HIPAA Security Risk Assessment and Meaningful Use

HIPAA Security Rule

There’s lots to do and keep track of when your medical practice is preparing for Meaningful Use Attestation. With that in mind, one of the Meaningful Use criteria that I often see left to the last minute is the requirement to conduct or review a HIPAA security risk assessment. This is one criterion that an EHR software vendor can’t help you meet, since so much of it depends on things like physical setup and security.

When it comes to a HIPAA security risk assessment, what is the Meaningful Use requirement, exactly?

The security requirement is part of the Core Objectives of Meaningful Use.

  • The Objective is to protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  • The Measure of the Objective is to conduct or review a security risk analysis per 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of the practice’s risk management process.

“Implementation” of HIPAA security rules.

One of the issues that’s coming up now relates to the “and implement” language in the Measure. Does this mean that all identified security deficiencies must be addressed prior to attesting to meaningful use of certified EHR technology? Or is it enough to have completed the assessment even if you’ve not yet implemented corrective actions? The rule is not 100% clear on this point, so what should you do?

At a minimum, you should implement the recommendations that address what may be critical risks to the safety of electronic health information. Examples of such risks include:

  • Lack of sufficient back-up of data;
  • Use of the same password by multiple staff members;
  • Lack of control over storage media or portable devices containing ePHI that are subject to loss or pilferage (this is one of the most frequent reasons for breaches);
  • Lack of appropriate security for on-site servers or other critical hardware.

Other issues such as testing and revision procedures may be on a list to be corrected after you attest to meaningful use, but they too need to be addressed in a reasonably timely manner.

Meaningful Use Attestation … “tell the truth”.

Why is this so important?  Attesting to meaningful use to obtain EHR incentive payments without actually meeting all the criteria could be considered a false claim to a government program – definitely something you don’t want to do.

So as you start your 90 day period of meaningful use for attestation purposes, don’t forget about this criterion – and don’t wait until the last minute to address it!

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.