Healthcare Perspectives


Are you meeting the HITECH Act’s requirements?

Jul 25, 2019
By: Rick Ensenbach

The government doesn’t like being defrauded. A recent case illustrates how careful hospitals need to be when submitting claims under the HITECH Act.

If you’re a healthcare organization, you probably know that you can receive incentive payments for implementing and using an electronic health record (EHR) system. But the HITECH Act requires your organization to have a formal risk management program in place to evaluate new and existing threats on an ongoing basis. This includes conducting an annual security risk assessment.  

A Kansas hospital is settling with the government for $250,000 after two whistleblowers revealed that it was falsely claiming year after year to have conducted the annual security risk assessment. The hospital had received at least $3 million in HITECH payments even though it hadn’t actually met requirements.

What is sufficient security?

In this case, it’s tough to say hospital administration didn’t know any better. But there can be big differences in healthcare organizations over what leadership thinks is sufficient security and what the security officer thinks is sufficient.

This can be due to a variety of reasons. The primary reasons are a lack of understanding of the importance of security or the sense that the organization is not big enough to be a target of bad actors. Security often has to fight for prioritization with competing budgetary and business requirements. And security might not get high prioritization because it is viewed as an insurance policy for an event or breach that, in some people’s minds, will never happen.

Because of internal reporting challenges, this is where hospitals can leverage third-party oversight from their board of directors or board of trustees to ensure they are taking the right precautions and complying with regulations. 

Education can also be very effective. Hospital leadership often do not know the difference between various assessments and analyses. For example, agap analysis and a risk analysis are two very different things.A gap analysis simply determines where an organization is with regulatory compliance and where it needs to be. So performing a gap analysis is not enough to qualify under the HITECH Act.

There is also a difference between a risk assessment and a risk analysis

An assessment is the evaluation or identification of risk, whereas a risk analysis is the detailed examination and measurement of risk. A risk assessment comes first because it’s used to identify risks. Then you follow it up with the risk analysis to determine the probability of that risk occurring and its potential impact. This helps determine what your organization needs to do and how much resources and money are needed to mitigate the risk to an acceptable level.

In the Kansas hospital’s case, the lawsuit alleged that one of the whistleblowers — the former CIO — conducted basic security tests and discovered that the hospital shared the same firewall as other county municipalities. This meant that anyone could access the hospital’s private patient records by logging into the hospital’s website through its IP address at local schools and libraries, without having to input a username or password.

What can healthcare organizations learn from this case?

The time has come to accept the fact that data is as valuable as money, sometimes even more so. Your hospital’s resources — your people, processes and technology — are meant to protect your data from unintentional or intentional disclosure or manipulation that could lead to a breach and even impact patient safety. Your patients are relying on you to protect their confidential information, and your organization is relying on you to ensure its future longevity.

 Think of it this way: If your money is sitting in a bank vault with the door wide open, and no one is watching who walks in and out of the vault, would you do business with that bank?

We have a lot of resources for healthcare organizations when it comes to security. From determining who’s in charge of information security, to increasing cybersecurity in healthcare, to preventing employees from selling confidential data, to learning how to transmit patient health information, you can rely on the healthcare risk advisory professionals at Wipfli to provide you with the information you need to protect your organization. Learn more about our healthcare services.


Director, Risk Advisory Services
View Profile
Healthcare Perspectives blog
Subscribe to Healthcare Perspectives