The New Trend in Healthcare IT
802-448-2255 or info@ehr20.com

Risk Analysis for Meaningful Use

Any provider attesting to receive an EHR incentive payment under the Medicare/Medicaid program needs to complete a risk analysis and may be subject to an audit.

Benefits

The primary goal of the security risk analysis for meaningful use is to identify the key technical vulnerabilities in the electronic Protected Health Information (ePHI) and EHR systems environment. EHR 2.0's risk analysis service ensures that you identify the key technical risks in these areas and develop a program to mitigate the risks identified. Attestation of the risk analysis is required every year to receive Centers for Medicare & Medicaid Services (CMS) incentive payments.

Why now?

The final rule for ARRA/HITECH Meaningful Use (MU) incentives, stage 1 and stage 2, requires eligible professionals, eligible hospitals, and critical access hospitals to conduct or review a security risk analysis per 45 CFR 164.308(a)(1), implement updates as necessary, and correct identified security deficiencies as part of their core objective measures.

Our consulting team at EHR 2.0 takes a systematic approach to meeting this requirement. Our decades of experience conducting technical risk analyses, drawing guidance from authoritative sources, and our best-practice online toolkit platform help you not only meet the core objective requirements but also secure your practice. Risk analysis is also the first step in a healthcare practice's HIPAA Security Rule compliance efforts. It is an ongoing process that gives the practice a detailed understanding of the risks to the confidentiality, integrity, and availability of ePHI. The key questions asked during a risk analysis are:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Our approach:

  1. Defining the scope of the risk analysis
  2. Inventorying ePHI systems
  3. Identifying and documenting potential threats and vulnerabilities
  4. Assessing current security measures
  5. Determining the likelihood of threat occurrence
  6. Determining the level of risk
  7. Prioritizing implementation
  8. Documenting our findings and the risk management program
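Steps 2 through 7 above are easier to picture with a worked risk register. The following is an added example written for this page, not EHR 2.0's toolkit or any CMS/OCR artifact. The 1-3 likelihood and impact scale, the rule that each mitigating control already in place lowers likelihood by one step, the acceptance threshold, and the small practice inventory are all assumptions constructed for illustration.

```python
"""Toy ePHI risk register: inventory -> threats -> scoring -> prioritized plan.

Added example for illustration only (not EHR 2.0's toolkit code).
Assumptions: qualitative 1-3 scales, risk = likelihood x impact,
each mitigating control present lowers likelihood by one step (floor 1),
residual risk below ACCEPT_BELOW is accepted and documented rather than
put on the action plan.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
ACCEPT_BELOW = 3  # assumed acceptance threshold on residual risk


@dataclass
class Asset:                 # step 2: one row of the ePHI inventory
    name: str
    holds_ephi: bool
    controls: set = field(default_factory=set)   # step 4: measures in place


@dataclass
class Threat:                # step 3: a threat/vulnerability pair on an asset
    asset: str
    description: str
    likelihood: str          # step 5, before controls are considered
    impact: str
    mitigating_controls: set  # controls expected to reduce likelihood


@dataclass
class RiskItem:              # step 6: scored register entry
    asset: str
    threat: str
    inherent: int
    residual: int
    missing_controls: frozenset


def residual_likelihood(threat: Threat, asset: Asset) -> tuple[int, frozenset]:
    """Lower the inherent likelihood by one step per mitigating control present."""
    present = threat.mitigating_controls & asset.controls
    missing = threat.mitigating_controls - asset.controls
    level = max(1, LIKELIHOOD[threat.likelihood] - len(present))
    return level, frozenset(missing)


def build_register(assets: list[Asset], threats: list[Threat]) -> list[RiskItem]:
    """Score every threat against an in-scope (ePHI-holding) asset."""
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        asset = by_name[t.asset]
        if not asset.holds_ephi:
            continue  # out of scope for this analysis
        inherent = LIKELIHOOD[t.likelihood] * IMPACT[t.impact]
        level, missing = residual_likelihood(t, asset)
        register.append(RiskItem(asset.name, t.description, inherent,
                                 level * IMPACT[t.impact], missing))
    return register


def prioritize(register: list[RiskItem], accept_below: int = ACCEPT_BELOW) -> list[RiskItem]:
    """Step 7: highest residual first; ties broken by inherent risk, then name."""
    ranked = sorted(register, key=lambda r: (-r.residual, -r.inherent, r.asset))
    return [r for r in ranked if r.residual >= accept_below]


# Constructed sample inventory and threats (not real findings).
ASSETS = [
    Asset("EHR database server", True, {"backups", "access logging", "encryption at rest"}),
    Asset("Practice manager's phone", True, set()),
    Asset("Front-desk copier", True, set()),
    Asset("Guest Wi-Fi router", False, set()),
]
THREATS = [
    Threat("Practice manager's phone", "Lost or stolen device exposes cached ePHI",
           "high", "high", {"device encryption", "remote wipe"}),
    Threat("EHR database server", "Ransomware encrypts the EHR database",
           "high", "high", {"backups", "patching", "endpoint protection"}),
    Threat("EHR database server", "Staff member views records without a need to know",
           "medium", "medium", {"access logging", "role-based access"}),
    Threat("Front-desk copier", "Leased copier returned with scanned charts on its disk",
           "medium", "high", {"disk wipe at disposal"}),
    Threat("Guest Wi-Fi router", "Default admin password", "high", "low", set()),
]

if __name__ == "__main__":
    for item in prioritize(build_register(ASSETS, THREATS)):
        print(f"{item.residual:>2}  {item.asset}: {item.threat}"
              f"  (add: {', '.join(sorted(item.missing_controls)) or 'none'})")
```

The output is the prioritized action plan: the unencrypted phone tops the list, the server's ransomware exposure ranks above the copier only because its inherent risk is higher, and the insider-access threat falls below the threshold because access logging is already in place, so it is recorded as an accepted risk rather than an action item. Whatever scale a practice adopts, the register, the scoring rule, and the acceptance threshold should all be written down, since that documentation is what an auditor asks for in step 8.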

Sample Meaningful Use Risk Assessment Template

Self Assessment RA Toolkit

  • ePHI Inventory Template
  • Risk Assessment Worksheet
  • Risk Prioritization Template

Risk Analysis Consulting Service

  • Security Risk Analysis Consulting
  • Prioritization and Mitigation of Risks
  • Successful MU Attestation

Explore our other services:

  • HIPAA/HITECH Compliance Assurance
  • OCR Audit Advisory Services
  • Business Associate Assurance
  • Education and Training
  • Encryption of Patient Data

Frequently Asked Questions on Meaningful Use Risk Analysis

MU measure 15 security risk assessment: does CMS require remediation in the same attestation period?

It is good to show at least some of the remediation actions taken during the attestation process. Though not a requirement for MU attestation, an OCR/HHS audit can fine covered entities that have taken no measures to close the gaps identified.

If I comply with meaningful use requirements, am I HIPAA/HITECH compliant?

No. Meaningful use requirements are federal initiatives to adopt EHR systems, and the incentive program applies to covered entities that accept Medicaid and Medicare patients. You can get more information on that at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html. HIPAA/HITECH requirements apply to all healthcare providers and their Business Associates. You can get more information at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html

Do you have to have the meaningful use security risk assessment completed before starting the 90 day attestation period?

It is a best practice to complete the security risk assessment before your attestation period. You can then provide evidence of mitigating the risks identified in the assessment during the 90-day attestation period.

What is the exact requirement related to privacy and security of stage 1 of Meaningful Use?

Core objective #15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of its risk management process. Under the HIPAA Security Rule, you are required to implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308).

What is the scope of this security risk analysis?

The scope of the risk analysis required by the HIPAA Security Rule includes the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media ranges from a single workstation to complex networks connecting multiple locations. Thus, an organization's risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, or the source or location of the e-PHI.

Is the security risk analysis optional for small providers?

No. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Can only the designated security and privacy officer conduct the risk analysis?

No. Your security officer should be able to work effectively with others to safeguard patient information. At various times, the officer will need to coordinate with your privacy officer (if a different person), practice manager, IT administrator or consultant, and your EHR vendor.

Does simply installing a certified EHR fulfill the security risk analysis MU requirement?

No. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Certification does not guarantee performance or reliability of these security functions.
• The security functions may be “off” or the settings could be at a suboptimal level, either of which can create vulnerabilities.
• You and your staff should become familiar with the security settings in your EHR. Most of these are accessible to whoever has administrator privileges. Learning how to configure these settings, for example, will help when staff leave or join your practice. While nationally accepted standards on these configurations have not yet been developed, there are industry best practices. Your health information organization that facilitates electronic exchanges may have specific requirements.
• Your risk analysis should specifically examine the adequacy of your EHR security safeguards as it transmits, stores, and allows modifications to protected health information.

Do I have to outsource the security risk analysis?

No. It is possible for small practices to do the risk analysis themselves using self-help tools. However, a thorough and professional risk analysis that will stand up to a compliance review requires expert knowledge, which can be obtained through the services of an experienced outside professional.

Why do you need to select a qualified professional to conduct the security risk analysis?

Your security risk analysis must be done well, or you will lack the information necessary to protect patient information effectively. Doing the analysis in-house may require an upfront investment in developing a staff member's knowledge of HIPAA and electronic information security; use this opportunity to have your staff learn as much as possible about health information security. You can conduct the risk analysis yourself. However, just as you contract with professionals for accounting, taxes, and legal counsel, outsourcing the security risk analysis can make sense. If you outsource it, a qualified professional's expertise and focused attention will yield quicker and more reliable results than if your staff does it piecemeal over several months, and the professional will suggest cost-effective ways to mitigate risks so that you do not have to research and evaluate options yourself.

Can I just use a checklist as a security risk analysis?

It depends. Have your security officer or security risk professional use a checklist to get a preliminary sense of potential shortcomings in how your practice protects patient information. A checklist alone does not fulfill the security risk analysis requirement, but it will help everyone get ready for the needed improvements.

Do I need to document risk analysis in a particular format?

No. Document your process, findings, and actions in whatever format works for you, as long as it is efficient. Your documentation should consist of:
• Completed checklists
• Security risk analysis report
• Risk management action plan

Will a simple checklist suffice for the risk analysis requirement?

No. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Is there a specific risk analysis method that I must follow?

No. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Is the scope of my security risk analysis only my EHR?

No. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and any devices that can access your EHR data (e.g., your tablet computer, your practice manager's mobile phone). Remember that copiers also store data. Please see the U.S. Department of Health and Human Services (HHS) guidance on remote use.

Do I only need to do a risk analysis once?

No. To comply with HIPAA and the MU incentive program, you must continue to review, correct or modify, and update security protections at least every year.

Is there any difference between the requirement of Core Measure 15 and the existing HIPAA regulations that providers and practices should already be complying with?

No. CMS has stated that it is not using the meaningful use criteria to introduce any new security requirements, so this should be nothing new to anyone. Performing a security risk analysis is required by the HIPAA Security Rule, as is applying security updates as needed; both are administrative safeguards in the Security Rule. The requirement to remediate problems means that if you do find some, you cannot ignore them and must do something about them.

Do I need to fully mitigate all risks before I attest for an EHR incentive program?

No. The EHR incentive program does not require the healthcare organization to completely correct all deficiencies identified during the risk analysis within the reporting period as part of its risk management process.

Do I need to completely redo my security risk analysis every year?

No. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.

Why is my EHR vendor not taking care of everything I need to do about privacy and security?

Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making your practice compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Do I need to do a security risk analysis only for office-based (locally hosted) EHRs?

No. Both office-based (locally hosted) and Internet-hosted (remotely hosted) EHRs have features that enable your practice to control access to and use of protected health information better than was possible with paper medical records. On the other hand, both EHR types also introduce new risks to your patients' information. The mix of security risks relates, in part, to your EHR type. The table on the next page offers a few examples of the different risks associated with office-based vs. Internet-hosted EHRs.

What do I do after completing the risk analysis?

Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan should have five components: administrative, physical, and technical safeguards; policies and procedures; and organizational standards. Often, basic security measures such as security awareness training and encryption are highly effective and affordable.

How does it benefit my practice?

Ensuring the privacy and security of electronic health information is a key component of building trust with patients, other providers, and business partners. If individuals and other participants in a network lack trust in the electronic exchange of information because of perceived or actual risks to individually identifiable health information, or to the accuracy and completeness of that information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences. In addition, protecting ePHI is a federal mandate.

If I complete security risk analysis am I compliant with HIPAA/HITECH?

Security risk analysis is only a part of HIPAA/HITECH security rule requirements. There are other security rule requirements that need to be completed as part of HIPAA/HITECH compliance.

Am I going to be audited even if I have performed a thorough security risk analysis as part of the meaningful use incentive program?

Yes. CMS (Centers for Medicare & Medicaid Services) conducts routine audits of eligible professionals and hospitals that have received incentive payments to ensure that the meaningful use core objectives are being met.

How long would it take to complete the risk analysis?

It depends. For a small provider, depending on the complexity of the installation, it should take anywhere from 4 to 8 hours. For a medium to large provider, we need to understand the technology architecture before providing a proposal.
Contact us at info@ehr20.com

What is a security risk analysis?

To make a simple medical analogy, a security risk analysis is the examination and testing you do to assess clinical risk and diagnose a condition. Just as you use a diagnosis and other clinical data to plan treatment, you will use the risk analysis to create an action plan to make your practice better at protecting patient information. Further, privacy and security are like chronic diseases that require treatment, ongoing monitoring and evaluation, and periodic adjustment.
A security risk analysis is a systematic and ongoing process of both:
• Identifying and examining potential threats and vulnerabilities to protected health information in your medical practice.
• Implementing changes to make patient health information more secure than at present, then monitoring results (i.e., risk management).

Who needs to conduct a meaningful use security risk analysis?

An eligible professional must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS that he or she has met meaningful use for that period.

How can we help? – Call 802-HIT-CALL (802-448-2255) or e-mail us at info@ehr20.com