Takeaways: Yet another notice that HIPAA enforcement and liability are not something to keep putting off until later. The web of liability means it is no longer just yourself you have to worry about getting caught up in audits or breaches.
And the hits just keep on coming! (She says, dripping with sarcasm.) If you have not had the time to experience the riveting read that is the Office of Inspector General Work Plan, Fiscal Year 2015, you may not be missing a bestseller, but it contains information many of you should make note of when planning your 2015 HIPAA budget and projects. Yes, I said budget and projects.
Here is a section with information to note: Systems and Information Security, in Appendix B—Recovery Act Reviews, page 75, under "Security of certified electronic health record technology under meaningful use":
We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology. A core meaningful-use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities. To meet and measure this objective, eligible hospitals, including critical access hospitals, must conduct a security risk analysis of certified EHR technology as defined in Federal regulations and use the capabilities and standards of Certified Electronic Health Record Technology. Furthermore, business associates that transmit, process, and store EHRs for Medicare and Medicaid providers are playing a larger role in the protection of electronic health information. Therefore, audits of cloud service providers and other downstream service providers are necessary to ensure compliance with regulatory requirements and contractual agreements.
So, if you or your clients received EHR incentive payments, the OIG may be performing a random security audit on your client, your business, or both. The most important point is that this notice specifically mentions a security risk analysis of certified EHR technology. We are building our own document library of EHR security features and the options that should be set for security. The fact that we are building our own means we are rarely encountering a case where we don't need to provide that information to the CE. Yes, they are thrilled we have it, but… we aren't supposed to be doing their first analysis. Just sayin'.
So the OIG may come knocking, and we are getting more details on the OCR audits for 2015, too. The part I point out to many of our BA clients is that they aren't kidding when they say they are going to audit you too. 50 security audits are planned for BAs, and 35 of those will be IT-related companies. So, maybe it isn't the hits that keep on coming after all. Maybe I should say the HINTS just keep on coming.
OK, so you say the chances of being selected in these random audits are statistically very low. I love numbers and totally agree with that point. But the chances of getting audited aren't what you should be worrying about. What you should be worrying about is:
- Having a breach and getting that call about your investigation requirements (see They Want What?!)
- Any of your BAs getting audited or investigated and doing a face plant right in front of OCR (as demonstrated below). How will that reflect on your compliance level? How quickly will you be able to replace them?
- Knowing you had plenty of time to catch up and kept putting it off. The longer it takes for something to happen, the worse it will look when it does.