
CMS’ HIPAA Risk Analysis Myths and Truths

Posted on October 21, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement, and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic, since this really isn’t anything that wasn’t already part of the HIPAA security rule. Although that illustrates how well we’re doing at complying with the HIPAA security rule.

It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:

A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. For more information, read this FAQ.

Please note:
* Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
* In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
CMS HIPAA Security Risk Analysis Myths and Facts

Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
CMS HIPAA Security Risk Analysis Overview

Have you done your HIPAA Risk Assessment for your organization?

MU Core Measure: Conduct a Security Risk Analysis – Meaningful Use Monday

Posted on May 21, 2012 | Written By

Lynn Scheps is Vice President, Government Affairs at EHR vendor SRSsoft. In this role, Lynn has been a Voice of Physicians and SRSsoft users in Washington during the formulation of the meaningful use criteria. Lynn is currently working to assist SRSsoft users interested in showing meaningful use and receiving the EHR incentive money. Check out Lynn’s previous Meaningful Use Monday posts.

Perhaps because, in the past, CMS has issued little guidance as to exactly what constitutes a security risk analysis for meaningful use purposes, this measure has created a great deal of confusion, and in some cases angst, among providers. Some EPs worry that this measure is so comprehensive that it requires hiring a consultant, while at the other end of the spectrum, others assume that they automatically satisfy this requirement because their EHR is certified to meet the privacy and security standards specified by ONC. Neither is the case.

Core Meaningful Use Measure: Protect Electronic Health Information

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies prior to or during the reporting period.

According to CMS, this measure is not designed to introduce new security requirements above and beyond what is required for a practice to be HIPAA compliant—the HIPAA security rule already demands a security analysis and remediation. However, this does not mean that EPs should just attest “Yes” without being able to back up their attestation with documentation of the process that was undertaken and the steps taken to address deficiencies.

To help clarify this for providers, ONC recently published the “Guide to Privacy and Security of Health Information,” which contains two chapters that specifically address meaningful use. It’s definitely worth a read!

Another Way Meaningful Use Won’t Work “Out of the Box”

Posted on November 8, 2011 | Written By John Lynn

One good thing that could come out of my post about Meaningful Use Attestation Issues is that it will hopefully awaken providers to realize that meeting the meaningful use requirements requires more than just opening your proverbial “EHR software box.” Indeed, you have to do a fair amount of work to make sure that you’re using your EHR software in the right way to meet the meaningful use measures.

In fact, in response to that post, Mike Regan from ACR2 Solutions pointed out one meaningful use requirement that an EMR software can’t accomplish.

The company I work with focuses on Risk Assessments for the HIPAA Security Rule and Meaningful Use Item 15. We found a number of EMR vendors who guaranteed their clients that all that the client needed to do for Item 15 is install their EMR software. Most folks would realize that an EMR software package cannot accomplish a Risk Analysis required by 45 CFR 164. Granted, the EMR vendor can ensure that the data is encrypted and access properly controlled, but that is about all they can do. How would the EMR software know about the client’s written HIPAA Security Rule policies? We contacted many of the vendors to make them aware of a potential problem with their marketing pitches. As recently as a month ago, we found a sales rep for a major EMR vendor still spouting the “just install our software, that is all you need for Meaningful Use” marketing pitch. We even pointed out to him that his own CTO had recanted that pitch and now the legal department has added verbiage to the sales agreement indicating that their clients must meet the requirements of privacy and security laws.

We have informed CMS of the problem and they are looking into the issue. The recent OIG tasking to review Meaningful Use recipients to ensure that they met the requirements may have been the outcome. I’m certain that there are a number of providers who have attested that they have completed Item 15 who have not completed a proper Risk Assessment based on this erroneous guidance from EMR vendors. While I doubt there would be legal action taken by CMS given that the provider acted in good faith and was misled by the marketing pitch, what action would be taken against the provider remains to be seen.

Yes, this is going to get very interesting indeed. I guess people should know that they have to dot all their i’s and cross all their t’s when they’re getting money from the government. I have a feeling a bunch of basically innocent people are going to get hurt by things like this. Although, I am cautiously hopeful that CMS will be reasonable about it all.