One of the most challenging decisions facing healthcare organizations today is whether to adopt an electronic health records system. The decision involves a significant commitment of money and time: transferring data, learning the new system and many other issues. An essential element in reviewing vendor proposals and deciding how to implement an EMR system is an analysis of how well the system protects health records, and the sensitive personal information in those records, against unauthorized use and disclosure, including theft. In an age of global information exchange, unauthorized disclosure extends beyond inadvertent access all the way to deliberate intrusion by well-organized criminal enterprises. Failure to conduct risk assessments and to ensure that your EMR system is protected against intentional or inadvertent disclosure exposes covered entities and business associates to potential civil and criminal liability, regardless of the size of the enterprise. Moreover, if your organization wishes to qualify for federal stimulus money under the Medicare or Medicaid EMR incentive programs, it must comply with the meaningful use requirements discussed in more detail below. This article offers a few broad suggestions for conducting a risk assessment that will help avoid potential liability and assist in qualifying for government assistance in purchasing an EMR system.
It is certainly no secret that there has been a wave of activity across the country concerning the adoption of electronic health records systems. Terms such as "EMR," "EHR," "interoperability" and "implementation schedule" are tossed about on a daily basis, like so many tennis balls. For many healthcare providers, the ability to implement electronic information systems that will ultimately help them manage their patients better, while at the same time qualifying for federal stimulus dollars to offset the cost of such EMR programs, is an attractive prospect. However, to comply with federal law and qualify for such government monies, the provider must meet a set of criteria called the "meaningful use" criteria.[1]
Meaningful use criteria
Meaningful use criteria are a set of criteria adopted by the federal government that a provider must meet to show that it is using its EMR effectively in its practice. Instead of requiring that all meaningful use criteria be adopted at once, the government divided adoption into stages spread over five one-year increments. Each stage requires a provider to demonstrate a progressively higher level of EMR adoption, measured by the functionality in use and the information exchanged. During stage one, providers must comply with 20 mandatory requirements and must choose five more from a menu of 15 additional criteria to qualify for federal stimulus dollars. This article focuses on one of the stage one mandatory meaningful use criteria, the requirement that the provider perform a security risk analysis, because it can be a land mine for a healthcare organization. Despite the rush to adopt EMR systems, many organizations do not know what a security risk assessment means or how to conduct one. Failure to comply with this requirement not only disqualifies a provider from federal incentive money but can result in costly civil and criminal penalties, corrective action plans and valuable time taken away from revenue-producing patient care if a HIPAA complaint is made against the provider.
Security risk assessment defined
Under the Health Information Technology for Economic and Clinical Health Act,[2] "meaningful use" means that healthcare providers and organizations must:
- Perform a security risk analysis in accordance with the requirements of 45 CFR 164.308(a)(1). A security risk analysis means that you must identify the potential risks and vulnerabilities to the confidentiality, integrity and availability of all electronic protected health information (e-PHI) that your organization creates, receives, maintains or transmits.
- Implement security updates as necessary and correct identified security deficiencies as part of the risk management process.
In our practice, we have observed that many healthcare providers and organizations do not know how to perform a security risk analysis and do not even know what the term means. Moreover, in many instances, providers do not understand the risk of failing to perform one. As explained above, and as many providers have learned recently, this failure can be costly, not only in the loss of federal stimulus dollars, but also in exposure to fines and penalties.
Imagine a scenario in which an unauthorized person or entity obtains access to a provider's electronic records and that breach becomes known (since breaches of unencrypted information must be reported, this is almost a certainty). A recent example is the case of BlueCross BlueShield of Tennessee, which was fined $1.5 million as the result of an OCR breach investigation. In that case, 57 unencrypted computer hard drives containing the PHI of over a million individuals were stolen from a leased facility. As required by law, BlueCross notified the HHS Office for Civil Rights (OCR), which conducted an investigation and concluded that BCBS had failed to implement appropriate safeguards to protect PHI at the leased facility. Such fines are not limited to large organizations. In the case of Phoenix Cardiac Surgery Group, a small (five-person) medical group paid $100,000 to settle HIPAA violations, among them the failure to conduct a risk analysis.
If a customer, client or patient makes a HIPAA-related complaint, it is likely that your organization will be contacted by the federal agency that enforces HIPAA, the HHS Office for Civil Rights. Representatives of that office will conduct an investigation that reviews your policies and procedures for risk assessment and risk management, determines whether the organization has conducted initial and ongoing training, and assesses the likelihood and potential impact of unauthorized access to records. Only by testing your EMR system and conducting a risk analysis can an organization determine its areas of vulnerability and the likelihood that a person or entity who should not have access to protected health information could obtain it.
There are many different methods for conducting a risk assessment or threat analysis, and there is no single "best" method. Regardless of the method you employ, every risk analysis must include certain basic elements, which are described below. Risk assessment is not a one-time event but a process of continuous re-evaluation to ensure that you are anticipating and prepared for potential threats to the security of your EMR system and continue to have appropriate security measures in place. You should conduct an assessment when you acquire an EMR system and whenever you change or add programs, technologies or business plans, and you should update it at regular intervals and as you become aware of new threats and vulnerabilities. Document every stage of the assessment. Your documentation should record three kinds of information: the types of threats; the situations in which they may occur, with their potential causes, likelihood and potential impact; and an assessment of the effectiveness of current security measures.
9 Basic elements of a risk assessment
Below are the nine basic elements of a risk assessment.
- Identify where the PHI is stored, received, maintained or transmitted. Review servers, networks and cloud systems. Review off-site as well as on-site points of data collection. This data collection effort can draw on reviews of past and existing projects, interviews, review of documentation, analysis of patterns and trends, a search for other indicators of existing and potential threats, and other data gathering techniques. There is no single approach to this process, so we recommend using a combination of methods. You might follow a typical patient and trace where and how their data is collected and maintained. If it is kept on site, who has access, and where exactly is it stored? If it is stored off site, is it on a physical server you control or in a cloud service? Who has access there, and what are that organization's policies? Document the data collection effort.
- Identify and document potential threats and vulnerabilities. The provider or organization is responsible for identifying and documenting "reasonably anticipated threats" to the PHI, including threats unique to the circumstances of its storage and collection environment. Gauge the threat level. Identify and document vulnerabilities which, if triggered or exploited by a threat, "would" or "could" create a risk of inappropriate access to or disclosure of e-PHI. For example, what if there is a flood, an earthquake or a theft? Would the data be exposed or accessible, and how? Assess intentional as well as accidental access. Have you had past incidents that point to a likely threat? Compile and document the list of potential threats.
- Assess current security measures. You must assess and document the security measures your organization uses to safeguard e-PHI, such as passwords, encryption, intrusion detection and firewalls. Determine whether current security measures are configured and used properly; conduct tests, because simply owning a firewall does not mean it is deployed, correctly configured and working. If a key person is out sick or leaves the organization, will the security measure still function? Look at human as well as technological issues.
- Determine the likelihood of threat occurrence. Once you have identified potential threats, you must take into account the likelihood that they will occur. Conduct tests, simulate a threat, and see whether the security in place protects the data. The results of this assessment, combined with the initial list of threats from the steps above, will help determine which threats are "reasonably anticipated." Document every combination of threat and vulnerability and estimate how likely each threat is. Consider the location, type, situation and likely cause of each threat. Identify patterns and trends. You may want to rank them as well.
- Determine the potential impact of threat occurrence. In addition to determining the likelihood of a threat, you need to determine its potential impact. This analysis, called the "criticality" of the threat, reviews what the consequences would be if the threat were to materialize. A threat might be likely but have little impact and be addressed immediately, or it might be extremely unlikely but have a huge potential impact. You can use a qualitative or quantitative method, or a combination of the two, to measure the impact of the threat or vulnerability on the organization. Document what would happen if the threat occurred. How would it affect the availability, security and confidentiality of the PHI?
- Assign a level of risk. Now that you know the potential threats, their likelihood and impact and the existing security measures, you need to assign a risk level to every threat and vulnerability identified. This can be done in a number of ways. The level of risk could be determined, for example, by combining the likelihood of threat occurrence with the impact of its occurrence. One simple approach is to assign a risk level based on the average of the assigned likelihood and impact levels and compare that with other potential risks; bear in mind, however, that a plain average can understate a threat that is unlikely but would have a severe impact, so many organizations instead read the risk level from a matrix of likelihood against impact. Document the risk level assigned to each risk identified and develop a list of corrective actions to mitigate each one.
- Finalize your documentation. There is no specific format for the documentation of the risk assessment. However, it is essential that such documentation become a part of your risk management process.
- Periodic review and updates to the risk assessment. The risk analysis process should be ongoing. Risk assessments and security measures must be updated and documented on an ongoing basis. Remember, proper risk management and security assessment is not a one-time event; it must be repeated continuously to re-evaluate threats and security measures, or it is not effective.
- Gap analysis report and remediation action plan. The next step in the process is what is known as remediation. The documentation developed in the risk assessment should be used to prepare a written gap analysis report. This report, as its title indicates, documents the "gaps" in security and the potential areas of vulnerability, including how likely they are to happen, the impact if they do happen and what can and will be done about them. The gap report should be reviewed and discussed by a risk management team. The team should analyze the findings and propose and develop recommendations for addressing the gaps. During the remediation process, the risk management team conducts a diligent process of repairing the deficiencies documented in the risk assessment.
The risk management team should then prepare a remediation action plan that ranks the threats and deficiencies in order of importance. List the most serious deficiencies and areas of highest risk and address those first. As part of the same process, the risk management team should discuss, develop and implement a plan for an ongoing risk management process. That process should include regularly scheduled reviews of remediation steps, regular re-assessments, documentation of incidents, assigned responsibility for implementing and following up on remediation efforts, documentation of training, and other vital management items.
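The nine elements above, carried through as one worked example in Python. This is an added illustration, not code from the article or its authors: the PHI locations, threats, controls, rating scales and risk matrix are all constructed for a hypothetical five-clinician practice. It makes two points explicit that the prose leaves implicit: a listed safeguard earns credit in the likelihood rating only after it has actually been tested, and the risk level is read from a matrix rather than computed as an average, so the team decides deliberately how an unlikely but severe threat ranks against a frequent but minor one.

```python
"""Worked risk register for the nine elements above (added example, not code
from the article or its authors; every location, threat, control, scale and
score is constructed for a hypothetical five-clinician practice)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """Shared ordinal scale. Each rating needs a written definition so that
    MEDIUM means the same thing to every reviewer; these are assumptions:
    likelihood  LOW = not expected within 3 years, MEDIUM = plausible within
                a year, HIGH = expected within a year or already happened
    impact      LOW = no reportable breach, MEDIUM = breach under 500 people
                or outage over a day, HIGH = breach of 500+ or loss of system"""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Element 6: risk matrix (likelihood, impact) -> risk level.  A lookup table
# rather than an average, so reviewers decide explicitly how an unlikely but
# severe threat is rated.  The table itself is a design choice for this example.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW,       (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,   (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM, (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,   (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


@dataclass(frozen=True)
class RiskItem:
    location: str           # element 1: where the e-PHI is stored or flows
    threat: str             # element 2: reasonably anticipated threat
    vulnerability: str      # element 2: weakness the threat would exploit
    control: Optional[str]  # element 3: safeguard claimed to be in place
    control_verified: bool  # element 3: has the safeguard actually been tested?
    likelihood: Level       # element 4: likelihood before credit for controls
    impact: Level           # element 5: impact if the threat occurs


def effective_likelihood(item: RiskItem) -> Level:
    """A safeguard lowers likelihood one step only if it has been verified;
    a firewall that exists in policy but was never tested gets no credit."""
    if item.control and item.control_verified and item.likelihood > Level.LOW:
        return Level(item.likelihood - 1)
    return item.likelihood


def risk_level(item: RiskItem) -> Level:
    return RISK_MATRIX[(effective_likelihood(item), item.impact)]


def remediation_plan(items: List[RiskItem]) -> List[Tuple[Level, RiskItem]]:
    """Element 9: highest risk first; ties broken by impact, then likelihood,
    so a rare but catastrophic threat is listed ahead of a frequent nuisance."""
    return sorted(((risk_level(i), i) for i in items),
                  key=lambda p: (p[0], p[1].impact, effective_likelihood(p[1])),
                  reverse=True)


def gap_report(items: List[RiskItem]) -> str:
    """Element 8: plain-text gap report for the risk management team to review."""
    lines = []
    for rank, (level, item) in enumerate(remediation_plan(items), 1):
        ctl = (f"{item.control} ({'verified' if item.control_verified else 'NOT verified'})"
               if item.control else "none")
        lines.append(f"{rank}. [{level.name}] {item.location}: {item.threat} via "
                     f"{item.vulnerability}; control: {ctl}; likelihood "
                     f"{effective_likelihood(item).name}, impact {item.impact.name}")
    return "\n".join(lines)


# Constructed register; every entry is made up for illustration.
REGISTER = [
    RiskItem("Laptops used for home charting", "Theft of device",
             "Full-disk encryption not enforced", None, False, Level.MEDIUM, Level.HIGH),
    RiskItem("On-site EMR database server", "Ransomware from the Internet",
             "Server reachable from guest Wi-Fi", "Perimeter firewall", False, Level.HIGH, Level.HIGH),
    RiskItem("Front-desk workstations", "Staff viewing records of non-patients",
             "Access logs never reviewed", "Role-based EMR accounts", True, Level.HIGH, Level.MEDIUM),
    RiskItem("Backup drives in server room", "Flood or fire",
             "Backups kept beside the server", "Off-site copy", True, Level.LOW, Level.HIGH),
    RiskItem("Exam-room printers", "Printouts left in output tray",
             "Tray visible to waiting patients", "Clear-desk check each shift", True, Level.HIGH, Level.LOW),
]

if __name__ == "__main__":
    print(gap_report(REGISTER))
```

Running the script prints the ranked gap report. The unverified firewall and the unencrypted laptops land at the top, and the rare but catastrophic backup scenario is listed ahead of the more frequent front-desk issue at the same risk level, which is the ordering a remediation action plan should start from.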
Getting expert advice
Regardless of who prepares your HIPAA policies and procedures, it is essential that you work with a specialist to advise you on risk assessment and risk management and to help design, guide and implement the risk assessment and remediation process. Large healthcare systems have in-house specialists. Smaller providers would be well advised to consult someone who is well versed in HIPAA law, knows data security and IT hardware and software, and can advise them on issues such as encryption, levels of security and access, ways to test whether outsiders can penetrate their systems and methods for limiting internal access. Even a workforce member who has authorized access for one purpose should not be able to access data for another, unauthorized purpose.
Here are some questions to ask when evaluating a consultant:
- What range of services does the consultant offer? If they only do IT security work, that's not enough; they need to be able to assess physical security and also administrative measures such as policies, training, documents, staff awareness, breach protocols and other issues.
- Can the consultant provide appropriate references? Ask for a short list of other healthcare providers with whom they have done work similar to what you need. Make sure to get names, email addresses, phone numbers and any other information that applies. Make certain to contact the references and ask about the quality of the work performed.
- Can they provide an example of one of their reports? Review the report to see that it is understandable, details gaps, risk levels associated with each and recommendations for remediation. Merely describing threats as low, medium or high means different things to different people and will not assist you in addressing potential threats and developing remediation plans.
- What other services does the consultant provide? Do they only do threat assessment analysis or can they or someone else in their company assist with remediation efforts? For example, do they only assist with staff training and policies and procedures or can they assist with IT strategy? If they simply conduct assessments and deliver reports without being available to deliver remediation assistance, they may not be the best contractor for you.
- Do they have legal resources as part of their services? Good compliance contractors work closely with, or have ready access to, highly qualified healthcare attorneys. This twofold approach is vital; having the backing and advice of competent legal counsel adds an extra dimension of expertise and up to date information.
- Are they thoroughly familiar with the advantages and disadvantages of "cloud" based solutions versus "on-site" solutions? There are positives and negatives to both, and many "cloud" based solutions are not properly designed to protect sensitive healthcare data. At a minimum, the consultant should know to ask whether the cloud vendor will sign a business associate agreement and how PHI is encrypted both at rest and in transit.
One final issue to bear in mind is that if you want to apply for federal financial assistance for an EMR system, the provider or healthcare organization must attest that it has met the meaningful use criteria, including the risk assessment requirement. As always, be careful when making an attestation to the federal government. Providers and healthcare organizations are subject to serious civil and criminal fines and sanctions under federal law for making false claims to the federal government, including potential liability under the federal False Claims Act for presenting a false or fraudulent claim.[3]
Well-run healthcare businesses recognize that managing EMR and PHI is much more than an IT project and requires the involvement of the entire workforce as well as the use of properly trained specialists. Workforce members must be properly trained and must comply with the organization's policies and procedures and with federal law and regulations. Consultants and specialists can be useful in recognizing gaps that in-house workforce members may not see and in coming up with solutions that are effective and efficient.
Carol Scott, Esq., is of counsel to the firm of Fenton Nelson LLP, a Los Angeles law firm that specializes in healthcare law and compliance. Ms. Scott is an expert in HIPAA and HITECH compliance and confidentiality of medical information and advises healthcare providers on all aspects of health care regulation and law. For more information, contact cscott@fentonnelson.com or call (310) 444-5244.
Mike Humason is director of healthcare solutions at Micro Solutions (www.micro-sol.com), an IT consulting and infrastructure provider with a specialized focus in healthcare, including expertise in EHR systems, privacy and security matters (HIPAA and HITECH compliance), IT infrastructure, archival, encryption and disaster recovery. A highly expert team is available to conduct a wide range of audits, including for HIPAA/HITECH compliance, IT security, PCI, DEA and others, and to provide assistance in remediation efforts. For more information, contact healthcare@micro-sol.com or call (805) 375-5650.
Footnotes:
[1] The Health Information Technology for Economic and Clinical Health Act provides HHS with the authority to establish programs to improve healthcare quality, safety and efficiency through the promotion of health information technology, including electronic health records and private and secure electronic health information exchange.
Under HITECH, eligible health care professionals and hospitals can qualify for Medicare and Medicaid incentive payments when they adopt certified EHR technology and use it to achieve specified objectives.
[2] 42 U.S.C. § 1320d-5.
[3] 31 U.S.C. §§ 3729 – 3733.