Modern Healthcare Mobile

Practice Makes Perfect: Meeting the security risk analysis requirement of meaningful use

By Robert Tennant
Posted: May 2, 2013 - 10:45 am ET

Last June, MGMA-ACMPE released the results of a questionnaire that ranked members' most pressing practice management challenges. In this edition of "Practice Makes Perfect," we'll tackle No. 5 on that list: Participating in CMS' EHR meaningful-use incentive program.

Many eligible professionals (EPs) seeking to attest for stage 1 of the CMS' meaningful-use EHR incentive program find that their biggest challenge lies with meeting the core measure related to protecting electronic protected health information (ePHI) maintained by their EHRs.

As one of its meaningful-use requirements, the CMS expects EPs to “conduct or review a security risk analysis” and “implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” This process should not be something new for practices—it has been required since the final HIPAA Security Rule was published in 2005.

As more EPs are being audited as part of meaningful use (with the CMS now instituting pre-payment audits along with its customary post-payment reviews), failing to conduct and document an appropriate risk analysis is one of the reasons why an EP can fail an audit and be required to return the incentive payment.

The HIPAA Security Rule requires that practices focus on three main issues when it comes to protecting ePHI:

While the HIPAA Security Rule includes a wide variety of both “required” and “addressable” mandates in the areas of administrative, physical and technical safeguards, it also recognizes that practices vary tremendously in terms of their technical sophistication and security capabilities. Thus, the rule is specifically designed to be “flexible and scalable” and permits the practice to determine how best to meet the individual requirements.

Our members have raised many questions about these requirements, and along with HIMSS, MGMA-ACMPE developed a privacy and security toolkit to help members navigate these requirements. The following are the key steps EPs must take to ensure successful completion of this meaningful-use requirement.

Conduct a risk assessment and implement solutions

Conduct employee training and implement sanction policies

Perform periodic reviews and updates and conduct internal audits

It is important to remember the famous healthcare adage that “if it is not documented, it never happened.” Keep a written log of your risk assessment process, a complete list of practice policies and procedures, and all training provided to the staff. While daunting, this process of assessing threats and vulnerabilities and implementing the appropriate measures to secure your ePHI can be accomplished with the support of your practice colleagues and the identification of helpful resources.

Robert Tennant
Senior policy adviser
MGMA government affairs
