The Department of Health and Human Services Office of Civil Rights (OCR) is currently engaged in its second round of HIPAA audits. At the same time, the Centers for Medicare & Medicaid Services (CMS) is conducting its own Meaningful Use Audits. Having conducted a comprehensive Security Risk Analysis is a key component of passing each of these audits.
The requirement that health care providers conduct a Security Risk Analysis was first mandated by the HIPAA Security Standards, which became effective in 2005. In guidance issued in 2010, OCR described the purpose and importance of the Security Risk Analysis as follows:
“The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.”
When OCR conducted its HIPAA audit pilot program in 2012, it was determined that nearly two-thirds of audited covered entities had not conducted a Security Risk Analysis. As a result of this finding, the Security Risk Analysis has become a central component of OCR’s current HIPAA audit protocol. By way of example, in September of this year, OCR announced that it had reached a settlement with a 13-physician group practice based on the group’s failure to conduct a Security Risk Analysis. As part of the settlement, the group will pay $750,000 and be required to complete a “robust” corrective action plan.
The Security Risk Analysis is also an important component of attesting to Meaningful Use under the Medicare EHR Incentive Program administered by CMS. Eligible providers who attested to Meaningful Use early in the program have been eligible to receive significant financial incentives from CMS in recent years. Now, attesting to Meaningful Use has become necessary to ward off reductions in Medicare payments.
As part of completing the Meaningful Use attestation, eligible providers must attest that a Security Risk Analysis has been conducted in the prior year. Should this attestation prove false, all funds received under the EHR Incentive Program must be returned. Furthermore, the knowing submission of a false Meaningful Use attestation could be grounds for a violation of the False Claims Act, which carries significant additional penalties.
What To Do
In light of these risks, it is crucial that all health care providers devote the time and resources necessary to conduct a comprehensive Security Risk Analysis to root out their unique risks and vulnerabilities. While the process may appear daunting, your Houston Harbaugh attorneys are here to assist you. If you have any questions or would like to discuss how we can help you with your Security Risk Analysis, contact any member of the Health Care Law Practice.