One of the Meaningful Use criteria is to conduct a security risk analysis of one’s Electronic Health Record (EHR) system. This is a core requirement, and there are no exemptions from this item.
The specific Meaningful Use measure is: “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
What, exactly, does this entail? Looking at 45 CFR 164.308(a)(1), one can see that a “covered entity” (any HIPAA-covered entity) must “implement policies and procedures to prevent, detect, contain, and correct security violations.” The implementation specifications for this consist of 4 parts:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
To help providers carry this out, the Office of the National Coordinator for Health IT (ONC) has published a resource, the Small Practice Security Guide. This guide lists a series of “Questions to Ask Yourself” for each of the elements – for the Risk Analysis section, for example, there are questions for each of the categories of confidentiality, integrity, and availability.
We have put together the “Questions to Ask Yourself” into a series of tables, with responses based on our web-based EHR product. These are included in a Security Toolkit, under 4 sections.
The first section (Attachment A: Risk Analysis) has 3 tables, addressing the Questions around confidentiality, integrity, and availability.
The second section (Attachment B: Identifying Safeguards) has 3 tables, addressing the Questions around administrative safeguards, physical safeguards, and technical safeguards.
The third section (Attachment C: Sanction Policy (sample)) contains a sample employment policy with regard to implementing sanctions for any failure to comply with the security policies identified above. The sample Sanction Policy is adapted from a brief published by the American Health Information Management Association (AHIMA) in 2009.
The fourth section (Attachment D: Audit Log review) contains a sample record to document periodic review of the Audit Log in the Practice Fusion product and to document any findings.
We feel that this Toolkit can be a valuable asset for practice administrators (or whoever is responsible for privacy and security within a practice), and it is intended to be printed out and kept as documentation. Reviewing and checking answers to each of these items constitutes a good-faith effort to demonstrate a security risk review, and will stand as evidence supporting attestation of the Meaningful Use criteria. We suggest the practice print out the attachments; check, sign and date them; and keep them for reference.
Robert Rowley, MD
Chief Medical Officer
Practice Fusion EMR