Providers participating in the Medicare and Medicaid Electronic Health Record ("EHR") incentive programs should be mindful that failure to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") may not only pose a risk of penalties and related expenses under HIPAA, but may also endanger "meaningful use" incentive payments.
Many providers are familiar with the HIPAA "Security Rule," but may not be as familiar with the requirement that covered entities, including health care providers, conduct a detailed risk analysis to evaluate potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information that they hold. Compliance with this risk analysis or risk assessment requirement, which has been in place since 2005, is essential to developing appropriate safeguards and complying with HIPAA.
What might be even more surprising to providers is that failure to conduct a HIPAA risk assessment may also endanger EHR meaningful use funds. When providers attest that they have achieved meaningful use, they attest that, among other things, they have conducted a HIPAA risk analysis (see, e.g., Measure #13 of the Stage 1 Meaningful Use Core Measures). If providers have not conducted a risk analysis, their meaningful use incentive payments are at risk. Both pre- and post-payment meaningful use audits are ongoing, and some commentators have suggested that such audits are occurring with greater frequency. Thus, providers that have not conducted HIPAA risk analyses face potential loss or recoupment of incentive payments.
False attestation also raises the potential for liability under the False Claims Act and/or state laws related to health care fraud. Furthermore, providers risk attracting scrutiny from the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services, the federal enforcer of HIPAA requirements. OCR has recently provided details of its "Phase 2" HIPAA compliance auditing program. This program will include audits of at least 100 health care providers focused primarily on Security Rule compliance, including risk analyses and risk management. As a result, failure to complete a risk analysis creates risk on multiple fronts. Health care providers should be mindful of the risk analysis requirement and take steps to comply with it if they have not already done so.