Is Your Meaningful Use Risk Analysis Complete?
By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
EHR System – The Tip of the Iceberg
Many times during a Meaningful Use Risk Analysis someone tells us that all of their electronic Protected Health Information (ePHI) is in their EHR system. In over 10 years we have never found this to be true, no matter how insistent the person is. They aren’t lying, because they truly believe what they are saying, but they aren’t telling the truth, and we prove it every time.
What is ePHI?
Protected data comes in many forms, and lives in a lot of out-of-the-way places easily missed in a Meaningful Use Risk Analysis. Any electronic file that contains a patient identifier, plus anything related to the patient’s past, current, or future medical treatment, diagnosis, or payment, is protected. The information can be in text, an image, or a voice file.
Where ePHI Hides
Common examples of ePHI missed in the Meaningful Use Risk Analysis include scanned images and faxes stored in computers, digital phone systems, and copier hard drives. You didn’t know your copier had a hard drive? Many do, and a NY health plan paid a $1.2 million HIPAA fine after copiers it returned at the end of a lease were found to still contain images of copied and scanned patient records. Photographs on SD cards and laptops, ultrasounds, CT scans, MRIs, and dental x-rays are all protected files and need to be secured, backed up, and retained.
Voice files can also contain protected information but are not mentioned in a Meaningful Use Risk Analysis. A patient’s message on a digital phone system, or on an answering system that forwards callers to e-mail or cell phones, is probably protected. If the message identifies the patient and asks about a diagnosis or treatment, including something as simple as a prescription refill, the message is as protected as any data in an EHR system. Voice files can also lurk in the shadows on dictation systems and portable recorders.
Old Data is Just as Protected as Current Data
A Meaningful Use Risk Analysis often misses older EHR systems that came with a practice bought up by a larger organization, or that were left behind when the practice replaced its original EHR system. An older system sitting in the corner and used only occasionally to access patient records needs to be managed as if it were the active EHR system. The user list must be kept current, the data needs to be secured and backed up, and access logs must be retained.
Structured and Unstructured Data
Most people only think about the ePHI in their structured EHR system, which has fields for data entry. Their Meaningful Use Risk Analysis ignores their unstructured data, which often takes the form of documents such as insurance appeals and letters to employers; e-mails and attachments; and spreadsheets and other reports containing ePHI.
Data in Far Away Places
Today’s technology makes it easy to store data in remote locations. Online backup providers, cloud-based systems, and online tools that synchronize and share files can all contain ePHI and are often missed in a Meaningful Use Risk Analysis. Don’t forget what is stored on the computers at your answering service or on hard drives belonging to your IT provider.
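The sections above list the places ePHI hides outside the EHR: copier and fax scans, voice files, photos on SD cards, and unstructured documents and spreadsheets. The script below is an added example, not code from the original article or from 4Medapproved, of how a practice or its IT provider might start an ePHI inventory of a file share or workstation before the risk analysis. The classification rules are assumptions: media formats (images, scans, audio) cannot be text-searched, so they are flagged for manual review, while text formats are flagged only when they contain both a patient identifier and a treatment, diagnosis, or payment term, mirroring the article’s definition of ePHI. The sample directory tree is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical classification rules (assumptions, not from the article).
# Image/scan and voice formats hold ePHI that cannot be text-scanned, so any
# such file is flagged for manual review rather than silently ignored.
MEDIA_CATEGORIES = {
    "scanned image/fax": {".pdf", ".tif", ".tiff", ".jpg", ".jpeg", ".png", ".dcm"},
    "voice file": {".wav", ".mp3", ".amr", ".wma"},
}
# Text formats that are searched for identifier + health-term combinations.
TEXT_EXTENSIONS = {".txt", ".csv", ".eml", ".rtf", ".html", ".xml", ".json"}

# Patient identifiers: a medical record number, a date of birth, or an SSN-shaped number.
IDENTIFIER_RE = re.compile(
    r"\bMRN[:#\s]*\d{5,}\b|\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{3}-\d{2}-\d{4}\b",
    re.IGNORECASE,
)
# Terms tied to past, current, or future treatment, diagnosis, or payment.
HEALTH_TERM_RE = re.compile(
    r"\b(diagnos\w*|treatment|prescription|refill|x-ray|mri|ct scan|claim|copay|"
    r"insurance|appeal|ultrasound)\b",
    re.IGNORECASE,
)


def classify(path: Path) -> Optional[dict]:
    """Return a finding for one file, or None if nothing suggests ePHI."""
    ext = path.suffix.lower()
    for category, exts in MEDIA_CATEGORIES.items():
        if ext in exts:
            return {"path": str(path), "category": category,
                    "reason": "media file cannot be text-scanned; manual review required"}
    if ext in TEXT_EXTENSIONS:
        text = path.read_text(errors="replace")
        if IDENTIFIER_RE.search(text) and HEALTH_TERM_RE.search(text):
            return {"path": str(path), "category": "unstructured document",
                    "reason": "patient identifier plus treatment/diagnosis/payment term"}
    return None


def inventory(root: str) -> list:
    """Walk every file under root and collect the ePHI findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            finding = classify(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics the hiding places the article lists."""
    root = tempfile.mkdtemp(prefix="ephi_demo_")
    files = {  # constructed sample content, not real patient data
        "copier/scan_0412.pdf": b"%PDF-1.4 constructed scanned fax bytes",
        "phone_system/voicemail_0923.wav": b"RIFF constructed voicemail bytes",
        "sd_card/DSC_0001.jpg": b"\xff\xd8\xff constructed photo bytes",
        "billing/appeals.csv": "name,MRN,note\nJane Doe,MRN 0048213,insurance appeal for MRI denial\n",
        "letters/employer_letter.txt": "To whom it may concern: DOB 04/12/1978, cleared to return after treatment.\n",
        "mail/newsletter.eml": "Subject: Staff picnic\nBring a dish to share on Friday.\n",
        "reports/inventory.csv": "item,count\ngloves,400\n",
    }
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            p.write_bytes(content)
        else:
            p.write_text(content)
    return root


if __name__ == "__main__":
    for f in inventory(build_sample_tree()):
        print(f"{f['category']:22} {f['path']}\n    {f['reason']}")
```

Against the constructed tree the scan, the voicemail, the SD-card photo, the appeals spreadsheet, and the employer letter are flagged, while the picnic e-mail and the supply count are not. The point is the same one the article makes: a scan of a file share turns up ePHI in five places, none of which is the EHR, and the media files can only be resolved by someone opening them.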
Meaningful Use Risk Analysis Goes Beyond Your EHR System
The Electronic Health Records Incentive Program requires your Meaningful Use Risk Analysis to “Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”
All of this data is protected, and must be retained for at least six years to comply with federal and state regulations. This is harder to do for data scattered across these devices than for an EHR system, because EHR systems are built for compliance from the ground up.
Do It Yourself?
You need to find all of the ePHI on each of your devices, consolidate it so it is better secured and backed up, and create a risk management plan to reduce the impact of threats. Can most medical practices do this themselves? Probably not, unless you understand IT security tools and the regulations protecting ePHI. As the government says in its guidance about the Meaningful Use Risk Analysis, “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”
Time in this year’s reporting period is rapidly running out. Contact 4Medapproved today to get a professional Meaningful Use Risk Analysis that will stand up to a compliance review. We don’t want to help you just get your money. We want to help you keep your money if you are audited.
This article was originally published on 4Medapproved and is republished here with permission.