The 15th Core Objective for Eligible Providers and the 14th Core Objective for Eligible Hospitals clearly require HIPAA Privacy and Security compliance, with the specific measure defined as:
"Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP, eligible hospital or CAHs risk management process."
Attesting without having done both the security risk analysis and the requisite updates and corrections is Medicare fraud! Anecdotal reviews show that many providers have attested without sufficiently completing this step.
Unfortunately, conducting a Security Risk Analysis is not easy; it cannot be done by a checklist alone (although there are many good checklists and guides, including ones provided by CO-REC, the Statewide Regional Extension Center that we work with).
The steps require extensive internal analysis and review of policies and procedures, as well as a review of physical, technical and administrative HIPAA Security controls. The HIPAA Security Rule has 42 items (Standards or Implementation Specifications) that need to be addressed as part of the risk analysis process.
And once the analysis is done, you need to identify deficiencies and determine which ones must be corrected prior to attestation.
The Centers for Medicare & Medicaid Services (CMS) will be auditing providers and hospitals after attestation. We encourage everyone reading this blog to consider your liability if you have not completed this key requirement.
The Colorado Rural Health Center is offering an affordable risk analysis service to its members in conjunction with PrivaPlan Associates, Inc. This service is unique in its understanding of and experience with small and solo medical practices, rural providers, community-funded safety net providers and small-community hospitals.
For more information on these services, click here.