Update on Meaningful Use Stage 2 Security Risk Analysis

Close to 415,000 providers are participating in the popular CMS Medicare and Medicaid meaningful use incentive program. If your practice has not participated in the Medicare or Medicaid EHR Incentive Programs previously, please click on the link here to learn how you can receive federal incentives. If you’re already participating in the program, compliance with the regulations will be a continual process. Several of the objectives are automatically taken care of by using a certified EHR system. However, some objectives require additional effort, including a periodic security risk analysis of your EHR system containing electronic Protected Health Information (ePHI). In order to successfully complete and attest “Yes” to the meaningful use security risk assessment objectives, you need to understand their intent, scope, and requirements. The meaningful use security risk analysis objectives begin with a simple idea: assess the vulnerabilities of the EHR and peripheral systems that handle Protected Health Information (PHI). Ensuring a secured EHR system is critical to the overall security posture of your practice.

There are three primary steps involved in risk analysis:

  • Evaluation and assessment to identify the technology assets that create, store, transmit, and receive PHI.
  • Risk assessment to discover the threats and vulnerabilities that pose risk to those assets.
  • Risk mitigation to address each risk by transferring, eliminating, or accepting (recognizing) it.

Meeting Core Objective #14 for eligible professionals and Meaningful Use Core Measure #13 for eligible hospitals is mandatory, and there’s no exception. While it is not necessary to hire a professional security organization to conduct the risk analysis, healthcare data breaches are getting more sophisticated and are being reported on a daily basis on the HHS website. Therefore, it is recommended to have a professional conduct a thorough security risk analysis that not only covers you from a meaningful use audit perspective but also identifies risk factors that would otherwise go undiscovered.

EHR 2.0 would like to remind practices to consider two primary objectives while completing the exercise:

  • Compliance with the CMS and other agencies’ (auditors’) focused risk analysis, to address the potential audit requirements.
  • Securing and branding your practice from a business perspective by protecting patient health information.

Several providers that we have spoken to consider using a “CERTIFIED EHR” system enough to meet the security risk analysis requirement. This is a common misunderstanding: the security risk assessment covers the security of the implemented EHR system as well as your network and the other systems that interact with the EHR’s functionality.

No matter what approach you take to address this critical need, you must conduct a risk analysis to ensure you are complying with the security risk analysis requirements of HIPAA before you attest “Yes” to the program requirement.

As the demand for, and questions about, security risk assessment for meaningful use are on the rise, the EHR 2.0 consulting team has decided to publish a meaningful use security risk analysis blog series to address our customers’ needs. Please visit us again to learn more about the following topics:

1) Scope of MU security risk analysis

2) Do I need to address all risks?

3) Can I use a template?

4) Can I self-audit my EHR system?

5) Small practices approach

