With the federal EHR incentive program kicking off, is your organization scrambling to achieve meaningful use criteria for your EHR systems? Given all the questions we’ve been hearing about how healthcare organizations can effectively address the meaningful use requirements, I thought I would share a practical approach to addressing the core objective: protect electronic health information.
In order to meet the requirements, it’s important to first understand the specific criteria defined by the CMS. As we noted previously, to meet the criteria to protect electronic health information, a healthcare organization must:
- perform a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and
- implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
There is good news and bad news. The bad news is that these two requirements in essence state that an entity must have both identified AND mitigated all of its security risk around ePHI / EHR – a herculean task for any organization. The good news is that the CMS leaves plenty of latitude in how to achieve these requirements. In fact, while they provide guidance in the form of references to the HIPAA Security Rule, they make clear their intent: to identify security risk to ePHI in terms of confidentiality, integrity and availability, and implement controls to mitigate risk. Fortunately, these are key ingredients of any successful information security program.
By focusing on the spirit and intent of the requirements and understanding that they really just define the most basic elements of widely accepted “best practice” information security process, healthcare entities can systematically achieve a number of objectives concurrently, including:
- meaningful use core objectives,
- HIPAA Security Rule compliance, and
- systematic reduction of security risk – i.e., protecting ePHI so you don’t land on the HHS HITECH Act Data Breach Notification website (per section 13402(e)(4) of the HITECH Act).
In fact, you can achieve these objectives cost-effectively if you focus on a systematic information security process. Here is what we recommend to meet both the intent and letter of the requirement. Focus on these core steps to achieve an effective HIPAA Risk Analysis:
- Gap Analysis: Analyze how your processes, policies and procedures measure up to the standards defined in the Security Rule of the Administrative Provisions set forth in Title II of HIPAA. Specific tasks associated with benchmarking your organization to the Security Rule are documented here.
- IT Security Assessment: Provide a comprehensive analysis of your IT infrastructure and operating environment to determine how well your policy and technical controls are working and identify potential vulnerabilities which could put protected information at risk.
By focusing on key areas of risk and HIPAA Security Rule deficiencies, your organization can concentrate on the most important factors that achieve security and compliance with the “protect electronic health information” requirement. With diligent focus on the most important issues, many health IT teams should find compliance still daunting, perhaps, but achievable.