While risk analysis is a necessary component of achieving the Meaningful Use requirements, it is also a necessary tool for reaching any substantial compliance with many other standards and implementation specifications. So, although it is a starting point, the risk assessment is really just a step toward the goal of complete compliance, which will be required and continually enforced in the near future.
The HIPAA Security Rule specifically focuses on the safeguarding of ePHI and is the most comprehensive guideline regarding protected health information. All HIPAA-covered entities, which include some federal agencies, must comply with the rule, which focuses on protecting the confidentiality, integrity, and availability of ePHI. The ePHI that a covered entity creates, uses, archives, or transmits must be protected against reasonably anticipated threats, hazards, and unauthorized disclosure. Specifically, the Security Rule applies to all covered entities, including covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors, and the HITECH Act has extended this liability to third parties that interface with the organization's ePHI.
The one measure related to security in the Meaningful Use guidelines is Core Measure 15 for Eligible Providers (EPs). The measure stipulates that healthcare providers must conduct a risk assessment, but taken as a whole, there are three basic areas that comprise the Meaningful Use security requirement under rule 164.308.
The first, conducting a security risk analysis, is already required by HIPAA. Some of the key questions to ask regarding this requirement are:
- How thorough was the initial risk analysis, if any?
- What methodology was used?
- Did it just cover your organization, or were third parties also examined?
This is important to note since the HITECH Act added rules mandating that the security rule applies not only to the covered entity but also to business associates who interact with your ePHI.
Secondly, the risk analysis should be updated annually. As the media reports almost daily, new threats are constantly emerging at ever-increasing scale and sophistication, so having a process in place to proactively monitor these threats on a regular basis is essential. Each year, the original benchmark analysis should be revisited, and a vulnerability management program should be in place to find, test, and deploy the fixes and security interventions that become necessary.
Mobile devices present a special concern, since more than 85 percent of physicians have expressed a desire to access ePHI anytime, anywhere, and on any device. And since a significant portion of these devices is not currently encrypted or tracked on most networks, it is sometimes difficult to fully gauge the level of risk without understanding the demands these disparate devices place on layered security, policies, controls, and procedures.
The third requirement is correcting security deficiencies. This is already a familiar concept in the world of healthcare since patient safety, financial risk, and occupational hazards are all tracked and measured. This same strategy needs to be applied to security risk management. And not all of these measures are necessarily technical. Process oversight, training, and account management are just as necessary to keep a streamlined risk management program in place. Overall, the 164.308 measure also encompasses 164.306, which dictates that covered entities must also apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures and implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Organizations participating in the EHR Meaningful Use plan already have a compelling incentive to "conduct or update a security risk analysis." But simply pushing the organization to meet Meaningful Use with the singular goal of collecting incentive payouts does not prepare the organization for inevitable future audits and to mitigate the additional risks posed by online data access, mobile devices, Health Information Exchanges, Accountable Care Organizations, increased abilities of hackers, and the increased demands placed on organizations from macroeconomic trends such as aging of the population.
There are fundamental components of any assessment: understanding what controls are currently in effect, determining the impact of likely events from viruses to natural disasters, and documenting exposures and vulnerabilities, not only in systems but also in processes. A healthcare organization's assessment program should consider questions regarding the controls that are implemented to safeguard the systems and information, and the physical facility and surrounding environment as well.
We have the answer and are prepared to help you. We at HCP have the tools to help you with the seemingly overwhelming task of conducting a risk analysis to satisfy HIPAA Security and Meaningful Use.