Two Agencies To Be Auditing on HIPAA Security Rule Compliance

Jul 10, 2012 at 05:06 pm by steve

Russ Dorsey searches for patient data on a hard drive.

  “They’re auditing now because providers should have been complying with the HIPAA [Health Insurance Portability and Accountability Act] Security Rule since 2003 when the final rule was published. But we haven’t been doing it,” says Susan Pretnar, president of KeySys Health.

The Security Rule requires HIPAA-covered entities and their business associates to keep electronic health information private and secure under three categories of safeguards. The administration section defines who’s given access to the data. The physical portion deals with building and equipment components, such as fire protection, placement of the fax machine, and door locks. The third segment covers information technology items like encryption, network protection, and data transfer.

“The Security Rule was essentially unenforced by the government until 2009 when they passed HITECH [the Health Information Technology for Economic and Clinical Health Act], and they adopted the Rule as a requirement for attesting to meaningful use,” Pretnar says.

With the government handing out over a billion dollars in the first stage of meaningful-use incentive payments, the Department of Health and Human Services (HHS) kicked off Security Rule audits nationwide last November.

Only 150 audits are planned for the year, overseen by HHS’s Office for Civil Rights (OCR). “So people don’t feel very threatened,” Pretnar says. “But the audits will likely be ongoing, probably depending on the budget.”

Over and above these OCR efforts, the Centers for Medicare and Medicaid Services (CMS) is now dispatching its own auditors to check on meaningful-use compliance, which includes complying with the HIPAA Security Rule. “So now you have two government entities looking at your data protection,” Pretnar says.

CMS has yet to disclose who will be audited or how many. “They haven’t indicated what their methodology is for selection, but think of a tumbling barrel of names in a raffle game. If you’ve already attested, you’re in the random sample barrel,” Pretnar says.

Having begun its visits last fall, OCR published an audit checklist of about 40 elements. “It scared the bejeesus out of people. Because if OCR shows up, they’re going to ask for hundreds of pages worth of stuff on how you document your risk management program,” Pretnar says.

Items on this list include documenting a practice-wide security plan, a disaster recovery plan, a risk management plan with a recent risk analysis, and the results of the most recent network penetration test. “This is no minor project,” Pretnar says. “It will require many operational decisions as well as coordination with your IT support teams to accomplish.”

She suggests practices focus on having policies for every place where protected data is handled, created, stored, displayed or transferred. “Everything has to be well documented. If you have no policies, then your plan is to write policies,” Pretnar says.

“You should remember that if you’re not documenting it, then in the auditors’ minds, you can’t prove you’re doing it,” says Russ Dorsey, CEO of Integrated Solutions.

Dorsey says a common error practices make with the HIPAA Security Rule today is inadequate protection of remote access to health records. “Any remote access has to be from an encrypted virtual private network connection or through an appliance that controls access, so the server is not directly exposed to the internet,” Dorsey says.

HIPAA also states that email containing any patient data must be encrypted, including email with labs, imaging centers, lawyers and hospitals. “The practice could set up encryption between two specific entities, like the hospital or the labs,” Dorsey says. “Remember that the auditors will be looking at your documentation for your policy on who with and how you’re encrypted, so just doing the encryption isn’t enough.”

Policies also need to spell out the disciplinary action for staff who break them. “Auditors may likely test a policy by quizzing random employees on the last time they were trained and if they know what will happen if they break a policy,” Dorsey says.

Practices will be notified before OCR auditors arrive. “But it’s not more than ten days, and there’s no way you could build what you need in that time,” Pretnar says.

For help, practices can buy libraries of complete policies that address every facet of the Security Rule and serve as a kind of map through the HIPAA requirements. Online, HHS offers guidance geared toward small practices, and multiple websites, such as hipaasurvivalguide.com, also offer tools, policies and even discussion forums.

“But I don’t know that you could do this independently unless you have someone really dedicated to it,” Dorsey says. “HIPAA requires a third-party risk assessment anyway, so you need to engage an IT or security professional to help you.”

“You want consulting help from someone who’s willing to show you every step, so you can figure out how to write a policy or a procedure yourself and understand how changes will impact your practice,” Pretnar says. “Because this is never going away.”
