May 02, 2013 01:00 AM

Practice Makes Perfect: Meeting the security risk analysis requirement of meaningful use

Robert Tennant

    Last June, MGMA-ACMPE released the results of a questionnaire that ranked members' most pressing practice management challenges. In this edition of "Practice Makes Perfect," we'll tackle No. 5 on that list: Participating in CMS' EHR meaningful-use incentive program.

    Many eligible professionals (EPs) seeking to attest for stage 1 of the CMS' meaningful-use EHR incentive program find that their biggest challenge lies with meeting the core measure related to protecting electronic protected health information (ePHI) maintained by their EHRs.

    As one of its meaningful-use requirements, the CMS expects EPs to “conduct or review a security risk analysis” and “implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” This process should not be something new for practices—it has been required since the final HIPAA Security Rule was published in 2005.

    As more EPs are being audited as part of meaningful use (with the CMS now instituting pre-payment audits along with its customary post-payment reviews), failing to conduct and document an appropriate risk analysis is one of the reasons why an EP can fail an audit and be required to return the incentive payment.

    The HIPAA Security Rule requires that practices focus on three main issues when it comes to protecting ePHI:

    • Confidentiality—that ePHI is not made available or disclosed to unauthorized persons or processes;
    • Integrity—that ePHI has not been altered or destroyed in an unauthorized manner; and
    • Availability—that ePHI is accessible and useable upon demand by an authorized person.

    While the HIPAA Security Rule includes a wide variety of both “required” and “addressable” mandates in the areas of administrative, physical and technical safeguards, it also recognizes that practices vary tremendously in terms of their technical sophistication and security capabilities. Thus, the rule is specifically designed to be “flexible and scalable” and permits the practice to determine how best to meet the individual requirements.

    Our members have raised many questions about these requirements, and along with HIMSS, MGMA-ACMPE developed a privacy and security toolkit to help members navigate these requirements. The following are the key steps EPs must take to ensure successful completion of this meaningful-use requirement.

    Conduct a risk assessment and implement solutions

    • Create an internal assessment team that includes the practice administrator and representatives from the information technology and clinical staffs.
    • Identify the scope of the risk assessment. Most critical will be the identification of areas of the practice that store, use and transmit ePHI.
    • Identify and document potential security threats and vulnerabilities to ePHI. In this step, the team will look at administrative issues such as staff password management, physical safeguards such as ePHI disposal and technical safeguards such as unique user identification.
    • Assess and document the current security measures in place in the practice and how they address each of the threats and vulnerabilities.
    • Identify, implement and document those security measures necessary to address any threats or vulnerabilities not already covered by current practice policies or procedures. This is especially important for practices that have adopted an EHR after developing their current security policies and procedures.
    • Explore the encryption option for all practice ePHI, with special attention to ePHI contained on mobile devices. Note that encryption is specifically highlighted in the meaningful-use stage 2 requirements.

    Conduct employee training and implement sanction policies

    • Training practice clinical and administrative staff (including volunteers) is a critical step in the implementation of security policies and procedures. There is no stipulation for how employees and volunteers must be trained, so it will be up to the practice to determine the best approach.
    • An employee sanction policy is required, and practices should include a discussion of these policies as part of staff training.

    Perform periodic reviews and updates and conduct internal audits

    • Implementing your security policies and procedures is an ongoing process. Even with all security protocols in place, it is important to identify any new potential threats or vulnerabilities (e.g., reviewing your data backup system in light of an impending weather event), document how each will be countered, and train the appropriate staff. The acquisition of new technology or processes (e.g., partnering with a local health information exchange) will also require updating your risk assessment and mitigation processes.
    • It is also recommended that the practice conduct internal “audits” on a regular basis. As examples, are appropriate security measures in place when clinical staff take a laptop out of the facility? Are staff changing their passwords on a regular basis, and not writing them on a Post-it note attached to the monitor?

    It is important to remember the famous healthcare adage that “if it is not documented, it never happened.” Keep a written log of your risk assessment process, a complete list of practice policies and procedures, and all training provided to the staff.

    While daunting, this process of assessing threats and vulnerabilities and implementing the appropriate measures to secure your ePHI can be accomplished with the support of your practice colleagues and the identification of helpful resources.

    Robert Tennant

    Senior policy adviser, MGMA government affairs
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.