RIGHT TO ACCESS AND SECURITY RISK ANALYSIS. K a t h r y n A y e r s W i c k e n h a u s e r, M B A, C H P C, C H T S

Transcription

1 RIGHT TO ACCESS AND K a t h r y n A y e r s W i c k e n h a u s e r, M B A, C H P C, C H T S

2 RIGHT TO ACCESS WHAT WE LL COVER HHS FAQ Overview Authorization vs Right to Access Record Formats & Delivery Methods Reasonable, cost-based fee* Third-Party Direction Examples

3 EXAMPLES

4 EXAMPLES

5 EXAMPLES

6 RIGHT TO ACCESS DATAFILETECHNOLOGIES.COM FEBRUARY 25, 2016 Emphasizes a patient s right to receive a copy of their medical information CULTIVATING & CONNECTING HEALTHCARE EXPERTS

7 RIGHT TO ACCESS DATAFILETECHNOLOGIES.COM RELEASED HHS FAQ Delivery formats of PHI Reasonable, cost-based fee for information Right to transmit information to a third party CULTIVATING & CONNECTING HEALTHCARE EXPERTS

8 WHAT S THE DIFFERENCE? AUTHORIZATION vs RIGHT TO ACCESS 45 CFR Disclosure of PHI outside of T/P/O and the Privacy Rule Permits disclosure Required Elements: Description of PHI Entity authorized to release Entity authorized to receive Description of purpose of disclosure Expiration date Signature and date Statements, like Right to Revoke 45 CFR The right of an individual or personal representative to obtain records Requires disclosure, except with exception Designated Record Set Is not always required to be in writing Notice of Privacy Practices Without unreasonable delay

9 EXAMPLES

10 RIGHT TO ACCESS RECORD PRODUCTION Paper If maintained electronically, CE expected to deliver requested information on paper Electronic If maintained electronically, CE expected to deliver if readily producible If requested format not available, access should be provided and agreed upon to another format

11 RIGHT TO ACCESS RECORD PRODUCTION Electronic is okay Secure Unsecure: Patient must acknowledge and sign off on the risks and procedure should be addressed in your Security Risk Analysis Assumed all CEs can produce PHI this way Exception: file size too large

12 EXAMPLES

13 DATAFILETECHNOLOGIES.COM HHS / OCR believes this is the fast and cheap way CULTIVATING & CONNECTING HEALTHCARE EXPERTS

14 WHY AN ELECTRONIC EMPHASIS? Prevalence of EHR systems Patient Portal Access Another means to foster communication between providers DIRECT HIEs HISPs Structured Data

15 RIGHT TO ACCESS REASONABLE, COST-BASED FEE* Labor for copying the PHI Supplies for creating the copy or electronic media Postage where applicable Preparation of a Summary of the PHI where applicable *Anyone else think a few costs are missing?

16 RIGHT TO ACCESS REASONABLE, COST-BASED FEE* This is after the PHI relevant to the request has been Identified Retrieved or collected Ready to be copied Specifically does not include Reviewing the request for Access Searching for, locating, reviewing the PHI Segregating PHI Can only charge for copying

17 RIGHT TO ACCESS REASONABLE, COST-BASED FEE* Three methods allowed to determine cost Average Cost Fee schedule Actual Cost Determine cost each and every time? Flat Fee Electronic cost suggested fee May 2016 clarification

18 WHY DATAFILE? *Electronic copies do not allow for per page fees DATAFILETECHNOLOGIES.COM CULTIVATING & CONNECTING HEALTHCARE EXPERTS

19 RIGHT TO ACCESS THIRD PARTY DIRECTION Right to Access allows patients to direct that their PHI be sent to a third party Examples given in the guidance Another Provider Researcher Consumer Tool Requests may look similar to Authorizations Do they have a patient directive? Yes likely a Right to Access request No likely an Authorization

20 MUDDIED WATERS The recent guidance has created confusion. Limitations on where and to whom these records can go are not established.

21 RIGHT TO ACCESS THIRD PARTY DIRECTION Increased prevalence of attorneys utilizing Right to Access Requests Patient letter I authorize The Kitchen Sink approach Cite HITECH Direct the format outside of the patient letter Why the increase?

22 EXAMPLES AUTHORIZATION RIGHT TO ACCESS

23 EXAMPLES AUTHORIZATION RIGHT TO ACCESS

24 EXAMPLES IS THIS SUFFICIENT FOR RIGHT TO ACCESS?

25 WHAT:S NEXT?

26 WHAT:S NEXT? JUST BECAUSE YOU CAN DOESN T MEAN YOU SHOULD

27 WHAT WE LL COVER What is a Security Risk Analysis (SRA)? Who needs a SRA? Why is a SRA important for my practice? Which items need to be documented? Where do I go from here?

28 BUT FIRST

29 ASSESSMENT VERSUS ANALYIS Risk Assessment Privacy Rule, Breach Notification Rule Often used interchangeably with Security Risk Analysis Risk Analysis Security Rule Security Risk Analysis is the preferred terminology when discussing SRA

30 HEALTHCARE S VERSION OF TAXES

31 THINK ABOUT TAX SEASON

32 WHO DO YOU TRUST? Security Risk Analysis required by HIPAA, Meaningful Use, and now MIPS THREAT RISK Like taxes, do you do your SRA in house, or trust a professional? VULNERABILITY ASSET

33 WHAT IS A? (Besides another item on your to do list annually)

34 WHAT IS A? An analysis of HIPAA in your practice Comprehensive assessment to document / work towards HIPAA compliance Should be done on an annual basis Must have an associated Work Plan to remediate any deficiencies that are found Hardest part of Risk Analysis is to review IT infrastructure to determine where PHI could be at risk

35 WHO NEEDS A? COVERED ENTITY BUSINESS ASSOCIATE PROVIDER PAYMENT PLAN / PAYER WHO ACCESSES PHI? RELEASE OF INFORMATION ATTORNEY OTHERS

36 DEFINITION The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk analysis of their healthcare organization. A risk analysis helps your organization ensure it is compliant with HIPAA s administrative, physical, and technical safeguards.

37 MEANINGFUL USE Meaningful Use requires a SRA Stage 1 Core 15 / Core 13 Protect health information MU Stage 2 Core 9 Protect health information Stage 3 Measure 1 Protect electronic patient health information

38 MACRA & MIPS MIPS requires a SRA Advancing Care Information Receive 0 points for the category if no SRA Loss of 25% of your overall score!

39 WHY IS A SRA IMPORTANT FOR ME? (Do you like paying government fines?)

40 MEANINGFUL USE AUDITS Audits targeted at up to 20% (1 in 5) of eligible providers Either Pre or Post payment of incentive funds Failed audits trigger additional audits for other years and providers Most failed measure: SRA Consider a Mock Audit as a health check Still happening even though Medicare program is over! Expect we will see similar audits under MIPS

41 HIPAA ENFORCEMENT HIPAA Regulations are enforced by HHS-OCR Enforcement Activities 2015 Random Audit Program Breach Investigations Covered entities Business Associates Complaint Investigations Dissatisfied patients Disgruntled employees

42 HIPAA AUDITS The audits are coming, the audits are coming! No longer delayed, audits are here! Compliance heard around the world 200 Desk Audits & 24 Comprehensive (Onsite) Audits Business Associates Phase 2 Utilize HHS / OCR Portal to Upload Information 10 days to respond / upload information Size, Location, Services, Other Information, BA

43 HIPAA AUDITS Covered Entity Audits 166 total 103 Privacy and Breach Rules 63 Security Rule 90% Provider Business Associates 41 total Breach and Security Rules

44 HIPAA AUDITS Security Rule Audit Risk Analysis Risk Management Of the 63 Covered Entities audited, one received a in compliance score 30 failed 52 negligible effort essentially a fail The OCR is placing emphasis on the Security Rule

45 HOW DO BREACHES OCCUR? Breaches can occur when Protected Health Information is: Lost Stolen Accessed in an unauthorized fashion Transmitted in an insecure manner

46 2017 BREACHES 345 incidents impacting 500+ patients (327 in 2016) 4,721,844 patients impacted 41% hacking incidents (25% increase from 2016) 10% of incidents in % breaches (60% increase from 2016) 10% in % - 55 breaches from lost or stolen devices (78 in 2016) 40% in 2012

47 HIPAA HISTORY In the past small entities have mostly ignored HIPAA Didn t understand HIPAA Cost too much for a consultant Took too much time Not much electronic data Not much hacking Not so many breaches Not so many audits Not so many fines HIPAA can no longer be ignored!

48 WHAT CMS SAYS ABOUT HIPAA The Security Risk Analysis is NOT optional for small providers Simply installing a certified EHR DOES NOT fulfill the security risk analysis MU requirement Your EHR vendor DOES NOT take care of everything needed to do about privacy and security A checklist DOES NOT suffice for the risk analysis requirement The risk analysis needs to be performed annually The security risk analysis needs to look at not just the EHR, but your whole IT infrastructure It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional

49 WHICH ITEMS NEED TO BE DOCUMENTED? (Or it didn t happen!) Security Risk Analysis (and associated Work Plan or Gap Analysis) Policies and Procedures Employee Training Documentation

50 POLICIES & PROCEDURES DOCUMENTATION Every practice needs policies and procedures for both HIPAA Privacy and Security Rules These can be obtained from a variety of sources, and should be inexpensive Someone at your practice needs to be responsible for enforcing these Policies & Procedures (Compliance / Security / Privacy Officer)

51 DOCUMENT, DOCUMENT, DOCUMENT! Understand that you are not HIPAA compliant if you have not documented it You can only withstand an audit through proper documentation This includes a strong Security Risk Analysis Practices have received large fines for lack of documentation What should be documented: Security Risk Analysis Gap Analysis Policies / Procedures Training Media Disposal Security Incidents Computer Log Reviews

52 ELEMENTS Threat Vulnerability Statement Existing Controls Risk (color code) Control Effectiveness Likelihood Impact Overall Risk Rating Additional Considerations Work Plan Updates Due Date Responsibility

53 DOCUMENT

54 DOCUMENT

55 DOCUMENT

56 ANNUAL TRAINING Employees must be trained on HIPAA before they start work in your practice All other employees must be trained annually Third parties can provide HIPAA Educational services Keep records of training!

57 WHERE DO I GO FROM HERE? You have to start somewhere! Ensure you have a Privacy / Security Officer! In-House HHS (Health and Human Services) / OCR (Office of Civil Rights) Tool EHR Vendor may offer service for a fee Healthcare Attorney May also utilize Healthcare IT group Experienced Third Party

58 IN SUMMARY Security Risk Analysis Audits are no longer limited to MU Protect your practice and your investment utilize professional service tools for your SRA. Sleep soundly at night!

59 Thank You Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS bit.ly/kawresource