Healthcare organizations moving toward adopting certified EHR technology that meets CMS' "meaningful use" definition and qualifies for government incentives must conduct a risk analysis.
The proposed rule for the Medicare and Medicaid EHR incentive programs says that in Stage 1 of meeting the meaningful use criteria for certified EHR technology, eligible providers must attest that a risk analysis has been conducted and reviewed.
A brief recap on the stages of meaningful use:
CMS stresses the need for an internal risk analysis in its meaningful use proposed rule. It refers organizations back to the existing HIPAA Security Rule requirement, which says a risk analysis helps "form the foundation upon which an entity's necessary security activities are built."
The security rule cites NIST SP 800-30, "Risk Management Guide for Information Technology Systems," as a guide for covered entities.
"An entity must identify the risks to and vulnerabilities of the information in its care before it can take effective steps to eliminate or minimize those risks and vulnerabilities," according to the security rule.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says covered entities may have been less than aggressive in completing the required risk analysis. Likely, a significant number of covered entities never did one, he adds.
And the HIPAA compliance leaders who ran many organizations' original risk analyses back in 2003 may since have left, so those analyses may never have been updated.