NOTICE: This was developed based on documentation from the AMA and HHS websites. This is not legal advice.
The purpose of this guide is to provide you a high-level overview of the HIPAA requirements of MIPS, and an attempt to simplify a very complex concept. MIPS requires a HIPAA Security Risk Assessment (SRA) to be performed annually, the same requirement that HIPAA itself imposes. Therefore, even if you were to forego the MIPS incentives and not participate, you are still expected to complete an SRA. To get a better understanding of what an SRA is, let's look at the HIPAA rules as a whole.
Who Must Comply? Any physicians who conduct EDI transactions. These are simply electronic claims to insurers and all related messaging (e.g. 837 and 835 files, or Claim / RA).
There are 3 Components to HIPAA:
- Privacy Rule
- Security Rule
- Breach Notification Rules
The Privacy Rule: Restricts the use of PHI for Covered Entities (CEs) and Business Associates (BAs). If you submit electronic claims or check eligibility electronically, you are required to comply with the Privacy Rule, even if you don't have an EHR.
- PHI is protected health information, which is individually identifiable information held or transmitted, on any medium.
- The Privacy Rule also extends patients' rights to access their PHI, restrict disclosures, request amendments or an accounting of disclosures, and to complain without retaliation.
The Security Rule: Requires covered practices to implement “administrative, technical, and physical safeguards” to ensure confidentiality, integrity, and availability of electronic PHI, also known as ePHI.
- ePHI is the same as PHI, but restricted to electronic formats, so paper or oral communications are not included.
- Requires periodic technical and non-technical evaluations.
- Must be updated when significant events happen, such as implementation of EHR/change of EHR, new BAs, new administrative personnel, or changes in government policy (e.g. The HIPAA Omnibus Rule of 2013).
The Breach Notification Rule: Requires covered physician practices to notify affected patients, HHS, and in some cases the media, when they discover a breach of a patient's unsecured PHI.
Simple Steps Toward Compliance:
- Designate a compliance official: They are responsible for HIPAA compliance including the privacy, security, and breach notification requirements.
- Review your current policies and procedures: Do they reflect your current practice, and current law?
- Evaluate how you handle patient requests: Is there a documented policy in place for: medical records access, disclosure restriction requests, amendment requests, accounting of disclosure requests, communication preference requests?
- Do you have a Notice of Privacy Practices? Do you provide it to patients, is it posted conspicuously in your office, and is it available on your website?
- Do you require training of your staff to comply with HIPAA policies and procedures?
- Do you have the appropriate administrative, technical, and physical safeguards, and do they cover all requirements of the Security Rule?
- Do you have a sanctions policy? Is it enforced and documented?
- Do you have BA Agreements with all vendors who have access to PHI?
- Is there a process in place to handle patient/staff complaints, are they taken seriously, and has there ever been retaliation for these complaints?
- Has all ePHI been encrypted at rest? If a breach were to occur, do you have policies on discovering and reporting the breach and mitigating the harm?
How HIPAA Rules Play Into MIPS
Now that you have a better understanding of the HIPAA Rules, let's talk about the Security Rule in particular, as that is the source of the MIPS Requirement.
Within the Security Rule, standards fall into one of two categories:
- Required: mandatory.
- Addressable: not optional. If the standard is inappropriate for your practice, you must instead adopt an alternate means of achieving the same end, or forego the standard altogether, and document the reason. Cost alone does not justify declining a standard.
In order to review these requirements, an SRA must be performed periodically. The high-level process of an SRA includes:
- Identify all places where PHI is stored electronically; these are your assets (think servers, workstations, imaging devices, cell phones, copiers, etc.).
- Assess the safeguards used on these assets, and identify vulnerabilities, or ways for PHI on these assets to be used inappropriately (violating your NPP and thus violating HIPAA).
- Safeguards fall into 3 categories:
  - Administrative: workforce training and contingency planning.
  - Physical: access both to physical structures and their electronic equipment.
  - Technical: the software, logins and access, auditing, backups, encryption of data at rest and in motion.
- Review each required standard across each category, and put a policy in place for each. For the addressable concerns, determine if it is appropriate or not, and document why.
- Retain documentation that each standard, both required and addressable, was:
  - Reviewed and determined whether it was a risk.
  - Has a policy in place, and where that policy can be found.
  - If it doesn't have a policy in place, who is responsible and when it will be put in place.
  - If addressable, whether or not it is inappropriate and what will be done in its place.
- Retain this documentation for 6 years.
How will the government find out if I didn't do an SRA?
- A random (or non-random) audit of your MIPS submission
- A random (or non-random) audit of your past MU submissions
- A random audit of your entire HIPAA policies, under The HIPAA Audit Program
- A targeted compliance review due to a complaint or breach
The HIPAA Audit Program started in 2001, was revised in 2016, and is managed by OCR. HHS must audit CEs and BAs using a defined comprehensive audit protocol. To really ensure that you can answer all of these questions, reviewing the protocol is the most comprehensive way to ensure that you are fully covered, but it can be a daunting task.
- All CEs and BAs are subject to audit.
- If you receive a questionnaire, you must fill it out and return it to OCR. If you fail to return it, OCR will use publicly available information to complete the questionnaire and you will still be eligible for the audit.
- Audits will either be “desk audits” or onsite. You will receive an e-mail stating a request for documents, and you are given 10 days to comply with the audit and provide the documentation that is requested.
- An audit doesn't carry penalties; it is more of an informational program to determine what your issues are and help you identify them. However, if serious compliance issues or breaches are found, they will be investigated, which could lead to significant penalties.
Beware of Significant Penalties
Penalties are assessed at HHS's discretion based on an audit. These penalties include (maximums are annual):
- Not knowingly violating HIPAA: $100 - $50,000 per violation, up to $1.5 MM ($0 if cured within 30 days).
- Knew, or with reasonable diligence would have known, of the violation, but without willful neglect: $1,000 - $50,000 per violation, up to $1.5 MM ($0 if cured within 30 days).
- Willful neglect, but cured within 30 days: $10,000 - $50,000 per violation, up to $1.5 MM.
- Willful neglect, and not cured within 30 days: $50,000 per violation, up to $1.5 MM.
Criminal Penalties (administered by DOJ): these can be brought against a practice, an individual provider, or the officers of the organization. Other employees could receive similar penalties for “aiding and abetting”.
- Knowingly obtaining or disclosing information: up to $50,000 and 1 year in prison.
- If committed under false pretenses: up to $100,000 and 5 years in prison.
- Intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm: up to $250,000 and 10 years in prison.
Other Penalties and Information:
- Exclusion from Medicare
- Individuals cannot take legal action against a CE for a HIPAA violation based on HIPAA law (state laws may make this available)
Next Steps: What to Do to Comply for the Purposes of MIPS:
- Obtain a security document from your EHR to prepare for the SRA
- Gather your HR, Operations, and IT staff to review the questions in the SRA
- Perform an SRA, in one of many ways:
  - Review your current SRA and update it to meet the latest requirements
  - Hire your IT company to perform the SRA on your behalf (MarsdenAdvisors can recommend one to you)
  - Use a free public tool like the ONC Security Risk Assessment Tool
  - Use a free tool created by a MarsdenAdvisors partner, like the OfficeSafe SRA Tool
- Make sure that the SRA or other documents:
  - Address data encryption
  - Document the implementation of security updates and the correction of the identified security deficiencies
To Fully Comply with HIPAA:
- An SRA is a critical step to HIPAA compliance, but it only covers the Security Rule. Use this as an opportunity to ensure that you are fully implementing the latest HIPAA and state requirements for the Privacy and Breach Notification Rules as well:
  - Take a course on HIPAA, like this free one from AMA/HIMSS (takes less than 30 minutes)
  - Set up recurring SRA checks and make sure you are following through on assigned activities
  - Implement or update your policies for the other parts of the rules, such as the Privacy Rule and the Breach Notification Rule
  - Document everything
- Consider bringing in professional help: There are companies and consultants that specialize in complete HIPAA coverage. MarsdenAdvisors has partnered with OfficeSafe, which is the same product that we use as a Business Associate to ensure that your and your patients' data is protected. OfficeSafe will assist with all 3 parts of HIPAA, and also includes a $250,000 policy in coverage for breaches and penalties. Pricing varies by size of practice; take their free Risk Assessment to get started: OfficeSafe SRA Tool