One of the 14 Meaningful Use Core Set objectives is to:
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
The Stage 1 measure is:
Conduct or review a security risk analysis per [HIPAA] and
Implement security updates as necessary and correct identified security deficiencies as part of its risk management process
The requirement for a security risk analysis may sound vague, but information security specialists regard risk assessment as an essential step in improving an organization's security program. This article explains what must be done to meet this Meaningful Use requirement.
In order to attest to this Stage 1 requirement, both the assessment and the correction of the security deficiencies it identifies must be completed by the end of your first EHR reporting period. The work can be completed before the EHR reporting period begins. The scope of the assessment must include, at a minimum, your certified EHR technology; note that the HIPAA rule it references (quoted below) is broader, covering all electronic protected health information the covered entity holds.
The HIPAA requirement referenced in the Stage 1 measure says:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
A risk analysis or risk assessment is a systematic process to identify, analyze and evaluate security vulnerabilities and the level of risk associated with each one. A risk management plan is then developed to reduce (mitigate) unacceptable risks to an acceptable level. The risk analysis and the risk management plan should be presented to leadership for decisions about the appropriate response and for incorporation of the required activities into organizational plans. Some risks can be addressed through system configuration changes, patches or software upgrades. Others require new policies and workforce training. Some require the purchase and implementation of new technology and therefore have a budgetary impact. Still others require process changes, and some affect staffing levels. These are only a few examples of the steps that may be necessary.
HIPAA emphasizes that a risk analysis must be thorough. It should examine risks to the confidentiality, integrity and availability of information. It is not an assessment of the IT department alone; it analyzes security risks in every department that uses or discloses electronic patient information.
“A risk analysis or risk assessment is foundational to developing a security program that provides the necessary protection for patient privacy. That is why HIPAA and the EHR incentive program require it.”
Jeff Bell, CISSP, CPHIMS, ACHE
Director of Client Services