By: Valery Bond
Access controls, audit controls, integrity controls, and transmission methods of ePHI are protected through the HIPAA Security Rule and enforced by the HHS Office of Civil Rights (OCR). All health plans, providers and Business Associates are required to regularly check their security risks in relation to their administrative, physical and technical processes and systems. The Health IT component makes up a very large part, roughly one third, of an effective Security Risk Assessment (SRA). Vulnerabilities and threats to IT programs and systems are likely to be overlooked unless the consultant or staff member conducting the SRA has the expertise to properly assess the Health IT component. Similarly, simply confirming that an organization is utilizing Certified EHR is insufficient and doesn’t account for exposure due to inadequate hardware, software, technical safeguards, and other technology access to ePHI.
Originally, Certified EHR Technology became Federally required by the Office of the National Coordinator for Health Information Technology (ONC) in relation to CMS’ Meaningful Use program. Private companies certified that their EHR met requirements using test data supplied by their vendor(s). Hospitals and professionals submitted self-reported information, but CMS did not conduct prepayment reviews, and the Office of the Inspector General (OIG) found that the information reported from these ‘Certified EHR’ programs may in fact be inaccurate. Four recommendations were made by the OIG. On one of them, the ONC agreed that the certification process needs improvement for accurate reporting, should include testing requirements for certification of EHR technology, and should develop better test procedures to reduce reliance on vendor-supplied testing information, reports and data.
Now, with MIPS, the 2018 Performance Year requires participation in CEHRT (Certified EHR Technology), including submitting two attestations, “Prevention of Information Blocking Attestation” and “ONC Direct Review Attestation.” With 25% of the total MIPS score based on Promoting Interoperability, among the many other measures, Health IT has become a major component for correct and appropriate reimbursement. With a focus on improved flexibility and interoperability, and on measures to improve the electronic exchange of Private Health Information (PHI) between patients and their providers, CMS is to change the EHR Incentive Program to the Promoting Interoperability (PI) Program, formerly the Advancing Care Information (ACI).
Health IT analysis has become more important than ever and is clearly a major component of an effective Security Risk Assessment. Securing an organization’s ePHI promotes integrity, protects patients and is a legal requirement. Quality of care and patient trust can be compromised due to malicious criminal activity, a breach in systems, and a threat to a provider’s overall business. For confidence in documentation, clinical data registry reporting, e-prescribing, electronic case reporting and a host of all other electronic transmissions including email, the time is now for healthcare organizations to schedule and conduct a thorough Safety Risk Assessment encompassing all three components.