Close to 415,000 providers are participating in the popular CMS Medicare and Medicaid meaningful use incentive program. If your practice has not participated in the Medicare or Medicaid EHR Incentive Programs previously, please click on the link here to learn how you can receive federal incentives. If you are already participating in the program, compliance with the regulations will be a continual process. Several of the objectives are automatically taken care of by using a certified EHR system. However, some objectives require additional effort, including a periodic security risk analysis of your EHR system and the electronic Protected Health Information (ePHI) it contains. In order to successfully complete and attest "Yes" to the meaningful use security risk analysis objective, you need to understand its intent, scope, and requirements. The objective begins with a simple idea: assess the vulnerabilities of the EHR and the peripheral systems that handle Protected Health Information (PHI). A secured EHR system is critical to the overall security posture of your practice.
There are three primary steps involved in risk analysis:
- Evaluation and assessment to identify the technology assets that create, store, transmit, and receive PHI.
- Risk assessment to discover the threats and vulnerabilities that pose a risk to those assets.
- Risk mitigation to address each risk by transferring, eliminating, or accepting it.
Meeting Core Objective #14 for eligible professionals and Core Measure #13 for eligible hospitals is mandatory, and there is no exclusion. While it is not necessary to hire a professional security organization to conduct the risk analysis, healthcare data breaches are getting more sophisticated and are being reported daily on the HHS website. Therefore, it is recommended to have a professional conduct a thorough security risk analysis that not only covers you from a meaningful use audit perspective but also identifies risk factors that would otherwise go undiscovered.
EHR 2.0 would like to remind practices to consider two primary points while completing the exercise:
Several providers that we have spoken to consider using a "CERTIFIED EHR" system to be enough to meet the security risk analysis requirement. This is a common misunderstanding: the security risk analysis covers the security of the EHR system as implemented, together with your network and the other systems that interact with the EHR's functionality.
No matter what approach you take to address this critical need, you must conduct a risk analysis that satisfies the security risk analysis requirements of HIPAA in order to attest "Yes" to the program requirement.
As the demand for, and questions about, security risk analysis for meaningful use are on the rise, the EHR 2.0 consulting team has decided to publish a meaningful use security risk analysis blog series to address our customers' needs. Please visit us again to learn more about the following topics:
1) Scope of MU security risk analysis
3) Can I use a template?
4) Can I self-audit my EHR system?
5) Small practices approach