Electronic health records (EHRs) provide many benefits to providers as well as their patients; however, the true value of those benefits depends on how the records are used. The Meaningful Use standards govern the use of EHRs and allow eligible providers to earn incentive payments if they meet specific criteria.
Meaningful Use requires that patient data be protected, and protecting patient information is much like protecting patient safety: it has to be done continually, not once. Do you allow needles to be shared between patients? Do you touch your patients without washing your hands first or without wearing gloves? Absolutely not, and chances are you don't even have to think about it; these things are habitual for you. Protecting patient records has to become just as habitual.
Practices want to be HIPAA compliant, yet many don't know what the rules actually require. Many assume that becoming HIPAA compliant takes a day or two, accomplished by taking an online course or signing some forms, after which they can go back to doing things the way they always have. This couldn't be farther from the truth.
HIPAA Compliant Changes
To become HIPAA compliant your daily practice operations will likely require a significant number of changes.
HIPAA compliant changes may involve:
- The way you train and document the training for your current staff and new employees.
- Hiring an IT professional to provide Managed Services to monitor and maintain your network.
- Paying for a business email service, because consumer free-mail services that won't sign a Business Associate Agreement or encrypt messages aren't acceptable for sending patient information.
- Ending the sharing of logins and passwords; every employee gets an individual account so that access to records can be traced to one person.
- Upgrades to your computers and network devices to protect patient data.
- Regular reviews of access to your system to ensure only authorized staff are able to view patient records.
- Documenting your activities to prepare for an audit or data-breach investigation.
- Monitoring your employees’ activities and conducting internal compliance audits.
- Enforcing privacy regulations the same way you enforce rules regarding patient safety.
- Automatic logoff so that an unattended workstation can't be used by an unauthorized person to reach patient data.
- Risk Analysis performed by a certified professional who assists with your compliance program.
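Two of the items above, regular access reviews and individual (unshared) logins, can be checked against the audit log every EHR system keeps. The following is an added example, not code from the original article or from any EHR vendor: it runs over a few constructed audit-log lines in an assumed whitespace-separated format (real EHR audit exports differ), flags any access by an account that is not on the current authorized-staff roster, and flags an account that appears on two different workstations within a short window, which is what a shared password typically looks like in a log.

```python
"""Access review over constructed EHR audit-log lines.

Added example; the log format, user names, workstation names and patient
identifiers below are all assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, workstation, patient record, action.
SAMPLE_LOG = """\
2013-03-04T08:02:11 jsmith FRONT-DESK-1 P1001 view
2013-03-04T08:03:40 jsmith FRONT-DESK-1 P1002 view
2013-03-04T08:04:05 jsmith EXAM-ROOM-3 P1003 view
2013-03-04T09:15:00 drlee EXAM-ROOM-1 P1004 view
2013-03-04T09:16:30 drlee EXAM-ROOM-1 P1004 update
2013-03-04T12:30:00 tgone FRONT-DESK-2 P1005 view
2013-03-04T13:00:00 mpatel BILLING-1 P1001 print
"""

# Roster of accounts currently authorized to view records (assumed).
# "tgone" is a departed employee whose account was never disabled.
AUTHORIZED_USERS = {"jsmith", "drlee", "mpatel"}

# One account active on two different workstations within this window
# suggests a shared password rather than one person walking between rooms.
SHARED_LOGIN_WINDOW = timedelta(minutes=2)


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, patient, action = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "workstation": workstation,
            "patient": patient,
            "action": action,
        })
    return events


def unauthorized_access(events, roster=AUTHORIZED_USERS):
    """Return (user, patient, time) for every access by an account not on the roster."""
    return [
        (e["user"], e["patient"], e["time"].isoformat())
        for e in events
        if e["user"] not in roster
    ]


def suspected_shared_logins(events, window=SHARED_LOGIN_WINDOW):
    """Return {user: (workstation_a, workstation_b)} for accounts seen on two
    different workstations within `window` of each other."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            same_station = prev["workstation"] == cur["workstation"]
            if not same_station and cur["time"] - prev["time"] <= window:
                flagged[user] = (prev["workstation"], cur["workstation"])
                break  # one finding per account is enough for the review
    return flagged


def access_review(text=SAMPLE_LOG):
    """Run both checks and return a report suitable for the compliance file."""
    events = parse_log(text)
    return {
        "unauthorized": unauthorized_access(events),
        "shared_logins": suspected_shared_logins(events),
        "users_seen": sorted({e["user"] for e in events}),
    }


if __name__ == "__main__":
    for key, value in access_review().items():
        print(f"{key}: {value}")
```

Keeping the dated output of a run like this is exactly the kind of documentation an auditor asks for: it shows that access was reviewed, what was found (here, a departed employee's account still in use and one account apparently being shared), and when.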
The federal government currently performs pre-payment audits before making incentive payments, as well as post-payment audits after incentive payments have been made for the Meaningful Use of Electronic Health Records systems. Under the HITECH Act, attesting to Meaningful Use requires HIPAA compliance, including a Security Risk Analysis, and any deficiencies the analysis identifies must be remediated during the 90-day Meaningful Use reporting period.
Both physicians and practice managers are usually surprised when the Risk Analysis exposes that they're not complying with HIPAA. They often ask what HIPAA has to do with Meaningful Use, or why they have only 90 days to comply, when in fact they should have been HIPAA compliant since the Security Rule's 2005 compliance date.
Some practices have attested to the measure and received their incentive payments even though they never performed the Core Measure 15 Security Risk Analysis. Many have then been caught by audits and had to return the funds. Practices also risk enforcement under the federal False Claims Act or, in extreme cases, criminal Medicare fraud prosecution.
While many people think that being HIPAA compliant is expensive, a hospital that had to pay a $1.5 million fine probably doesn't think so now. Neither do the many practices that had to return their 2012 incentive payments of $12,000 or $18,000 after failing an audit because they hadn't done a Security Risk Analysis.
Becoming HIPAA Compliant
By having a Security Risk Analysis done as soon as possible, you'll have more time to address any HIPAA compliance issues it uncovers. By hiring an IT professional to audit your practice, you get a third-party review that follows a methodology similar to a federal audit or investigation, so you know where you stand before a federal audit occurs rather than finding out during one. It's a good idea to obtain an independent review of your practice or business by professionals who understand both IT security and compliance.
The EHR Incentive Program is administered by the Centers for Medicare & Medicaid Services (CMS), and the Office of the National Coordinator for Health IT (ONC), which publishes the program's privacy and security guidance, advises doing a thorough and professional risk analysis that will stand up to a compliance review. For most practices that requires expertise an experienced outside IT compliance professional brings.
Get a Security Risk Analysis done by a qualified professional as soon as possible; whether your motive is to protect patient data, abide by the law, or keep the incentive money for implementing an EHR system.
Otherwise, don't attest and take the incentive money, because chances are you'll be audited or investigated for a HIPAA violation. Remember that patient data is private and entrusted to you, which is exactly why being HIPAA compliant is the right thing to do.
Have questions about HIPAA compliance and medical IT services? Call us today, we are your trusted IT support professionals.