EHR Meaningful Use: What You Need to Know Now
Part Three of a Five-Part Series, No. 3
Meaningful Use - Part 3
Protecting ePHI
Dear Indiana-ACC Colleague,

Here is Part Three of the Meaningful Use Series. The Indiana Chapter of the American College of Cardiology has teamed up with the Purdue Regional Extension Center (PurdueREC) to address this important issue. This edition focuses on protecting ePHI.

 

Sincerely,

 

John S. Strobel, MD, FACC
President, Indiana-ACC
PART 3:  EHR Meaningful Use - Protecting ePHI


In our last installment, Part Two in our series on EHR Meaningful Use, we informed cardiologists about the preparation phase for the 90-day reporting period known as "attestation." Preparing to meet the Meaningful Use measures involves understanding your eligibility as a specialist provider to collect incentives, choosing the measures by which you will be evaluated, and getting a "lay of the land." As part of this preparation, one must fully understand the importance and ramifications of Core Measure 15, a mandatory objective under the incentive program.

 

CORE MEASURE 15

Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

 

Are you covered?

Do you know the last time you performed a security assessment?  Do you conduct assessments on a regular basis?  Do you require that your business associates assess their risks prior to you doing business with them? Review the Security Checklist and Fact Sheet from the PurdueREC to see where you stand.

 

Assessing your risks and vulnerabilities involves reviewing who has the ability to access, modify, and distribute ePHI as well as investigating administrative and technical deficiencies in EHR systems and the devices and networks used to access the EHR. Many tools and frameworks exist to make self-assessments easier; however, an external party should be used to provide a fresh, unbiased assessment once a year or after any major infrastructure change. Once risks have been identified, they can be remediated in a number of ways, but they always should be documented and managed appropriately.  Risk can be transferred to another party via insurance policies or business associate contracts, risk can be accepted as a normal course of doing business, and risk can be reduced by implementing a new policy/procedure or a technical control such as anti-virus software or firewalls.

 

Risk of audits

Security breaches can leave you - as a provider or practice administrator - personally liable, facing monetary fines and jail time if you knowingly fail to protect this data. The Office for Civil Rights (OCR) plans to randomly audit 2-3 Indiana-based practices per year for HIPAA compliance. OCR has hired KPMG LLP, a public accounting firm, to conduct the audits nationwide and - although the initial round of audits is being undertaken to refine the audit process - a Phoenix Cardiac Surgery group was fined $100,000 in April for violations that would have been resolved had the group uncovered its vulnerabilities and risks through a Meaningful Use security risk assessment.

 

In part 4 of this series next week, we will discuss what to expect during the attestation process.

 

If you have any questions about risk assessment methodologies or remediation strategies, contact the PurdueREC to speak with a security assessor at (765) 494-7538. If you need additional guidance, contact Caren Crum, Purdue Regional Extension Center Account Manager, at (765) 494-9204 or carencrum@purdue.edu. The PurdueREC offers specialist providers EHR Meaningful Use guidance, attestation validation/support, and security risk assessments.

 

Purdue University has spent the past year helping more than 2,400 Indiana primary care physicians and more than 30 hospitals as they seek to comply with the "Meaningful Use" standards associated with electronic health records systems (EHRs). 

 

Indiana-ACC
indiana.acc@gmail.com  |  www.inacc.org  |  317.456.2223