Meaningful Use Calls for Meaningful Risk Analysis
Healthcare organizations moving toward adapting certified EHR technology that meets CMS' "meaningful use" definition and qualifies for government incentives must conduct a risk analysis.
The proposed rule for the Medicare and Medicaid EHR incentive says that in Stage 1 of meeting the criteria for certified EHR, eligible providers are to attest that a risk analysis has been conducted and reviewed.
A brief recap on the stages of meaningful use:
- Stage 1. The initial set of criteria will focus on collecting data electronically, sharing this data with other healthcare providers and patients, and finally reporting the measures to the government.
- Stage 2. The second state of criteria would be proposed by the end of 2011 and will focus on structured information exchange and continuous quality improvement.
- Stage 3. The last stage will focus on decision support for "national high priority conditions" and population health. Criteria will come out in 2013.
CMS stresses the need for an internal risk assessment in its meaningful use proposed rule. It refers organizations back to the HIPAA Security Rule requirement, which says a risk analysis helps "form the foundation upon which an entity's necessary security activities are built."
The security rule cites the NIST SP 800–30, "Risk Management Guide for Information Technology Systems," as a guide for covered entities.
"An entity must identify the risks to and vulnerabilities of the information in its care before it can take effective steps to eliminate or minimize those risks and vulnerabilities," according to the security rule.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says in conducting the required risk analysis, covered entities may have been less than aggressive in completing these. Likely, a significant number of covered entities did not do so, he adds.
And many organizations' HIPAA compliance leaders in 2003 may have left, so the risk assessment may have never been updated.
- CMS Sets 2014 Pay Rates for Hospital Outpatient and Physician Services
- FDA hopes hospitals will switch to newly regulated pharmacies
- Not-for-Profit Hospitals Find Opportunity Amid Uncertainty
- The 5 Biggest Healthcare Finance Trouble Spots
- The Most Polarizing Topics in Healthcare IT
- New G-Code to Pay Doctors for Broad Array of Non-Face-to-Face Care
- Why You Should Involve Patients in Nursing Handoffs
- How CPOE Will Make Healthcare Smarter
- States Rejecting Medicaid Expansion Forgo Billions in Federal Funds
- Safety Net Executives Renew Call to Preserve DSH Payments