Executives & Privacy/Compliance Officers

Compliance and privacy officers have a range of responsibilities, pertaining to EHR.  Firms face steep penalties for infractions of federal regulations, especially in the case of data breaches.

  • Officers must monitor HIPAA requirements to ensure the organization is not in violation: Our HIPAA/HITECH Compliance Assurance  provides an independent evaluation of your operation.
  • We offer Toolkits to help prepare legal documents and educate managers / department heads for implementation of Meaningful Use.
  • For those working with outside firms/contractors, our Business Associate Assurance is advised for prior verification.
  • Officers must maintain records of employee activities and training, along with any technical difficulties.  For these concerns firms often consult with an OCR Audit Advisory Services for an appraisal.
  • To protect confidentiality and integrity of protected health information (PHI), EHR 2.0 offers to Encrypt Patient Data.

If at all unsure about what constitutes a data breach, or the requirements thereafter, please review our Webinar on the subject.

Healthcare organizations should have an administrator designated as Chief Information Officer, to oversee implementation of HIT.  A range of experience is needed to match technology with needs of the organization.  Many firms also task this executive with the responsibilities of privacy / compliance officer, so our services for this role often apply to the Chief Information Officer as well.

  • A top priority should be to identify key vulnerabilities, and Risk Analysis for Meaningful Use is required for all covered entities who receive CMS EHR incentive payments.
  • To protect confidentiality and integrity of PHI, EHR 2.0 offers to Encrypt Patient Data.
  • A component of HIPAA and generally recommended practice for all firms is the creation a disaster recovery/business continuity plan.  Please contact us to arrange consulting.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

HIPAA Security Rule requires three types of safeguards:
– Administrative – appointed officers, contingency plans
– Identify which employees need to access PHI and disable all others from doing so.
– Physical – locks, surveillance, environmental hazard control
– Technical – security software, employee policies

Before adopting EHR a practice needs to make sure it can cover the initial investment, including equipment / software cost and staff training. There is often lost production initially, as the staff gets adjusted to new procedures. When selecting an EHR system the firm should consider what functions will be required.

All staff must receive training upon joining the practice, then annually thereafter, covering HIPAA / HITECH regulations along with security and privacy best practices.

A data breach involves any improper access of PHI, including hacked files, unsecured stolen equipment, or disclosure to the wrong individual. Any effected patients must be notified within 60 days of the occurrence. If the breach affects 500 or more individuals the practice must also notify the media and HHS secretary. The practice must maintain records / documentation of all breach notifications. Also a Risk Assessment is required in the event of any breach to evaluate the extent of potential losses.

All computers must have security software installed before processing PHI, including firewalls, anti-malware, automatic updates, and encryption.

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
To be eligible for CMS Meaningful Use incentive payments a healthcare practice must meet the above requirements. There are three stages planned through the year 2016, with escalating requirements each time.

States have different records retention requirements; as a rule of thumb records must be kept for at least 7 years after the visit – other stipulations may apply, such as pertaining to civil, criminal, administrative proceedings.

Staff needs to know the procedures for disaster recovery, including long-term backup / archive considerations. Backups need to be generated on an ongoing basis and kept offsite, if possible.

Data breaches – staff members are the weakest link, and training is the most important step, assuming admin has properly installed and configured technology.
A Security Risk Assessment is required annually to receive Meaningful Use incentive payments. The practice needs to prove RA was performed and provide reassurance they are fixing any vulnerabilities. Even if not participating in CMS Meaningful Use program annual RA is advised for any firm using EHR to proactively prevent a data breach. RA is either handled internally or by bringing in a consultant. Participating in CMS or not, an RA is required in the event of any data breach.

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdfNIST guide for RA.

RA should go beyond what is legally required, including network / perimeter security, firewalls, and penetration testing (hiring an outside firm to see if they can breach the system).

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf
Before any device is discarded, data must be sanitized carefully, even when encrypted

Healthcare providers often enlist the service of Business Associates to perform services on their behalf. By using a BA the healthcare practice may not need to hire certain staff, which saves time and cost. Also the BA usually assumes responsibility for any errors / data breach that occurs instead of the practice. There must be a signed contract or agreement in place before services are performed by any Business Associate, outlining which services and responsibilities are accepted by the associate. Managers need to notify the IT department when a BA no longer needs access to PHI.

Any social media profile maintained the company must comply with HIPAA regulations by not making any unauthorized disclosure of patient details. The company should also monitor employees’ social media for violations or anything that may bring bad publicity.