Annual Risk Assessment Requires Input From Your IT Professional

Both the HIPAA Security Rule and the Meaningful Use (MU) regulations require a practice to conduct an annual Risk Analysis, take corrective action on the issues it identifies, and document both the analysis and the corrective action, covering system changes as well as procedures. The Annual Risk Analysis has a technical element and a managerial element.

The HIPAA requirement has been in effect for 5 years; the MU regulation is relatively new. If you are in compliance with the HIPAA Security Rule, you will meet the Risk Analysis requirement for MU.

OCR (Office for Civil Rights) has already conducted some audits of healthcare organizations following a breach where the circumstances reported seemed to indicate that adequate technical and administrative precautions were not in place. In 2012, programmed audits will begin to look at the overall compliance of the organizations selected.

Obtaining specific input from an IT Professional is a critical piece of your annual Risk Assessment.

Practices must depend on their Information Technology (IT) professionals to perform the technical review for the areas or systems they service. Your IT professional may be on your staff if you have a large practice, and/or may be one or more vendors or companies who provide help on a continuing basis.

  • You may use an IT company that handles your PCs, servers and system integration maintenance.
  • You may also use a practice management system that is maintained and serviced by the vendor who installed it.
  • You may have an IT person on staff as well.
  • Almost always there are multiple players who support your technology environment whether large or small.

Ask all of your IT professionals for a Risk Assessment on the system they provide or service to help you meet the technical part of the analysis. The vendor must be knowledgeable about HIPAA as well as the Meaningful Use regulations. Be sure they address both what constitutes a violation of the HIPAA requirements and what constitutes a vulnerability that could lead to a breach. (You can have a breach without being in violation of the HIPAA Security Rule.) They can then tell you the issues and discuss the possible solutions with you, which need to be documented as well.

Few system environments, if any, will be absolutely secure. You just need to understand the issues and risks so you can make an informed management decision as to the type of corrective action or protective steps to take.

As the manager, you can and must ask your IT professional specific critical questions that will prompt the appropriate review by them. The ultimate responsibility of compliance with all of the regulations rests with the practice so you must know and document the specifics. General comments that your systems are compliant are not sufficient to meet this test.

The TMC HIPAA Annual Risk Analysis document includes those critical questions that must be answered for the manager. You want to be sure any system you own, run or purchase keeps you compliant with regulations. The IT person should know the HIPAA requirements and be able to vouch for the system they are providing.

The IT professional that provides your general service (fixing technical problems, integrating systems and processes, etc.) must be prepared to proactively alert you to issues you may never even know exist. Examples:

  • You have a scanner and fax machine that retain all data on a hard drive that is not encrypted and cannot be encrypted.
  • When you ship a server to be repaired, there is a risk because the data on it is not encrypted.
  • The system you are about to purchase cannot be encrypted.
  • The thumb drives in use are not encrypted and cannot be.
  • Your wireless network can be easily accessed and could potentially expose your patient data.

You can then make informed management decisions as to what must be corrected and what cannot be corrected immediately. For the issues that cannot be corrected immediately, you must take extra precautions to reduce the risk in some other way.

Total Medical Compliance can provide the assistance you need to ask the right questions, document the information as required by regulation, determine the level of risk by working with you and your IT professional and help you formulate management solutions.

Working with IT professionals who understand which technology is acceptable under HIPAA is the other critical element. Be sure your IT professional has a deep understanding of HIPAA and the latest HITECH requirements. Do they have a written HIPAA program in place for their own organization? This is a requirement under the new regulations. See the TMC Business Partners page on our website to see those companies with HIPAA Programs provided by TMC: www.TotalMedicalCompliance.com.

Don’t wait until you have a breach or you receive notice from OCR that you have been selected for an audit. Waiting could be costly for your practice.

Read more in the September issue of the TMC Advisor, a monthly compliance newsletter.
