
Does a HIPAA Security Risk Analysis cover Certification of EHR Technology?

To qualify for Meaningful Use, an organization must use an approved EHR application. The standards that EHR technology must meet to be approved for Meaningful Use are defined in 45 CFR 170.302.

We are often asked whether our HIPAA Risk Analysis covers certification of a client's EHR technology to 45 CFR 170.302 (General certification criteria for Complete EHRs or EHR Modules). The short answer is no: that scope of work has already been completed by the vendor. Here is how the EHR technology certification process works:

1. The standards that the EHR technology must meet are defined in 45 CFR 170.302.

2. The test procedures to evaluate conformance of EHR technology to the standards have been defined by NIST.

3. The EHR vendors contract with a testing organization to get their products tested and certified. The testing that verifies an application meets the government standards must be conducted by an organization approved by ONC. Currently CCHIT and five other firms are approved to test and certify EHR technology.

What does this mean for you? The good news is that if your organization is using an approved EHR application, the testing that approved that application for Meaningful Use has already been completed. Your own testing only needs to cover your environment and the security of your implementation of that particular EHR technology. Comparing your environment to the HIPAA standards is what is known as a HIPAA Risk Analysis.
