI could be at risk
SECURITY RISK ANALYSIS
WHO NEEDS A SECURITY RISK ANALYSIS?
COVERED ENTITY
• PROVIDER
• PAYMENT
• PLAN / PAYER
BUSINESS ASSOCIATE
• WHO ACCESSES PHI?
• RELEASE OF INFORMATION
• ATTORNEY
• OTHERS
SECURITY RISK ANALYSIS
SECURITY RISK ANALYSIS DEFINITION
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities (and, since the HITECH Act, their business associates) conduct a risk analysis of their organization. A risk analysis helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards.
SECURITY RISK ANALYSIS
MEANINGFUL USE / MACRA & MIPS
MU
Meaningful Use requires a SRA
• Stage 1 – Core 15 / Core 13: “Protect health information”
• Stage 2 – Core 9: “Protect health information”
• Stage 3 – Measure 1: “Protect electronic patient health information”
MACRA & MIPS
MIPS requires a SRA
• Advancing Care Information: receive 0 points for the category if there is no SRA
• That is a loss of 25% of your overall score!
SECURITY RISK ANALYSIS
WHY IS A SRA IMPORTANT FOR ME?
(Do you like paying government fines?)
SECURITY RISK ANALYSIS
MEANINGFUL USE AUDITS
Audits targeted at up to 20% (1 in 5) of eligible providers
Either Pre or Post payment of incentive funds
Failed audits trigger additional audits for other years and providers
Most failed measure: SRA
Consider a Mock Audit as a “health check”
Still happening even though Medicare program is over!
Expect we will see similar audits under MIPS
SECURITY RISK ANALYSIS
HIPAA ENFORCEMENT
HIPAA Regulations are enforced by HHS-OCR
Enforcement activities:
• 2015 Random Audit Program
• Breach Investigations (covered entities and business associates)
• Complaint Investigations (dissatisfied patients, disgruntled employees)
SECURITY RISK ANALYSIS
HIPAA AUDITS
“The audits are coming, the audits are coming!”
No longer delayed, audits are here!
• “Compliance email heard around the world”
• 200 Desk Audits & 24 Comprehensive (Onsite) Audits
• Business Associates – Phase 2
• Utilize the HHS / OCR portal to upload information
• 10 days to respond / upload information
• Size, location, services, other information, BA
SECURITY RISK ANALYSIS
HIPAA AUDITS
Covered Entity Audits – 166 total
• 103 Privacy and Breach Rules
• 63 Security Rule
• 90% Provider
Business Associates – 41 total
• Breach and Security Rules
SECURITY RISK ANALYSIS
HIPAA AUDITS
Security Rule Audit: Risk Analysis, Risk Management
Of the 63 Covered Entities audited: one received an “in compliance” score, 30 failed, 52 showed negligible effort (essentially a fail)
The OCR is placing emphasis on the Security Rule
SECURITY RISK ANALYSIS
HOW DO BREACHES OCCUR?
Breaches can occur when Protected Health Information is:
Lost
Stolen
Accessed in an unauthorized fashion
Transmitted in an insecure manner
SECURITY RISK ANALYSIS
2017 BREACHES
345 incidents impacting 500+ patients each (327 in 2016); 4,721,844 patients impacted
41% – 142 hacking incidents (25% increase from 2016); 10% of incidents in 2012
25% – 85 email breaches (60% increase from 2016); 10% in 2012
29% – 55 breaches from lost or stolen devices (78 in 2016); 40% in 2012
HIPAA HISTORY
In the past small entities have mostly ignored HIPAA
• Didn’t understand HIPAA
• Cost too much for a consultant
• Took too much time
• Not much electronic data
• Not much hacking
• Not so many breaches
• Not so many audits
• Not so many fines
HIPAA can no longer be ignored!
SECURITY RISK ANALYSIS
WHAT CMS SAYS ABOUT HIPAA
“The Security Risk Analysis is NOT optional for small providers”
“Simply installing a certified EHR DOES NOT fulfill the security risk analysis MU requirement”
“Your EHR vendor DOES NOT take care of everything needed to do about privacy and security”
“A checklist DOES NOT suffice for the risk analysis requirement”
“The risk analysis needs to be performed annually”
“The security risk analysis needs to look at not just the EHR, but your whole IT infrastructure”
“It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained
through services of an experienced outside professional”
SECURITY RISK ANALYSIS
WHICH ITEMS NEED TO BE DOCUMENTED?
(Or it didn’t happen!)
Security Risk Analysis (and associated Work Plan or Gap Analysis)
Policies and Procedures
Employee Training
Documentation
SECURITY RISK ANALYSIS
POLICIES & PROCEDURES DOCUMENTATION
Every practice needs policies and procedures for both HIPAA Privacy and Security Rules
These can be obtained from a variety of sources, and should be inexpensive
Someone at your practice needs to be responsible for enforcing these Policies & Procedures (Compliance / Security / Privacy Officer)
Understand that you are not HIPAA compliant if you have not documented it
• You can only withstand an audit through proper documentation
• This includes a strong Security Risk Analysis
• Practices have received large fines for lack of documentation
• What should be documented:
– Security Risk Analysis
– Gap Analysis
– Policies / Procedures
– Training
– Media Disposal
– Security Incidents
– Computer Log Reviews
SECURITY RISK ANALYSIS
DOCUMENT, DOCUMENT, DOCUMENT!
SECURITY RISK ANALYSIS
SECURITY RISK ANALYSIS ELEMENTS
• Threat / Vulnerability Statement
• Existing Controls
• Risk (color code)
• Control Effectiveness
• Likelihood
• Impact
• Overall Risk Rating
• Additional Considerations
• Work Plan Updates (Due Date, Responsibility)
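The elements listed above are the columns of a risk register. The following is an added example, not part of the presentation or any DataFile tool, showing how a small practice could score such a register in Python: each entry carries a threat / vulnerability statement, existing controls, control effectiveness, likelihood and impact, and the script derives the overall risk rating (color code) and the work plan rows (due date, responsibility). The 1..5 likelihood and impact scales, the control-effectiveness discount factors, the color bands and the 30/90-day remediation windows are assumptions chosen for illustration, not HHS / OCR prescriptions, and the four register entries are constructed sample data, not findings from any real practice.

```python
"""Scoring a HIPAA-style security risk register (added example, not from the deck).

Scales, discount factors, color bands and due-date windows below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed discount applied to likelihood for each control-effectiveness level.
EFFECTIVENESS_FACTOR = {"none": 1.0, "partial": 0.6, "effective": 0.3}
# Assumed color bands on the 1..25 likelihood-times-impact scale.
RED_THRESHOLD, YELLOW_THRESHOLD = 15, 8
# Assumed remediation windows in days; GREEN items need no work-plan row.
DUE_IN_DAYS = {"RED": 30, "YELLOW": 90}


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain), before controls
    impact: int                          # 1 (negligible) .. 5 (severe)
    existing_controls: list = field(default_factory=list)
    control_effectiveness: str = "none"  # key of EFFECTIVENESS_FACTOR
    responsibility: str = "Security Officer"

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1..5, got {getattr(self, name)}")
        if self.control_effectiveness not in EFFECTIVENESS_FACTOR:
            raise ValueError(f"unknown control effectiveness {self.control_effectiveness!r}")

    def statement(self) -> str:
        """Threat / vulnerability statement in the register's wording."""
        return f"{self.threat} exploiting {self.vulnerability} on {self.asset}"

    def inherent_risk(self) -> int:
        """Likelihood x impact with no credit for existing controls."""
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        """Controls reduce likelihood; the impact of a successful event is unchanged."""
        return round(self.likelihood * EFFECTIVENESS_FACTOR[self.control_effectiveness] * self.impact, 1)


def rating(score: float) -> str:
    """Overall risk rating as the register's color code."""
    if score >= RED_THRESHOLD:
        return "RED"
    if score >= YELLOW_THRESHOLD:
        return "YELLOW"
    return "GREEN"


def summarize(register: list) -> list:
    """One row per item: statement, controls, inherent and residual scores, color code."""
    return [{"statement": item.statement(),
             "controls": ", ".join(item.existing_controls) or "none",
             "inherent": item.inherent_risk(),
             "residual": item.residual_risk(),
             "residual_rating": rating(item.residual_risk())} for item in register]


def work_plan(register: list, today: date) -> list:
    """Work-plan rows, highest residual risk first, for every item not yet GREEN."""
    rows = []
    for item in register:
        residual = item.residual_risk()
        color = rating(residual)
        if color == "GREEN":
            continue
        rows.append({"action": f"Remediate: {item.statement()}", "residual": residual,
                     "rating": color, "due": today + timedelta(days=DUE_IN_DAYS[color]),
                     "responsibility": item.responsibility})
    return sorted(rows, key=lambda row: -row["residual"])


# Constructed sample register: illustrative entries, not findings from a real practice.
SAMPLE_REGISTER = [
    RiskItem("EHR server", "Ransomware", "unpatched OS and no offline backups",
             likelihood=4, impact=5, existing_controls=["endpoint antivirus"],
             control_effectiveness="partial", responsibility="IT vendor"),
    RiskItem("Clinician laptop", "Theft or loss", "no full-disk encryption",
             likelihood=3, impact=5),
    RiskItem("Staff mailboxes", "Phishing", "credential reuse", likelihood=5, impact=4,
             existing_controls=["MFA on email", "annual awareness training"],
             control_effectiveness="effective"),
    RiskItem("Paper charts", "Casual viewing by visitors", "charts left at reception",
             likelihood=2, impact=2, responsibility="Office Manager"),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_REGISTER):
        print(f'{row["residual_rating"]:6} residual {row["residual"]:5} (inherent {row["inherent"]:2})  {row["statement"]}')
    for row in work_plan(SAMPLE_REGISTER, date(2018, 1, 15)):
        print(f'{row["due"]}  {row["responsibility"]:16} {row["action"]}')
```

Run stand-alone it prints the scored register and then the two open work-plan rows: the unencrypted laptop stays RED because nothing reduces its likelihood, while the well-controlled mailboxes drop from an inherent 20 to a residual 6 and fall out of the plan. Keeping inherent and residual side by side is what lets the "Control Effectiveness" column be audited rather than asserted.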
SECURITY RISK ANALYSIS
SECURITY RISK ANALYSIS DOCUMENT
SECURITY RISK ANALYSIS
ANNUAL TRAINING
Employees must be trained on HIPAA before they start work in your practice
All other employees must be trained annually
Third parties can provide HIPAA Educational services
Keep records of training!
SECURITY RISK ANALYSIS
WHERE DO I GO FROM HERE?
You have to start somewhere!
• Ensure you have a Privacy / Security Officer!
• In-house: the HHS (Health and Human Services) / OCR (Office for Civil Rights) Security Risk Assessment Tool; your EHR vendor may also offer a service for a fee
• Healthcare attorney
• May also utilize a healthcare IT group
• Experienced third party
SECURITY RISK ANALYSIS
IN SUMMARY…
Security Risk Analysis audits are no longer limited to MU
Protect your practice and your investment – utilize professional service tools for your SRA.
Sleep soundly at night!
Thank You
Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS
Twitter: @KAWickenhauser
bit.ly/KAWresource