As one of its meaningful-use requirements, the CMS expects EPs to “conduct or review a security risk analysis” and “implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” This process should not be something new for practices—it has been required since the final HIPAA Security Rule was published in 2005.
As more EPs are audited as part of meaningful use (with the CMS now instituting pre-payment audits along with its customary post-payment reviews), failing to conduct and document an appropriate risk analysis is one of the reasons an EP can fail an audit and be required to return the incentive payment.
The HIPAA Security Rule requires that practices focus on three main issues when it comes to protecting ePHI:
- Confidentiality—that ePHI is not made available or disclosed to unauthorized persons or processes;
- Integrity—that ePHI has not been altered or destroyed in an unauthorized manner; and
- Availability—that ePHI is accessible and usable upon demand by an authorized person.
While the HIPAA Security Rule includes a wide variety of both “required” and “addressable” mandates in the areas of administrative, physical, and technical safeguards, it also recognizes that practices vary tremendously in their technical sophistication and security capabilities. Thus, the rule is specifically designed to be “flexible and scalable” and permits each practice to determine how best to meet the individual requirements.
Our members have raised many questions about these requirements, and along with HIMSS, MGMA-ACMPE developed a privacy and security toolkit to help members navigate these requirements. The following are the key steps EPs must take to ensure successful completion of this meaningful-use requirement.