Identifying the scope for Meaningful Use security risk analysis starts with understanding the flow of your electronic Protected Health Information. According to HHS guidelines, the following personal information (18 identifiers), when combined with clinical data, becomes Protected Health Information (PHI), which is the scope of security risk analysis:
| Identifiers | Examples |
|---|---|
| Name | Max Bialystock |
| Address | 1355 Seasonal Lane (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code) |
| Dates related to an individual | Birth, death, admission, discharge |
| Telephone numbers | 212 555 1234, home, office, mobile etc., |
| Fax number | 212 555 1234 |
| Email address | LeonT@Hotmail.com, personal, official |
| Social Security number | 239-68-9807 |
| Medical record number | 189-88876 |
| Health plan beneficiary number | 123-ir-2222-98 |
| Account number | 333389 |
| Certificate/license number | 3908763 NY |
| Any vehicle or other device serial number | SZV4016 |
| Device identifiers or serial numbers | Unique Medical Devices/RFID |
| Web URL | www.rickymartin.com |
| Internet Protocol (IP) address numbers | 19.180.240.15 |
| Finger or voice prints | finger.jpg |
| Photographic images | mypicture.jpg |
| Any other characteristic that could uniquely identify the individual | Social media username, etc. |
It’s critical to understand the definition of PHI before you continue with any part of meaningful use security risk analysis. Keep in mind when PHI is de-identified using some of the techniques described here by HHS, it’s considered out-of-scope for risk analysis.
Though the primary focus of MU SRA is to include only the EHR system, we recommend including all key networking components and patient data management interfaces/applications as part of this exercise; it provides an opportunity to conduct end-to-end review and assessment of the gaps.
Identify and categorize all your practice processes, systems, and technology. We recommend a simple ePHI inventory template for meaningful use security risk analysis this exercise, which needs to be kept up-to-date based on changes to your technology infrastructure. In lot of practices, apart from the core EHR system, billing and scheduling systems are used for better efficiency. During your MU SRA, ensure you cover all interfaces you have developed to keep the data in sync between different systems, in terms of the risks exposed to ePHI.
Primarily, the following key systems are covered as part of MU SRA:
- EHR system
- Network (Routers, Wireless Access Points, Firewall, etc.)
- Desktops
- Mobile/laptop/tablets
- Interfaces
- Copiers/printers
- Patient Portal(If any)
To learn more about EHR 2.0’s toolkit for Meaningful Use Risk Analysis click on the link below:
Latest posts by EHR 2.0 (see all)
- Update on HIPAA Phase 2 Audits from HIPAA Conference 2017 - September 13, 2017
- Security Risk Analysis Requirements for Quality Payment Program (MACRA/MIPS) - August 18, 2017
- Improper faxing of sensitive patient data results in HIPAA penalties - May 23, 2017
