The Health Insurance Portability and Accountability Act (HIPAA) is the gold standard by which doctors, nurses, and healthcare institutions grade their privacy and security posture. It gives a list of “must do” security items. These are listed below. Partner in Regulatory Compliance (PIRC) has consultative services available for all of these needs required under the HIPAA Security Rule.
|Service||Required Within HIPAA Section||HIPAA Security Rule Language|
|Risk assessment||164.308(a)(1)(ii)(A)||Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.|
|External penetration testing||164.308(a)(1)(ii)(A)||Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.|
|Internal/external vulnerability assessment||164.308(a)(1)(ii)(B)||Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.|
|Security training||164.308(a)(5)(i)||Implement a security awareness and training program for all members of its workforce (including management).|
|Incident response plan||164.308(a)(6)(i)||Implement policies and procedures to address security incidents.|
|Acceptable Use Policy including Sanction Clause||164.308(a)(4)(ii)(B) & 164.308(a)(1)(ii)(C)||Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.|
In 1956, New York Welfare Commissioner Henry L. McCarthy said, “You have to spend money to save money.” This is true with MACRA. MACRA stands for Medicare Access and CHIP Reauthorization Act. It was signed by Barack Obama in 2015. It combined a few different Medicare programs into one called the Merit-based Incentive Payment System (MIPS).
MIPS is a federal program that allows the following group of Eligible Professionals (EPs) to get Medicare/Medicaid “payment bonuses” (and also penalties) based on quality, resource use, clinical practice improvements, and using certain certified electronic health record technology.
- Physician Assistants
- Certified Registered Nurse Anesthetists
- Nurse Practitioners
- Clinical Nurse Specialists
- Groups that include such professionals
To be eligible for these financial incentives, EPs must have a security risk assessment performed. PIRC has a long history of helping medical professionals find and reduce risk and therefore be in alignment with MIPS.
While Covered Entities always had to do risk assessments under the HIPAA Security Rule, there is now a financial incentive to avoid Medicaid / Medicare payment penalties. If you don’t have a security risk assessment performed, you will receive lower Medicare / Medicaid reimbursements, which directly affects your bottom-line growth.
The MIPS Performance Year begins on January 1 and ends on December 31 each year. Program participants must report data collected during one calendar year by March 31 of the following calendar year. For example, program participants who collected data in 2017 must report their data by March 31, 2018 to be eligible for a payment increase and to avoid a payment reduction in 2019.