RIGHT TO ACCESS AND
Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS
RIGHT TO ACCESS: WHAT WE'LL COVER
- HHS FAQ Overview
- Authorization vs Right to Access
- Record Formats & Delivery Methods
- Reasonable, cost-based fee*
- Third-Party Direction
- Examples
EXAMPLES
RIGHT TO ACCESS
FEBRUARY 25, 2016
Emphasizes a patient's right to receive a copy of their medical information
DATAFILETECHNOLOGIES.COM 816.437.9134 CULTIVATING & CONNECTING HEALTHCARE EXPERTS
RIGHT TO ACCESS: RELEASED HHS FAQ
- Delivery formats of PHI
- Reasonable, cost-based fee for information
- Right to transmit information to a third party
WHAT'S THE DIFFERENCE? AUTHORIZATION vs RIGHT TO ACCESS
Authorization (45 CFR 164.508)
- Disclosure of PHI outside of T/P/O and the Privacy Rule
- Permits disclosure
- Required elements: description of PHI; entity authorized to release; entity authorized to receive; description of purpose of disclosure; expiration date; signature and date; statements, like Right to Revoke
Right to Access (45 CFR 164.524)
- The right of an individual or personal representative to obtain records
- Requires disclosure, except where an exception applies
- Designated Record Set
- Is not always required to be in writing
- Notice of Privacy Practices
- Without unreasonable delay
EXAMPLES
RIGHT TO ACCESS: RECORD PRODUCTION
Paper
- If maintained electronically, CE expected to deliver requested information on paper
Electronic
- If maintained electronically, CE expected to deliver if readily producible
- If requested format not available, access should be provided in another format agreed upon with the individual
RIGHT TO ACCESS: RECORD PRODUCTION
Electronic
- Email is okay
  - Secure
  - Unsecure: patient must acknowledge and sign off on the risks, and the procedure should be addressed in your Security Risk Analysis
- Assumed all CEs can produce PHI this way
- Exception: file size too large
EXAMPLES
HHS / OCR believes this is the fast and cheap way
WHY AN ELECTRONIC EMPHASIS?
- Prevalence of EHR systems
- Patient Portal Access
- Another means to foster communication between providers
  - DIRECT
  - HIEs
  - HISPs
- Structured Data
RIGHT TO ACCESS: REASONABLE, COST-BASED FEE*
- Labor for copying the PHI
- Supplies for creating the copy or electronic media
- Postage where applicable
- Preparation of a summary of the PHI where applicable
*Anyone else think a few costs are missing?
RIGHT TO ACCESS: REASONABLE, COST-BASED FEE*
This is after the PHI relevant to the request has been:
- Identified
- Retrieved or collected
- Ready to be copied
Specifically does not include:
- Reviewing the request for access
- Searching for, locating, reviewing the PHI
- Segregating PHI
Can only charge for copying
RIGHT TO ACCESS: REASONABLE, COST-BASED FEE*
Three methods allowed to determine cost:
- Average cost (fee schedule)
- Actual cost (determine cost each and every time?)
- Flat fee (suggested fee for electronic copies; May 2016 clarification)
WHY DATAFILE?
*Electronic copies do not allow for per-page fees
RIGHT TO ACCESS: THIRD PARTY DIRECTION
- Right to Access allows patients to direct that their PHI be sent to a third party
- Examples given in the guidance:
  - Another provider
  - Researcher
  - Consumer tool
- Requests may look similar to Authorizations
- Do they have a patient directive?
  - Yes: likely a Right to Access request
  - No: likely an Authorization
MUDDIED WATERS The recent guidance has created confusion. Limitations on where and to whom these records can go are not established.
RIGHT TO ACCESS: THIRD PARTY DIRECTION
- Increased prevalence of attorneys utilizing Right to Access requests
  - Patient letter ("I authorize")
  - The "Kitchen Sink" approach
  - Cite HITECH
  - Direct the format outside of the patient letter
- Why the increase?
EXAMPLES AUTHORIZATION RIGHT TO ACCESS
EXAMPLES IS THIS SUFFICIENT FOR RIGHT TO ACCESS?
WHAT'S NEXT? JUST BECAUSE YOU CAN DOESN'T MEAN YOU SHOULD
WHAT WE'LL COVER
- What is a Security Risk Analysis (SRA)?
- Who needs a SRA?
- Why is a SRA important for my practice?
- Which items need to be documented?
- Where do I go from here?
BUT FIRST
ASSESSMENT VERSUS ANALYSIS
Risk Assessment
- Privacy Rule, Breach Notification Rule
- Often used interchangeably with Security Risk Analysis
Risk Analysis
- Security Rule
- Security Risk Analysis is the preferred terminology when discussing SRA
HEALTHCARE'S VERSION OF TAXES
THINK ABOUT TAX SEASON
WHO DO YOU TRUST?
Security Risk Analysis required by HIPAA, Meaningful Use, and now MIPS
Like taxes, do you do your SRA in house, or trust a professional?
(Diagram labels: Threat, Vulnerability, Asset, Risk)
WHAT IS A SRA? (Besides another item on your to-do list annually)
WHAT IS A SRA?
- An analysis of HIPAA in your practice
- Comprehensive assessment to document / work towards HIPAA compliance
- Should be done on an annual basis
- Must have an associated Work Plan to remediate any deficiencies that are found
- Hardest part of Risk Analysis is to review IT infrastructure to determine where PHI could be at risk
WHO NEEDS A SRA?
Covered Entity / Business Associate
- Provider
- Payment
- Plan / Payer
- Release of Information
- Attorney
- Others
Who accesses PHI?
DEFINITION
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk analysis of their healthcare organization. A risk analysis helps your organization ensure it is compliant with HIPAA's administrative, physical, and technical safeguards.
MEANINGFUL USE
Meaningful Use requires a SRA
- Stage 1: Core 15 / Core 13, Protect health information
- MU Stage 2: Core 9, Protect health information
- Stage 3: Measure 1, Protect electronic patient health information
MACRA & MIPS
MIPS requires a SRA
- Advancing Care Information
- Receive 0 points for the category if no SRA
- Loss of 25% of your overall score!
WHY IS A SRA IMPORTANT FOR ME? (Do you like paying government fines?)
MEANINGFUL USE AUDITS
- Audits targeted at up to 20% (1 in 5) of eligible providers
- Either pre- or post-payment of incentive funds
- Failed audits trigger additional audits for other years and providers
- Most failed measure: SRA
- Consider a mock audit as a health check
- Still happening even though the Medicare program is over!
- Expect we will see similar audits under MIPS
HIPAA ENFORCEMENT
HIPAA Regulations are enforced by HHS-OCR
Enforcement activities:
- 2015 Random Audit Program
- Breach investigations: covered entities, business associates
- Complaint investigations: dissatisfied patients, disgruntled employees
HIPAA AUDITS
- The audits are coming, the audits are coming! No longer delayed, audits are here!
- Compliance email heard around the world
- 200 Desk Audits & 24 Comprehensive (Onsite) Audits
- Business Associates: Phase 2
- Utilize HHS / OCR Portal to upload information
  - 10 days to respond / upload information
  - Size, location, services, other information, BA
HIPAA AUDITS
Covered Entity Audits: 166 total
- 103 Privacy and Breach Rules
- 63 Security Rule
- 90% Provider
Business Associates: 41 total
- Breach and Security Rules
HIPAA AUDITS
Security Rule Audit: Risk Analysis, Risk Management
Of the 63 Covered Entities audited:
- One received an "in compliance" score
- 30 failed
- 52 negligible effort (essentially a fail)
The OCR is placing emphasis on the Security Rule
HOW DO BREACHES OCCUR?
Breaches can occur when Protected Health Information is:
- Lost
- Stolen
- Accessed in an unauthorized fashion
- Transmitted in an insecure manner
2017 BREACHES
- 345 incidents impacting 500+ patients (327 in 2016)
- 4,721,844 patients impacted
- 41% / 142 hacking incidents (25% increase from 2016; 10% of incidents in 2012)
- 25% / 85 email breaches (60% increase from 2016; 10% in 2012)
- 29% / 55 breaches from lost or stolen devices (78 in 2016; 40% in 2012)
HIPAA HISTORY
In the past small entities have mostly ignored HIPAA:
- Didn't understand HIPAA
- Cost too much for a consultant
- Took too much time
- Not much electronic data
- Not much hacking
- Not so many breaches
- Not so many audits
- Not so many fines
HIPAA can no longer be ignored!
WHAT CMS SAYS ABOUT HIPAA
- The Security Risk Analysis is NOT optional for small providers
- Simply installing a certified EHR DOES NOT fulfill the security risk analysis MU requirement
- Your EHR vendor DOES NOT take care of everything needed to do about privacy and security
- A checklist DOES NOT suffice for the risk analysis requirement
- The risk analysis needs to be performed annually
- The security risk analysis needs to look at not just the EHR, but your whole IT infrastructure
- It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional
WHICH ITEMS NEED TO BE DOCUMENTED? (Or it didn't happen!)
- Security Risk Analysis (and associated Work Plan or Gap Analysis)
- Policies and Procedures
- Employee Training Documentation
POLICIES & PROCEDURES DOCUMENTATION
- Every practice needs policies and procedures for both HIPAA Privacy and Security Rules
- These can be obtained from a variety of sources, and should be inexpensive
- Someone at your practice needs to be responsible for enforcing these Policies & Procedures (Compliance / Security / Privacy Officer)
DOCUMENT, DOCUMENT, DOCUMENT!
- Understand that you are not HIPAA compliant if you have not documented it
- You can only withstand an audit through proper documentation
- This includes a strong Security Risk Analysis
- Practices have received large fines for lack of documentation
What should be documented:
- Security Risk Analysis
- Gap Analysis
- Policies / Procedures
- Training
- Media Disposal
- Security Incidents
- Computer Log Reviews
ELEMENTS
- Threat
- Vulnerability Statement
- Existing Controls
- Risk (color code)
- Control Effectiveness
- Likelihood
- Impact
- Overall Risk Rating
- Additional Considerations
- Work Plan
  - Updates
  - Due Date
  - Responsibility
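As an added example (not from the presentation, DataFile Technologies, or HHS guidance), the Python sketch below shows how the elements listed on this slide fit together into one risk-register entry: the threat and vulnerability statement, the existing controls and their effectiveness, likelihood and impact, a derived overall rating with its color code, and a work-plan row carrying updates, due date and responsibility. The 1-to-3 ordinal scales, the way control effectiveness discounts likelihood, the rating thresholds, and the sample entries are all assumptions of this example; the slide names the fields but prescribes no formula.

```python
"""Toy SRA risk register built from the slide's elements.

Scoring rules here are assumptions for illustration only; the slide lists
the fields (threat, vulnerability statement, existing controls, control
effectiveness, likelihood, impact, overall risk rating, work plan with
updates, due date and responsibility) but does not prescribe a formula.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed ordinal scales: 1 = Low, 2 = Medium, 3 = High.
# Control effectiveness is modelled as how many steps it lowers the
# inherent likelihood (never below 1).
CONTROL_REDUCTION: Dict[str, int] = {"none": 0, "partial": 1, "strong": 2}

# Assumed color code for the overall rating.
COLOR: Dict[str, str] = {"High": "red", "Medium": "yellow", "Low": "green"}


@dataclass
class RiskItem:
    threat: str
    vulnerability_statement: str
    existing_controls: str
    control_effectiveness: str        # key of CONTROL_REDUCTION
    likelihood: int                   # inherent likelihood, 1..3
    impact: int                       # 1..3
    responsibility: str               # who owns remediation
    due_date: Optional[date] = None   # work plan target date
    updates: List[str] = field(default_factory=list)
    additional_considerations: str = ""

    def __post_init__(self) -> None:
        # Reject out-of-scale values so a typo cannot silently lower a rating.
        if self.control_effectiveness not in CONTROL_REDUCTION:
            raise ValueError(f"unknown control effectiveness: {self.control_effectiveness!r}")
        for name in ("likelihood", "impact"):
            v = getattr(self, name)
            if v not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3, got {v!r}")

    def residual_likelihood(self) -> int:
        """Likelihood after crediting the existing controls."""
        return max(1, self.likelihood - CONTROL_REDUCTION[self.control_effectiveness])

    def score(self) -> int:
        """Residual likelihood x impact, range 1..9."""
        return self.residual_likelihood() * self.impact

    def rating(self) -> str:
        """Overall risk rating; thresholds are assumed."""
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Medium"
        return "Low"

    def color(self) -> str:
        return COLOR[self.rating()]


def work_plan(register: List[RiskItem]) -> List[dict]:
    """Work-plan rows for every item rated Medium or High, worst first."""
    needing_action = [r for r in register if r.rating() != "Low"]
    needing_action.sort(key=lambda r: r.score(), reverse=True)
    return [
        {
            "threat": r.threat,
            "rating": r.rating(),
            "color": r.color(),
            "responsibility": r.responsibility,
            "due_date": r.due_date.isoformat() if r.due_date else "TBD",
            "updates": list(r.updates),
        }
        for r in needing_action
    ]


def rating_summary(register: List[RiskItem]) -> Dict[str, int]:
    """Count of items per overall rating, for the SRA cover page."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[r.rating()] += 1
    return counts


def build_sample_register() -> List[RiskItem]:
    """Constructed sample entries for a small practice (not real findings)."""
    return [
        RiskItem("Theft of laptop", "Charting laptops store PHI without disk encryption",
                 "None", "none", 3, 3, "IT lead", date(2018, 3, 31)),
        RiskItem("Phishing", "Staff have not completed annual HIPAA training",
                 "Spam filter", "partial", 3, 2, "Privacy Officer", date(2018, 4, 30),
                 updates=["Training vendor selected"]),
        RiskItem("Loss of backup media", "Backups leave the building weekly",
                 "Encrypted off-site backups", "strong", 2, 3, "IT lead"),
        RiskItem("Unauthorized access to paper charts", "Charts kept in front office",
                 "Locked cabinets, badge access", "strong", 1, 2, "Office manager"),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for row in work_plan(reg):
        print(row)
    print(rating_summary(reg))
```

Running the block prints three work-plan rows (laptop theft rated High, phishing and backup loss rated Medium) and a summary of one High, two Medium and one Low. The point of the structure is that an auditor can trace each rating back to its inputs: the inherent likelihood, the controls credited against it, and the impact, with the work plan holding the owner and due date for anything not rated Low.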
DOCUMENT
ANNUAL TRAINING
- Employees must be trained on HIPAA before they start work in your practice
- All other employees must be trained annually
- Third parties can provide HIPAA educational services
- Keep records of training!
WHERE DO I GO FROM HERE?
You have to start somewhere! Ensure you have a Privacy / Security Officer!
- In-house: HHS (Health and Human Services) / OCR (Office of Civil Rights) tool
- EHR vendor may offer service for a fee
- Healthcare attorney (may also utilize Healthcare IT group)
- Experienced third party
IN SUMMARY
- Security Risk Analysis audits are no longer limited to MU
- Protect your practice and your investment: utilize professional service tools for your SRA
- Sleep soundly at night!
Thank You
Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS
Kathryn.Wickenhauser@DataFileTechnologies.com
Twitter: @KAWickenhauser
bit.ly/kawresource