MU Core Measure: Conduct a Security Risk Analysis – Meaningful Use Monday

Lynn Scheps is Vice President, Government Affairs at EHR vendor SRSsoft. In this role, Lynn has been a Voice of Physicians and SRSsoft users in Washington during the formulation of the meaningful use criteria. Lynn is currently working to assist SRSsoft users interested in showing meaningful use and receiving the EHR incentive money. Check out Lynn’s previous Meaningful Use Monday posts.

Perhaps because CMS has in the past issued little guidance as to exactly what constitutes a security risk analysis for meaningful use purposes, this measure has created a great deal of confusion, and in some cases angst, among providers. Some EPs worry that this measure is so comprehensive that it requires hiring a consultant, while at the other end of the spectrum, others assume that they automatically satisfy this requirement because their EHR is certified to meet the privacy and security standards specified by ONC. Neither is the case.

Core Meaningful Use Measure: Protect Electronic Health Information

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies prior to or during the reporting period. 

According to CMS, this measure is not designed to introduce new security requirements above and beyond what is required for a practice to be HIPAA compliant; the HIPAA security rule already demands a security analysis and remediation. However, this does not mean that EPs should just attest “Yes” without being able to back up their attestation with documentation of the process that was undertaken and the steps taken to address deficiencies.

To help clarify this for providers, ONC recently published the “Guide to Privacy and Security of Health Information,” which contains two chapters that specifically address meaningful use. It’s definitely worth a read!


3 Comments

  • As I deal in Risk Assessments, this strikes a chord.

    Actually, what really strikes a chord is how many physicians attest without doing any risk assessment at all.

    One of my first questions to a customer is “where are you in the attestation process”. I’d say about 10% of them say they are done.

    Most state they didn’t realize they needed to do this…while answering the affirmative on their attestation.

    Recently I got called in to do a “boots-on-the-ground” HIPAA audit. This is something that is beyond a Meaningful Use Risk assessment, yet still a good idea.

    This was a multi-physician practice and I asked if they had attested.
    Yes, all 10 had attested.
    Where is your risk assessment?

    Huh?

    HIPAA compliance and your computers is confusing, but not difficult.

    Playing dumb might work with your spouse, but that HIPAA auditor won’t care.

    Remember RAC auditors get paid solely on the fines they bring in…what makes you think HIPAA auditors will be any different?

  • We assist practices every day with Security Risk Assessments and there does seem to be quite a bit of confusion around what is and isn’t required. We’ve even seen some practices paying thousands of dollars just for someone to tell them what they need to do while providing very little value.

    Some advice to practices: be sure to work with someone who understands what is required to fulfill the ONC requirements and be sure to compare solutions as they vary greatly in price and content.
