“The government has taken back incentive money,” says Nic Cofield with Jackson Thornton Technologies. In Stage 1 of proving the meaningful use of their new electronic health records (EHR), physicians had to attest to the security of their EHR and the use and sharing of its data. In return for meeting that criterion and others, they received up to $44,000.
The government then ran selective audits to confirm it. “During the early rounds of audits, the requests for information focused on the controls built into and verifiable from the EMR dashboards – the meaningful use core measures focused on patient care,” says Russ Dorsey of Kassouf & Co. “For several of those, proof of the risk assessment was not even requested. Many practices dodged bullets.
“However, in the last few months we’ve seen changes in the nature of the CMS audit requests. CMS and the CPA firms assisting in the process are clearly refining their requests and review based on what they are finding.”
Many recent audits have asked for risk assessment documents, which has resulted in financial losses for some practices.
“The auditors asked one area practice for proof,” Cofield says. “When the physicians were not able to produce the documentation, the government took the money back from that practice.”
The missing proof was creating and administering an information technology (IT) risk assessment. “It’s part of the HIPAA security rule. It’s documentation showing how you protect data at your practice,” Cofield says.
Curtis Woods at Integrated Solutions had a similar situation. “A practice called for a risk assessment but decided not to go through with it. They attested to having done it, got their $44,000 per physician. Nine months later, they get an email from an auditor saying they must provide proof that they’re doing what they’re supposed to do, and they can’t produce it. They had to give it all back.”
The difficulty with risk assessments is that they are not clear-cut. “The CMS has published a road map to help practices do everything required, but there’s no standard method. It’s not a checklist,” Cofield says.
The idea that it is a checklist is one of several myths healthcare entities have about risk assessments. “It has to be a narrative document,” Cofield says. “Entries should read something like, ‘On June 9, 2014, interviewed coding specialist and found that employee not handling PHI [protected health information] correctly. To remedy, provided employee with additional education to understand risks on July 6, 2014.’”
The other prevalent myth is that a risk assessment is ever complete. “When it’s done, that’s the beginning,” Woods says. “They have to implement and remediate anything that came up and prove they’ve done something.” Then every year, the practice must do a review to see what progress has been made and keep up with any IT changes. “If not, they’re at risk of losing the money,” Woods says.
Relying on your EHR vendor is not enough, warns Cofield. “A practice prints this sheet out from their EHR and they’re told that will qualify them. But a checklist, a simple yes/no sheet, will not stand up to CMS eyes.”
Woods agrees. “All it’s showing you is who has access to what information. It doesn’t say what PHI got taken home by whom on a flash drive, then taken to school by their child, and then lost.”
Mobile devices are the biggest source of breach exposure. “Those devices are often not encrypted,” Cofield says. The CMS has a wall of shame displaying which healthcare entities lost data that affected more than 500 patients. “A lot of those are a result of mobile devices being lost or stolen and encryption not being in place.”
“You need to have controls so external USB devices can be remotely disabled,” Woods says. “And if you want to copy data onto a laptop or flash drive, you can’t do it without permission.” That ensures the right people will know the movements of a practice’s PHI.
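The removable-media control Woods describes can be checked and enforced on a Windows workstation through the built-in "Removable Storage Access" policy. The script below is an added example for this article, not something from either consultant; it assumes Windows PCs and an elevated PowerShell session for any change, and it first reports the current state so the output can be pasted into the risk-assessment narrative as evidence.

```powershell
# Added example (not from the article): audit and, on request, tighten the
# Windows removable-storage policy on one workstation.
# Assumes: Windows, run elevated to change anything; report-only works as a normal user.

# Registry key behind the "Removable Storage Access" Group Policy settings.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID for removable disks (USB flash drives) under that policy key.
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
# Driver that mounts USB mass-storage devices; Start = 4 disables it outright.
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Missing key or missing value both come back as $null instead of an error.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemovableStorageState {
    # One object per machine: which of the three controls is actually in force.
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DenyAllRemovable      = (Get-RegValueOrNull $PolicyRoot 'Deny_All') -eq 1
        DenyWriteToUsbDisks   = (Get-RegValueOrNull "$PolicyRoot\$RemovableDisksClass" 'Deny_Write') -eq 1
        UsbStorDriverDisabled = (Get-RegValueOrNull $UsbStorService 'Start') -eq 4
        CheckedAt             = (Get-Date).ToString('s')
    }
}

function Set-UsbDiskWriteDeny {
    # Blocks copying data onto USB disks while still allowing reads: staff can
    # use a vendor's drive, but cannot carry PHI out on one without an
    # administrator first lifting the policy for that machine.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $classKey = "$PolicyRoot\$RemovableDisksClass"
    if ($PSCmdlet.ShouldProcess($classKey, 'Set Deny_Write = 1')) {
        New-Item -Path $classKey -Force | Out-Null
        New-ItemProperty -Path $classKey -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
        # The policy is evaluated when a device arrives; drives already mounted
        # keep their current access until they are re-inserted or the PC reboots.
    }
}

# Usage: report first; drop -WhatIf (in an elevated shell) to apply the change.
Get-RemovableStorageState | Format-List
Set-UsbDiskWriteDeny -WhatIf
```

In a domain, the same three settings are normally pushed by Group Policy rather than set per machine; the report function is still useful there, because it shows what each PC actually received, which is what an auditor asks for.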
Sometimes the exposure is from within the system itself. “We often find that everyone in the clinic has access to everything in the network. Nothing is blocking them from getting it,” Cofield says. “The admin knows they have a firewall and a backup, but did not know that if the front desk person wanted to, they could get to protected information, copy it, and steal it without anyone knowing.”
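The "everyone has access to everything" finding is usually a folder permission problem on a file share, and it can be found mechanically. The following is an added example for this article, not the consultants' own tooling: it flags any Allow entry that gives a catch-all group (Everyone, Authenticated Users, Users, or any domain's Domain Users) read or write access to a folder. It assumes Windows file shares; the sample ACL is constructed in memory so the check runs on any Windows PC without touching a real share.

```powershell
# Added example (not from the article): find folder permissions that give every
# logged-on user read or write access to PHI. Assumes Windows (DirectorySecurity).

# Well-known SIDs that mean "everybody who can log on"; SIDs are locale-independent,
# so this works on non-English Windows as well as English.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

function Test-BroadPrincipal([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($BroadSids -contains $Sid.Value) { return $true }
    # Domain Users is RID 513 in every domain: S-1-5-21-<domain>-513
    return $Sid.Value -like 'S-1-5-21-*-513'
}

function Find-BroadAccess {
    # Returns one record per Allow ACE that hands a broad group read or write
    # rights. Input is a DirectorySecurity so it can come from Get-Acl or be
    # built in memory for a test.
    param(
        [System.Security.AccessControl.DirectorySecurity]$Acl,
        [string]$Label = '<in-memory>'
    )
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $readMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    # Ask for rules keyed by SID so no name lookup is needed.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (-not (Test-BroadPrincipal $ace.IdentityReference)) { continue }
        $rights   = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $writeMask) -ne 0
        $canRead  = ($rights -band $readMask)  -ne 0
        if (-not ($canWrite -or $canRead)) { continue }
        # Resolve a readable name for the report; fall back to the SID if lookup fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }
        if ($canWrite) { $severity = 'HIGH: can copy out and modify' } else { $severity = 'MEDIUM: can read PHI' }
        [pscustomobject]@{
            Path      = $Label
            Principal = $name
            Rights    = $ace.FileSystemRights
            Severity  = $severity
        }
    }
}

# Constructed sample: a patient-records folder ACL as it often looks in a small
# practice after a share was set up in a hurry. Everyone: FullControl.
$sample = New-Object System.Security.AccessControl.DirectorySecurity
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$admins   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$sample.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'FullControl', 'Allow')))
$sample.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins,   'FullControl', 'Allow')))

# Expected: one HIGH finding for Everyone; Administrators is not reported.
Find-BroadAccess -Acl $sample -Label 'D:\PatientRecords (constructed sample)' | Format-Table -AutoSize

# Against real shares, run as an account that can read their ACLs (path is a placeholder):
# Get-ChildItem 'D:\Shares' -Directory |
#     ForEach-Object { Find-BroadAccess -Acl (Get-Acl $_.FullName) -Label $_.FullName }
```

A clean result does not by itself prove least privilege: share-level permissions, group membership (who is actually in the billing group) and the EHR application's own roles all need the same review. The value of the script is that its output is dated evidence, which is exactly what the narrative risk assessment described earlier has to contain.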
“We know a couple of practices where everyone logged in using the same password,” Woods says. “There’s nothing secure in that.”
Administrators also get surprised to learn a security measure they thought they invested in is useless. “You ask if they have backup and they answer yes, but you notice that it’s not powered on or it’s not configured,” Cofield says.
These lapses happen more often in smaller practices where staff wear many hats. “A big misconception among small providers is that they’re excluded from doing the risk assessment,” Cofield says. “You have to do the same due diligence to protect the information whether it’s one or 40 doctors.”
No one is immune from the audits either. “We’ve seen four customers get audit emails in the past nine months,” Woods says. “They’re doing more and more of these emails, because they’re hiring more staff.”
“Here is some final advice,” Dorsey says. “If you attested to meaningful use and checked the risk assessment box, but aren’t sure you would pass an audit, take the time now to build your best case. You cannot create any documents that didn’t exist or claim any work that didn’t happen. But when you look at what was actually done by you and your vendors, and gather all the documentation, you may be able to demonstrate more than you think you can.
“And by all means, engage someone to do a risk assessment now. You should have one every year anyway.”