Invite a Friend

Sitemap

Home

Technology
e-Newsletter

Intelligence Unit

Special Reports

Special Events

Subscribe

Sponsored

Departments

Follow Us

Home > Technology > Tech News & Analysis

Meaningful Use Calls for Meaningful Risk Analysis

Comment

RSS

News Widget

Dom Nicastro, for HealthLeaders Media, February 1, 2010

Healthcare organizations moving toward adapting certified EHR technology that meets CMS' "meaningful use" definition and qualifies for government incentives must conduct a risk analysis.

The proposed rule for the Medicare and Medicaid EHR incentive says that in Stage 1 of meeting the criteria for certified EHR, eligible providers are to attest that a risk analysis has been conducted and reviewed.

A brief recap on the stages of meaningful use:

Stage 1. The initial set of criteria will focus on collecting data electronically, sharing this data with other healthcare providers and patients, and finally reporting the measures to the government.

Stage 2. The second state of criteria would be proposed by the end of 2011 and will focus on structured information exchange and continuous quality improvement.

Stage 3. The last stage will focus on decision support for "national high priority conditions" and population health. Criteria will come out in 2013.

CMS stresses the need for an internal risk assessment in its meaningful use proposed rule. It refers organizations back to the HIPAA Security Rule requirement, which says a risk analysis helps "form the foundation upon which an entity's necessary security activities are built."

The security rule cites the NIST SP 800–30, "Risk Management Guide for Information Technology Systems," as a guide for covered entities.

"An entity must identify the risks to and vulnerabilities of the information in its care before it can take effective steps to eliminate or minimize those risks and vulnerabilities," according to the security rule.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says in conducting the required risk analysis, covered entities may have been less than aggressive in completing these. Likely, a significant number of covered entities did not do so, he adds.

And many organizations' HIPAA compliance leaders in 2003 may have left, so the risk assessment may have never been updated.

1 | 2

Email to a colleague

RSS

News Widget

Archive

Printer Friendly

Be the first to make a comment

Comments are moderated. Please be patient.

Stage 2 meaningful use to show ’deference’ to panel proposals

The rule that details the requirements for stage 2 of meaningful use will "look a lot like" the measures that the Health IT Policy Committee recently endorsed, said Farzad Mostashari, MD, the national health...

State HIEs wrangle with thorny ’patient consent’ issue

Oregon and Illinois are two states that will launch their initial health information exchange core services in early 2012. Both states will shortly publish contractor proposals to help them develop the...

Opinion: Why Google Health really failed: It's about the money

As reported on TechCrunch, Google shut down its medical records and health data platform. Since then, there's been a lot of bits spilled offering explanations, but they all missed the most critical item...

Audioconference: Leverage the Value of your EHR

This 90-minute audio conference helps your organization leverage additional value from your EHR to not only meet your quality improvement goals but also qualify for CMS Meaningful Use...

go to complete list