Salud Family Health Centers, headquartered in Fort Lupton, Colo., is a federally qualified health center with clinics in nine towns and a mobile unit, with about 100 medical, behavioral health and dental providers. All clinics are medical homes and all eligible professionals have attested to Stage 1 for the electronic health records meaningful use program.
All of those meaningful users attested they’re compliant with the HIPAA privacy and security rules. That attestation could be put to the test if Salud is randomly selected to be audited for HIPAA compliance in a national program the Department of Health and Human Services’ Office for Civil Rights (OCR) is looking to launch by late this year, following a 2012 pilot program.
The audit program is sending a chill down the spine of health I.T. leaders. Data security and privacy have become such a complex undertaking that many know holes exist, but can’t pinpoint where they are in their expanding data infrastructures. And the feds have proven, most recently with the Recovery Audit Contractors (RAC) program, that they’re willing to use a take-no-prisoners approach, especially when there’s money on the line (through the end of 2011, the program had recouped Medicare payments of $3.1 billion).
Under the HIPAA compliance audit program, an organization that has attested and later is audited and found not to be in “good faith compliance” with HIPAA could face penalties, including giving back the meaningful use incentive money.
Salud CIO Randy Kuehntopp is making sure that won’t happen, and not surprisingly has the full support from the CFO, who “really likes the meaningful use money,” he notes. Since coming to the organization in March 2011, Kuehntopp has been working to boost HIPAA compliance.
All data at the health center is encrypted; a privacy/security consulting firm has conducted an audit; e-mails are scanned for protected health information; computer access is logged; network security gaps have been filled; and policies and regulations are being updated and expanded.
The organization also plans to buy online HIPAA training courses to augment staff education and document that employees are annually taking and passing the privacy and security courses.
Kuehntopp came to Salud from the Colorado Blues plan, which not only has to comply with HIPAA rules, but with the Sarbanes-Oxley financial law and its security requirements that “scared the hell out of the plan,” he recalls.
With HIPAA now strengthened by new regulations and being more stringently enforced with the audit program, as well as major fines OCR has levied against a dozen provider organizations in recent years, CIO Kuehntopp believes others who haven’t gotten religion about security are getting wiser. And with the fines, now capped at $1.5 million annually and newly applicable to individuals, becoming a source of revenue for OCR, “people are now thinking, ‘Well, maybe we’d better be careful,’” he says. “It’s not just the company at risk, individuals also are liable.”
Chinese Community Health Care Association in San Francisco also is beefing up its information protection. The independent practice association in 2012 contracted with a security consulting firm to conduct Web-based mock HIPAA audits covering 29 physician practices. With the practices using electronic records remotely hosted and encrypted by vendor NextGen Health Information Systems with no data residing on computers, the IPA is filling in security gaps and soon will contract with an attorney to tackle perplexing legal issues that could arise.
The organization, which attested to Stage 1 EHR meaningful use last year, would be doing this work even if audits were not on the horizon, because it simply is the right thing to do, asserts Jonathan Everett, director of information technology at the independent practice association of Chinese Community. And it doesn’t hurt that the IPA’s three other leaders are into information technology, he adds.
A random HIPAA audit is not anything to be afraid of, Everett says. “Plan for the worst and hope for the best. Be prepared for it to happen, just like the Joint Commission coming through. As long as you can show what you are doing and there is nothing malicious, everyone’s reasonable.”
The day-long Privacy & Security Workshop on March 3 during the HIMSS13 Conference in New Orleans was a wealth of good information on preparing for a HIPAA audit, with all presentations available at himssconference.org.
Here’s a nice tip from presenter Mary Brandt, vice president of health information management at Scott & White in Temple, Texas: “Set your policies at a reasonable level, not a high level, because you will fail. But an auditor will hold you to your higher level. Set your policies at ‘reasonable’ and then make sure your people comply.”
At the workshop, Mark Dill, director of information security at Cleveland Clinic, walked through how to make a Book of Evidence in two weeks that holds all the documentation needed for an audit (see story, page 28). “We have a very simple toolbox, there’s nothing to it,” he says. Dill primarily used Microsoft SharePoint for the project. Covered entities can use a variety of other tools, some already present in information systems, to secure data and track and document compliance with HIPAA requirements.
What OCR wants
The HHS Office for Civil Rights, now reviewing the results of its pilot HIPAA compliance audit program, is planning not only a more streamlined audit process but an expanded pool of organizations audited in the permanent program as well, says OCR Director Leon Rodriguez.
The agency in the coming months will complete its assessment of the pilot, announce findings and put together the permanent program, with the hope of starting in fiscal year 2014, which begins on Oct. 1, 2013. Rodriguez says that the scope of the program is not final.
Consulting firm KPMG conducted the pilot audits and assessed compliance with 169 requirements under the HIPAA privacy, security and breach notification rules. Now, OCR is learning which gaps in protecting health information cause the most breaches. “We want to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk,” Rodriguez says. “We want to be focused on the things that really matter in terms of compromising patient confidentiality.”