MU and Data Breaches Here, There, Everywhere

It seems like every other week the next big data breach happens, compromising the personal information of hundreds of thousands (if not millions) of Americans. It’s not just banks, insurance companies, federal agencies or retail stores that have been compromised. Data breaches across all industries and continents are rampant. But in healthcare, particularly, data breaches and unauthorized disclosures of protected health information (PHI) are making headlines, making HIPAA compliance more critical than ever.

A breach can occur in many ways: an outside attacker, a lost or stolen laptop, or a family member snooping through patient records to see what health issues a relative might have been treated for. Many providers, especially those in smaller practices, are challenged with adhering to increased regulatory requirements while focusing on high quality patient care, not to mention their bottom line. And for a variety of reasons, providers may be unaware of their data security obligations and of the risks that PHI breaches pose to their patients and their practice.

Understanding the MU SRA Requirement

Under Meaningful Use (MU) and HIPAA, providers are required to perform and document a comprehensive Security Risk Analysis (SRA), and to repeat or update it annually. Compliance with the HIPAA Security Rule is central to securing electronic protected health information (ePHI). The rule requires that any ePHI created, received, maintained or transmitted by a “Covered Entity” or “Business Associate” be protected against reasonably anticipated threats and hazards and against impermissible uses and disclosures. To receive MU dollars, a provider must “check the box” and attest to having completed a comprehensive SRA. Failure to do so results in forfeiture of incentive payments. On top of that, HIPAA audits compound the financial risk to the practice many times over.

What MU penalties?

Many healthcare providers are unclear on SRA requirements and even unaware that failure to complete an SRA could result in an MU audit failure. That means giving MU money back and facing subsequent MU payment adjustments, not to mention the risk of additional audits and fines. HIPAA One®, a leading provider of HIPAA SRA software and a new NextGen Healthcare partner, enables practices to streamline compliance and easily produce a comprehensive SRA. Conducting its due diligence, HIPAA One called more than 4,000 providers nationwide to determine whether they had conducted an SRA. Surprisingly, we found that more than 50% had not started or completed an SRA, even though they were participating in MU. Some hoped to fly under the “random audit” radar; many had not considered the possibility of a breach or its consequences. Let’s face it, MU compliance hasn’t exactly been a cake walk. After such an enormous investment of time, effort and resources, failing an MU audit is hardly worth the risk.

HIPAA Penalties―the bite is as bad as the bark

In addition to the MU requirement, the recent HIPAA Omnibus Rule increased the penalties that follow a breach. Medical practices that fail to adhere to the HIPAA Security Rule and suffer an ePHI-related security breach as a result can be subject to significant regulatory fines, litigation, breach notification costs, unfavorable media attention and a damaged reputation.

More Audits. Really? Yes Really.

They mean business. Recently, the HHS Office for Civil Rights (OCR) announced its intent to establish a permanent audit program and tighten enforcement. This translates into more audits, and it means additional risk to healthcare providers who don’t meet their SRA obligations under MU and HIPAA.

A Simplified SRA Solution

NextGen Healthcare, in partnership with HIPAA One, is offering a comprehensive SRA solution that meets MU and HIPAA requirements while helping clients protect patient health information and mitigate risk to their organizations. The cloud-based HIPAA One tool uses role-based interviews that walk practices through the SRA process step by step. Based on the specific needs of your practice, you can receive basic HIPAA One training or more comprehensive SRA services, such as training and education to help you build a complete HIPAA compliance program and reduce the risk to your practice and patients.

For more information about the NextGen Healthcare SRA solution, please contact your NextGen Healthcare representative.