Healthcare Information Security

CMS Updates Security Risk Analysis Procedure

By Elizabeth Snell

Healthcare organizations need to remain up-to-date on the guidelines for proper security risk analysis.

Conducting a security risk analysis is one of the core objectives that healthcare organizations must meet for Stage 1 and Stage 2 Meaningful Use. A security risk analysis also helps facilities remain HIPAA compliant across the administrative, physical and technical safeguards, and it lets organizations discover areas where electronic protected health information (ePHI) could be at risk.


The Centers for Medicare and Medicaid Services (CMS) recently released new guidance on when a security risk analysis needs to be conducted or reviewed. An analysis still needs to be completed during each program year, but the steps may now be completed either inside or outside the EHR reporting period, according to CMS. They must, however, take place no earlier than the start of the reporting year and no later than the end of that year.

“For example, an EP who is reporting Meaningful Use for a 90-day EHR reporting period may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed no earlier than January 1st and no later than December 31st of the EHR reporting year,” CMS explained.

It is still important to note that a security risk analysis is required when certified EHR technology is adopted in the first reporting year. A review must then be completed in each subsequent reporting year, or whenever changes to the practice or to its electronic systems take place. Any security updates and deficiencies identified in the review should be fed into the provider’s risk management process and implemented or corrected as necessary.

Reviewing the basics

Even as CMS fine-tunes its requirements for the security risk analysis process, healthcare organizations should stay current on the main points. The basics for eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) are outlined below.

For starters, there is no single method or “best practice” that guarantees compliance. However, reviewing the existing security infrastructure, identifying potential threats and prioritizing risks are all crucial steps to take, according to CMS.

From there, organizations should create an action plan.

“Your action plan will involve a review of your electronic health information system to correct any processes that make your patients’ information vulnerable,” CMS said. “Make sure your analysis examines risks specific to your practice. For example, how do you store patient information – on an EHR system in your office, or on an Internet-based system? Each scenario carries different potential risks.”

Protecting patients’ ePHI is a top priority. Healthcare facilities must develop and implement safeguards to reduce the risks to their ePHI, and the HIPAA Security Rule requires organizations to implement “reasonable and appropriate administrative, physical and technical safeguards” to protect it.

Other security areas to consider are policies and procedures, as well as organizational requirements. For example, healthcare facilities should develop and implement written policies and procedures to assure HIPAA security compliance. It is also important to create documentation of security measures.

Organizational requirements center on business associate agreements. This involves creating a plan for identifying and managing vendors that access, create or store PHI, and it can also mean reviewing and updating the agreements between the covered entity and each of its business associates.

Overall, a security risk analysis or review needs to be conducted during each EHR reporting year for a healthcare organization to complete Stage 1 and Stage 2 Meaningful Use. This helps ensure that patients’ ePHI remains private and secure.

The Office for Civil Rights also publishes guidance for healthcare organizations on security risk analysis.
