How Do I Comply with Meaningful Use Requirements?
Your EHR or EHR components must meet ONC’s standards and implementation specifications, at a minimum, to be certified to support the achievement of meaningful use Stage 1 by eligible health care providers under the EHR Incentive Program regulations. Along with many other criteria, ONC requires that an EHR meet nine security criteria to be certified. An up-to-date list of certified EHR systems and components is posted on ONC’s website.
To receive the incentive payments, you must also demonstrate that you have met the criteria for the EHR Incentive Program’s privacy and security objective. This objective, “ensure adequate privacy and security protections for personal health information,” is the fifth and final health policy priority of the EHR Incentive Program. The measure for Stage 1 aligns with HIPAA’s administrative safeguard to conduct a security risk assessment and correct any identified deficiencies. In fact, the EHR Incentive Program’s only privacy and security measure for Stage 1 is to:
Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.
The EHR Incentive Program and the HIPAA Security Rule do not mandate how the risk analysis and updates should be done. Instead, this is left up to the provider or organization. There are numerous methods for performing risk analysis and risk management. Below are commonly recommended steps for performing these tasks:
The risk analysis and risk management process must be conducted at least once prior to the beginning of the EHR reporting period. You will need to attest to CMS or your State that you have conducted this analysis and have taken any corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis. Your local REC can be a resource in identifying the tools and performing the required risk analysis and mitigation.
Basics of Risk Analysis and Risk Management – CMS’ HIPAA Security Series document explains the requirements for risk analysis and risk management, the thought process behind those requirements, and possible ways to address these provisions.
Guidance on Risk Analysis Under the HIPAA Security Rule – This Office for Civil Rights (OCR) guidance document clarifies the expectations of HHS for organizations working to meet the HIPAA requirements for risk analysis.
E-mail the HealthIT e-mail box: firstname.lastname@example.org