Meaningful Use Calls for Meaningful Risk Analysis
Healthcare organizations moving toward adapting certified EHR technology that meets CMS' "meaningful use" definition and qualifies for government incentives must conduct a risk analysis.
The proposed rule for the Medicare and Medicaid EHR incentive says that in Stage 1 of meeting the criteria for certified EHR, eligible providers are to attest that a risk analysis has been conducted and reviewed.
A brief recap on the stages of meaningful use:
- Stage 1. The initial set of criteria will focus on collecting data electronically, sharing this data with other healthcare providers and patients, and finally reporting the measures to the government.
- Stage 2. The second state of criteria would be proposed by the end of 2011 and will focus on structured information exchange and continuous quality improvement.
- Stage 3. The last stage will focus on decision support for "national high priority conditions" and population health. Criteria will come out in 2013.
CMS stresses the need for an internal risk assessment in its meaningful use proposed rule. It refers organizations back to the HIPAA Security Rule requirement, which says a risk analysis helps "form the foundation upon which an entity's necessary security activities are built."
The security rule cites the NIST SP 800–30, "Risk Management Guide for Information Technology Systems," as a guide for covered entities.
"An entity must identify the risks to and vulnerabilities of the information in its care before it can take effective steps to eliminate or minimize those risks and vulnerabilities," according to the security rule.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says in conducting the required risk analysis, covered entities may have been less than aggressive in completing these. Likely, a significant number of covered entities did not do so, he adds.
And many organizations' HIPAA compliance leaders in 2003 may have left, so the risk assessment may have never been updated.