|What You Need to Do||How Redspin Can Help|
Meaningful Use Stage 1 Core Objective — Protect Electronic Health Information
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
|HIPAA Security Risk Analysis|
|HIPAA Security Rule — Administrative Safeguards (45 CFR 164.308(a)(8)) Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.||HIPAA Gap Analysis|
The healthcare IT landscape is changing fast. Through government sponsored incentive payments, the 2009 HITECH Act promotes the adoption and "meaningful use" of healthcare IT — in particular the migration to electronic health records (EHR) to enable greater access to and sharing of patient health information among providers, patients, payers and employees.
But along with easier access and information-sharing over data networks comes an increased risk of privacy breach, data theft or cyber-attack. These increased privacy and security concerns have already been reflected in several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. And "meaningful use" incentive payments (at least for Medicare incentives) are also directly tied to increased IT security. For example, before submitting a stage 1 meaningful use application, a provider must attest that they have performed a HIPAA Security Risk Analysis.
Registration for the EHR meaningful use incentive program began on January 3, 2011 and first payments will be received as early as May 2011. Final rules regarding breach notification, enforcement and modifications to the privacy and security provisions to HITECH and HIPAA will also be published in early 2011.
In summary, two things are clear. First, the healthcare industry's migration to EHR will enable providers to deliver better care more efficiently. And second, IT security will become a critical success factor in every health organization's future. Everyone stands to gain in this prodigious shift, but no one can afford to lose.