Since President Obama signed the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in February 2009, the relationship between and influence of the Act on HIPAA (Health Information Portability and Accountability) has drawn physician and practice manager attention to effective risk assessment.
American Health Lawyers Association Recommendation
This group recommends that practice professionals approach risk assessment regarding HIPAA and HITEC as a component of an Enterprise Risk Management (ERM) program. ERM, used by public and private corporations around the globe, is an ongoing decision-making program. In the healthcare industry, the board of directors or executive administrators typically design, install and use their plan to assess and reduce risk of all areas of patient care, compliance and to maximize the return on investment.
The Association reminds executives and administrators that Section 6401 of the Affordable Care Act requires that medical providers establish a compliance program as a condition of enrollment in the coming affordable healthcare legislation.
Risk Assessment Parameters
The core fundamentals of risk assessment programs, common to most businesses, regardless of industry, are familiar to many veteran executives. Components include the following items.
- Written policy and procedure manuals.
- Designating a Compliance Officer and/or Compliance Committee.
- Providing staff with thorough training and education.
- Disciplinary standards that are clearly defined.
- A workable monitoring and auditing program.
- Written response plan to mitigate losses.
Your risk assessment and compliance program should be as specific as you can make it. While it is impossible to address every possible eventuality, noting every potential risk you can identify in your policy and procedure manuals helps your staff manage their daily responsibilities more efficiently—with less risk.
Have the Compliance Officer or Committee monitor staff to be sure they follow the procedures your program mandates. Spend the time to write a plan to respond to increased risks your Compliance Officer discovers. This encourages fast action by your Compliance Officer or Committee to lower losses and quickly solve perceived risk issues.
The CMS (Centers for Medicare & Medicaid Services) Manual outlines the risk assessment compliance program guidelines, which emphasize the following issues.
- Prevention, detection and correction of non-compliance conditions.
- Identifying and reducing fraud, abuse and waste.
Evaluating Risk Involving HIPAA and the HITECH Act
Compliance program guidelines specify three assessments providers should conduct. These actions also fit ERM parameters and guidelines, along with being specified by the Code of Federal Regulations (C.F.R.).
- Security Evaluation. This is required under the Security Rule section and applies to providers, business associates or partners and subcontractors alike. All must “perform periodic technical and nontechnical evaluations . . .” when responding to environmental or operational changes affecting the security of electronic health information protected by law.
- Risk Assessment of Specific Items. This is required under Security Rule stated at 45 C.F.R. (Code of Federal Regulations), section 164.308(a)(a)(ii)(A). Highly technical, this requirement should be performed per NIST SP800-30, Revision 1 Guide for Conducting Risk Assessments.
- Risk of Harm Assessment. A requirement of the Breach Notification Rules, the practice must address “the implications and notification requirements” that are part of its ERM program.
The bottom line is that physicians must complete these three assessments and design an overall ERM plan that addresses as many risk issues as they can identify for their specific practices. It is vital that all medical providers create an organizational risk assessment program that encourages long-term compliance with HIPAA, the HITECH Act and all other regulations that apply.
Designing an ERM plan, as described, makes assessing potential practice risk of and avoiding HIPAA, HITECH Act and other regulation violations become normal operating procedure instead of compliance or loss practice crises.
Image courtesy of www.nysscpa.org