10 Myths of a Meaningful Use Security Risk Analysis
The Centers for Medicare & Medicaid Services recently released a tip sheet for eligible professionals on 10 myths associated with conducting a HIPAA security rule risk analysis to ensure the privacy and security of their patients' protected health information, which is a requirement in the EHR meaningful use program. Here are the facts.
FACT: All providers who are covered entities under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
FACT: Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
FACT: Your EHR vendor may be able to provide information, assistance and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA privacy and security rules. It is solely your responsibility to have a complete risk analysis conducted.
FACT: It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
FACT: Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
FACT: A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
FACT: Review all electronic devices that store, capture or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice managerís mobile phone). Remember that copiers also store data. See U.S. Department of Health and Human Services guidance on remote use.
FACT: To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
FACT: The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
FACT: Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EPís year of participation in the program.
10 Tips for Successful Implementation of a Patient Portal
Chronic Care8 Ways to Take Advantage of the ICD-10 Delay
AMA Gives 9 Reasons for Caution on Using Medicare Physician Data
10 More Big Data Companies You Might Not Know
Chronic Care10 Big Data Companies You Might Not Know
Health Info Exchange10 Key Dates in Obamacare
6 Tips for Deciding When to Replace Your RIS/PACs
10 Top Drugs Now or Soon With Generic Equivalents