Healthcare Advisor: Compliance with HIPAA’s Security Rule Assessment Requirements

August 20, 2015 by Ira Bedenbaugh

The digital revolution that has taken place in healthcare over the past two decades has done more than reduce mountains of paper files into compact databases. While electronic recordkeeping has made documenting patient care more efficient, healthcare practices and hospitals, along with every business partner that has access to electronic records, must strictly comply with a growing body of regulation designed to address privacy and security concerns surrounding a patient’s protected health information (PHI).

The passage of the Health Insurance Portability and Accountability Act in 1996 made the acronym HIPAA a familiar term in everyday conversations about healthcare. HIPAA’s Privacy Rule, finalized in 2000 with a compliance date of April 2003, was a major step toward limiting access to a patient’s medical records, and it became a central point of consideration as electronic recordkeeping spread in the early 2000s.

In 2003, the Department of Health and Human Services published the HIPAA Security Rule, which introduced specific standards requiring covered entities to put in place “appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.” Compliance with the Security Rule was required by April 2005 for most covered entities (April 2006 for small health plans). The rule serves as a companion to the Privacy Rule and focuses on protecting electronic protected health information (ePHI). Navigating its requirements can be challenging.

Impact of Government Subsidies and the Introduction of Meaningful Use

The transition to electronic health records received a significant boost in 2009 when the federal government set aside over $20 billion in the American Recovery and Reinvestment Act to encourage healthcare providers to convert paper files to an electronic platform. In order to qualify for the federal funding to facilitate the conversion to electronic records, healthcare providers had to comply with the Meaningful Use criteria set by the Centers for Medicare & Medicaid Services.

The criteria for Stage One of Meaningful Use required healthcare providers to perform a HIPAA Security Rule assessment. The vast majority of covered entities found themselves asking: What is a Security Rule assessment, and who can perform one? The reality is that such assessments have been required of every covered entity working with ePHI since the Security Rule’s compliance deadline took effect, years before Meaningful Use existed.

Following a Freedom of Information Act (FOIA) request in 2014, the results of audits by the Centers for Medicare & Medicaid Services showed an alarming and costly trend in the state of Security Rule assessment programs within hospitals and private practices. The audit data released by Health & Human Services (HHS) revealed the following: of the nearly 5,900 pre-payment audits, 21.5 percent of eligible providers did not meet Meaningful Use standards. Nearly a third of those failures could be traced to providers not having performed the required security risk analysis or otherwise not having proper security measures in place. More broadly, the HHS report showed that nearly 93 percent of those failing had not met the Meaningful Use objectives and their associated measures.

The financial implications in the FOIA release underlined the serious impact that a sub-standard ePHI program can have on a practice or hospital. In post-payment audits, 24 percent of the 4,600 practices audited failed to meet Meaningful Use standards, and those failures resulted in proposed returned incentive payments averaging just over $16,800 per practice. While the failure rate on the hospital side of the post-payment audits was smaller, the proposed returned incentive payments averaged more than $1.1 million per hospital.

According to recent reports, the Office for Civil Rights (OCR, the HHS agency charged with enforcing HIPAA and the Security Rule) will be expanding the number of audits it performs over the next two years. Given the number of providers that have accepted federal money to establish their electronic health record systems, the broader (and more important) question is this: How many entities working with any sort of electronic healthcare information have actually conducted a Security Rule assessment? While there has been an understandable focus on healthcare providers and their compliance programs, the Security Rule applies to all entities working with ePHI. In addition to covered entities, business associates such as billing services, cloud-based software companies, attorneys, accountants and a myriad of others are subject to the Security Rule.

Components of the Security Rule & Security Rule Safeguards

The Security Rule focuses on the confidentiality, integrity and availability of ePHI. Rooted in risk analysis and risk management, it requires a covered entity to identify the threats and vulnerabilities in its environment that could lead to a breach of its electronic health records and to reduce those risks to a reasonable and appropriate level. The rule was designed to be scalable, reasonable and technology neutral, meaning it can adapt as electronic recordkeeping technology advances.

The Security Rule sets out 41 safeguards across three areas: administrative, physical and technical. The 21 administrative safeguards focus on policies and procedures, risk analysis, workforce access, security incident procedures, contingency planning and security awareness training. The 11 physical safeguards center on facility access controls, workstation use and security, and device and media controls, including the disposal and reuse of hardware that held ePHI. The nine technical safeguards cover access control, audit controls, integrity, person or entity authentication and transmission security, including encryption of ePHI at rest and in transit.

Meeting the requirements of the Security Rule safeguards can stress the IT resources of most healthcare practices beyond their limits, and even hospitals can find implementing every aspect of the safeguards quite challenging. Compliance with the Security Rule is not negotiable. Violations discovered through OCR audits or through OCR’s investigation of data breaches can result in sizable fines, including federal penalties in excess of $1 million.

The Value of Using an Objective Third Party for Security Rule Assessments

A hospital IT department may have the assessment of the traditional hospital environment well under control. The challenge is IT resources. As hospitals expand to new locations and acquire physician practices in ever larger numbers, the environment changes dramatically. Increasingly, healthcare providers and hospitals are engaging third-party resources to conduct periodic HIPAA Security Rule assessments, particularly for satellite offices and remote locations.

A thorough risk assessment examines all threats to a healthcare organization, whether physical, environmental or human. It also identifies the vulnerabilities that, if exploited by a threat, could result in a breach. Those vulnerabilities can lie in IT hardware, software applications, password management, contingency planning, staff training, and policies and procedures.

The complexities of the Security Rule may prompt some healthcare providers to keep their paper files and shun electronic health records. However, even practices that still use paper charts as their primary recordkeeping system may be subject to the Security Rule: any patient financial records or demographic information stored in electronic form is ePHI and falls under the rule.

Though some healthcare providers may continue to hold out before fully embracing the digital age, electronic health records in some form touch practically every healthcare provider in the nation. A proactive assessment program that allows a healthcare entity to meet all of the standards outlined by the Security Rule is a must in today’s highly competitive medical services field.

We Can Help!

Navigating the requirements outlined by the Security Rule demands proven expertise. At Elliott Davis Decosimo, our approach is to examine the threats to the healthcare entity, the vulnerabilities within it and its compliance with each of the Security Rule safeguards. From that we provide the entity with a measure of the risk associated with its operations, based on where it is and is not compliant. Rating each area as high, medium or low risk gives the organization a road map for reducing its exposure and lets it allocate IT resources to the areas that matter most.

To learn more about how we can assist with HIPAA and your Security Rule needs, please contact a member of the Elliott Davis Decosimo healthcare team at 866-417-4059.