Meaningful use, risk analysis and protecting electronic health information
Registration begins this week for the Medicare and Medicaid Electronic Health Records (EHR) incentive
programs. With the programs contingent on “meaningful use” of certified EHR technology, the big question
now is how to achieve meaningful use. According to a mid-November survey by the College of Health
Information Management Executives (CHIME) released on December 9, 2010, this won’t be easy: “The vast
majority of CIOs – 82 percent – report that they still continue to have concerns related to meeting meaningful
use objectives and qualifying for stimulus funding.”
The Centers for Medicare & Medicaid Services (CMS), which administers the programs for the U.S. Department
of Health & Human Services, will phase in meaningful use by defining 3 sets of criteria for achieving
meaningful use over the next 5 years. The requirements for Stage 1 of meaningful use are defined by the CMS.
While these vary for eligible professionals or eligible hospitals and critical access hospitals (CAHs), protecting
electronic health information is a core objective that must be met to achieve EHR meaningful use for any
entity.
CMS defines this core objective as follows:
Objective: Protect electronic health information created or maintained by the certified EHR technology through
the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR
164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part
of its risk management process.
A risk analysis is called out in 45 CFR 164.308 (a)(1)(A) as follows:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic protected health information held by the covered entity.
HHS has provided some guidance on Risk Analysis which allows for some interpretation for compliance as
noted in the following excerpts:
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis
requirement.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM
We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that
methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule
identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes
several objectives that any methodology adopted must achieve.
The upside of this latitude is that, as long as the spirit and intent of the Risk Analysis are maintained as an
objective, a healthcare entity can use practical and cost-effective approaches to achieve HIPAA Security
Rule compliance and meaningful use, as well as minimize the risk of a HITECH Act data breach notification.
Here are a couple of resources for effective approaches to addressing the Risk Analysis requirement for
meaningful use:
HIPAA Risk Analysis summary provides a fast-track approach to addressing the meaningful use Risk analysis
requirement.
Redspin Healthcare Information Security Assessment Services provides an overview of the HIPAA Security Rule
and the key components that map to a Risk Analysis.
The diagram below adds some perspective to the Security Rule and Risk Analysis as it relates to
Written by Redspin CEO, John Abraham