Healthcare organizations moving toward adopting certified EHR technology that meets CMS' "meaningful use" definition and qualifies for government incentives must conduct a risk analysis.
The proposed rule for the Medicare and Medicaid EHR incentive says that in Stage 1 of meeting the criteria for certified EHR, eligible providers are to attest that a risk analysis has been conducted and reviewed.
A brief recap on the stages of meaningful use:
- Stage 1. The initial set of criteria will focus on collecting data electronically, sharing that data with other healthcare providers and patients, and reporting the measures to the government.
- Stage 2. The second set of criteria would be proposed by the end of 2011 and will focus on structured information exchange and continuous quality improvement.
- Stage 3. The last stage will focus on decision support for "national high priority conditions" and population health. Criteria will come out in 2013.
CMS stresses the need for an internal risk assessment in its meaningful use proposed rule. It refers organizations back to the HIPAA Security Rule requirement, which says a risk analysis helps "form the foundation upon which an entity's necessary security activities are built."
The security rule cites NIST SP 800-30, "Risk Management Guide for Information Technology Systems," as a guide for covered entities.
"An entity must identify the risks to and vulnerabilities of the information in its care before it can take effective steps to eliminate or minimize those risks and vulnerabilities," according to the security rule.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says covered entities may have been less than aggressive in completing the required risk analysis. Likely, a significant number of covered entities did not do so, he adds.
And the HIPAA compliance leaders many organizations had in 2003 may have since left, so the risk assessment may never have been updated.
It's a good time to check on this, and if you haven't done so, use these three tips provided by Ruelas to get your organization's risk assessment going:
- Don't overthink it. Decide whether this is something you will do in-house or externally. "Too often people get stuck deciding how they wish to proceed, including at the beginning," Ruelas says. "Sometimes doing some basic homework, such as reading through the CMS Security Series newsletters, can help people decide which route to take."
- Be realistic. If a covered entity is located in the middle of the desert, the folks doing the analysis don't need to spend much time evaluating the threat potential of floods caused by a hurricane or power disruption to the utility lines caused by heavy snowstorms. When putting together a list of risks, weed out those that have no applicability. Often, people put together their initial lists of potential threats through brainstorming sessions. "Don't delete anything from these lists until after brainstorming is completed since during brainstorming the goal is to generate as many ideas as possible," Ruelas says.
- Involve all layers of individuals that may be affected (IT administrators, techs, end users). Different people will often offer different perspectives based on their experience. The more perspectives offered, the better the chances of getting a clearer picture of how people perceive similar threats. For example, an IT infrastructure in which power failures are covered by uninterruptible power supplies may appear seamless to an end user, who may never know that power had been disrupted.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.