10 HIPAA Myths Busted by ONC

The Office of the National Coordinator for Health Information Technology (ONC) has many roles, but one of the most important is advising healthcare organizations on how data privacy and security legislation applies to them and on the best practices they should adopt to comply with regulations and keep patient and other sensitive data secure.

At the HIMSS Privacy and Security Forum last month, Chief Privacy Officer of the ONC, Joy Pritts, spoke about the efforts the ONC has made to help healthcare organizations achieve compliance and how it has adapted its materials to make compliance easier. Pritts said, “We were drafting materials that were meant for IT professionals and learned within a year that the content was too technical. We realized that we had to draft materials in plain language that could be distributed in small offices.”

The feedback the ONC has gained over recent months suggests that many smaller healthcare organizations are struggling with HIPAA compliance. The problem has been compounded by the number of myths and incorrect assumptions circulating within the healthcare industry. There is some confusion about the new regulations laid down in the HIPAA Omnibus Rule and, in an effort to tackle this, the ONC has recently published the Top 10 Myths of Security Risk Analysis to help separate fact from fiction. The ONC hopes that the clarification will help smaller healthcare organizations comply with current legislation.

Top 10 Myths of Security Risk Analysis

  1. Smaller providers are not required to perform a security risk analysis

All HIPAA-covered entities are required to conduct a comprehensive security risk analysis. No organization is exempt. It is also a requirement before any EHR incentive payments can be issued.

  2. A certified EHR fulfils Meaningful Use security risk analysis requirements

A comprehensive security risk analysis must still be conducted even with a certified EHR. This is a requirement for any ePHI that is maintained, not just the data that the EHR contains.

  3. EHR vendors take care of all data privacy and security requirements

It is the responsibility of the HIPAA-covered entity to ensure that any EHR vendor is fully compliant with the HIPAA Privacy and Security Rules. A vendor may provide information about its EHR products and give full assistance, but the security risk analysis itself must be conducted by the covered entity.

  4. A security risk analysis must be conducted by an outside agency

Small healthcare organizations are not obliged to outsource a security risk analysis, and a number of self-help tools are available that allow organizations to complete it internally. However, while outsourcing is not mandatory, conducting a security risk analysis properly requires expert knowledge. Failures in the analysis are likely to be unearthed in an OCR compliance review, and external professional help can be invaluable in preventing violations.

  5. A checklist is sufficient to comply with security risk analysis requirements

A security risk analysis checklist can be useful, but a checklist alone is insufficient as evidence that a comprehensive security risk analysis has been performed. Without further documentation showing that a systematic security risk analysis has been conducted, an organization will not be fully compliant with the Privacy and Security Rules.

  6. A strict method must be followed when performing a security risk analysis

Healthcare organizations are given some flexibility in how the Privacy and Security Rules are implemented, and the Office for Civil Rights (OCR) provides Guidance on Risk Analysis Requirements of the Security Rule via its website. There is no single solution for all entities covered by HIPAA, and each should use the safeguards most appropriate to it to ensure electronic health records are protected.

  7. Security risk analyses are only required to look at electronic health records

Electronic health records must be assessed, but it is important to assess the entire IT infrastructure, as many software programs, apps, devices and hardware components may come into contact with EHR data. Some devices, digital photocopiers for example, even store records and must therefore be included in the analysis, as must any remote access.

  8. Once a risk analysis has been conducted an organization is compliant

A risk analysis is not a one-time procedure that ensures compliance with HIPAA regulations. Compliance requires an ongoing review of policies and procedures, which must be updated frequently to keep pace with changes to legislation and with new security risks and threats.

  9. Before attesting for an EHR incentive program all risks must be fully mitigated

The EHR incentive program does not demand that all risks be mitigated, only that, as part of the risk management process, any deficiencies are corrected during the reporting period.

  10. A security risk analysis must be conducted in full, every year

A full security risk analysis is not required every year, although one should be conducted when an EHR is adopted and whenever there is a change to the IT infrastructure or electronic systems. Reviews are required as part of the Meaningful Use programs, and these need to be conducted for each reporting period. The reporting period for EPs (eligible professionals) is either 90 days or a full calendar year, depending on when the program was joined.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.