The Department of Health and Human Services Office for Civil Rights (OCR) is currently engaged in its second round of HIPAA audits. At the same time, the Centers for Medicare & Medicaid Services (CMS) is conducting its own Meaningful Use audits. Having conducted a comprehensive Security Risk Analysis is a key component of passing each of these audits.
The requirement that health care providers conduct a Security Risk Analysis was first mandated by the HIPAA Security Standards, which became effective in 2005. In guidance issued in 2010, OCR described the purpose and importance of the Security Risk Analysis as follows:
“The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.”
When OCR conducted its HIPAA audit pilot program in 2012, it determined that nearly two-thirds of audited covered entities had not conducted a Security Risk Analysis. As a result of this finding, the Security Risk Analysis has become a central component of OCR’s current HIPAA audit protocol. By way of example, in September of this year, OCR announced that it had reached a settlement with a 13-physician group practice based on the group’s failure to conduct a Security Risk Analysis. As part of the settlement, the group will pay $750,000 and be required to complete a “robust” corrective action plan.
The Security Risk Analysis is also an important component of attesting to Meaningful Use under the Medicare EHR Incentive Program administered by CMS. Eligible providers who attested to Meaningful Use early in the program have been eligible to receive significant financial incentives from CMS in recent years. Now, attesting to Meaningful Use has become necessary to ward off reductions in Medicare payments.
As part of completing the Meaningful Use attestation, eligible providers must attest that a Security Risk Analysis has been conducted in the prior year. Should this attestation prove false, all funds received under the EHR Incentive Program must be returned. Furthermore, the knowing submission of a false Meaningful Use attestation could be grounds for a violation of the False Claims Act, which carries significant additional penalties.
What To Do
In light of these risks, it is crucial that all health care providers devote the time and resources necessary to conduct a comprehensive Security Risk Analysis to root out their unique risks and vulnerabilities. While the process may appear daunting, your Houston Harbaugh attorneys are here to assist you. If you have any questions or would like to discuss how we can help you with your Security Risk Analysis, contact any member of the Health Care Law Practice.
In order to navigate the complicated and ever-changing laws surrounding health care and your business, you need attorneys who understand your challenges. The Pittsburgh health care lawyers at Houston Harbaugh, P.C., have the knowledge and experience to help you manage everyday issues, as well as plan for the future.
Jessica A. Ellel - Practice Chair
Chair of Houston Harbaugh’s Health Law Practice, Jessica works almost exclusively with health care entities and health practitioners. She has extensive experience with:
- Drafting and negotiating physician employment agreements from both the physician and employer perspectives
- Negotiating contracts between physicians and hospitals
- Preparing purchase agreements to govern the sale of medical practices
- Advising on corporate governance issues, from practice formation to dissolution
- Developing comprehensive compliance plans for physician practices, hospitals, third-party billing administrators, and other health care and related entities
- Organizing strategies for compliance with fraud and abuse laws
- Addressing HIPAA compliance
Jessica is especially well-versed in HIPAA compliance and authors numerous client updates and bulletins on the subject. She conducts on-site and remote HIPAA training and also maintains Houston Harbaugh’s HIPAA compliance manual, “Federal HIPAA Privacy Standards Simplified: A Comprehensive Tool-Kit.”