IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and to be responsible for more. Enabling the business to meaningfully engage IT, and creating a way to give the business the right information to make decisions, is key to both the perceived and the actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.
Registration begins this week for the Medicare and Medicaid Electronic Health Records (EHR) incentive programs. With the programs contingent on “meaningful use” of certified EHR technology, the big question now is how to achieve meaningful use. According to a mid-November survey by the College of Health Information Management Executives (CHIME), released on December 9, 2010, this won’t be easy: “The vast majority of CIOs – 82 percent – report that they still continue to have concerns related to meeting meaningful use objectives and qualifying for stimulus funding.”
The Centers for Medicare & Medicaid Services (CMS), which administers the programs for the U.S. Department of Health & Human Services, will phase in meaningful use by defining 3 sets of criteria for achieving meaningful use over the next 5 years. The requirements for Stage 1 of meaningful use are defined by CMS. While these vary between eligible professionals and eligible hospitals and critical access hospitals (CAHs), protecting electronic health information is a core objective that must be met to achieve EHR meaningful use for any entity.
CMS defines this core objective as follows:
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
A risk analysis is called out in 45 CFR 164.308(a)(1)(A) as follows:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
HHS has provided some guidance on Risk Analysis that allows for some interpretation in how compliance is achieved, as noted in the following excerpts:
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement.
We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.
The upside of the latitude provided is that if the spirit and intent of the Risk Analysis are maintained as an objective, a healthcare entity can leverage practical and cost-effective approaches to achieving HIPAA Security Rule compliance and meaningful use, while also minimizing the risk of a HITECH Act data breach notification.
Here are a couple of resources for effective approaches to addressing the Risk Analysis requirement for meaningful use:
- The HIPAA Risk Analysis summary provides a fast-track approach to addressing the meaningful use Risk Analysis requirement.
- Redspin Healthcare Information Security Assessment Services provides an overview of the HIPAA Security Rule and the key components that map to a Risk Analysis.
The diagram below adds some perspective to the Security Rule and Risk Analysis as it relates to HIPAA.