CMS is proposing that the Protect Patient Health Information objective and its associated measure, security risk analysis, would no longer be scored as a measure but would act as a prerequisite for a participating clinician to earn any score in the Promoting Interoperability performance category.
The proposed rule, published July 27 in the Federal Register, sets forth changes to the Medicare physician fee schedule and other Medicare Part B payment policies to ensure that the CMS payment systems are updated to reflect changes in medical practice and the relative value of services, as well as changes in the law.
“To earn any score in the Promoting Interoperability performance category, we are proposing a MIPS eligible clinician would have to report that they completed the actions included in the Security Risk Analysis measure at some point during the calendar year in which the performance period occurs,” CMS explained.
CMS stressed that the security risk analysis measure includes “critical” security tasks and noted that the HIPAA Security Rule requires covered entities to conduct a risk analysis of their organization.
The HIPAA Security Rule risk analysis helps MIPS eligible clinicians comply with HIPAA’s administrative, physical, and technical safeguards.
“We still believe this objective and its associated measure are imperative in ensuring the safe delivery of patient health data. As a result, we would maintain the Security Risk Analysis measure as part of the Promoting Interoperability performance category, but we would not score the measure,” CMS said.
The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [ePHI] held by the covered entity or business associate.”
However, there has been some confusion about what OCR requires healthcare organizations to do to comply with the risk analysis mandate.
Legal experts David Gacioch and Edward Zacharias of McDermott Will & Emery said that failure to conduct an adequate risk analysis is one of the most commonly alleged HIPAA violations, appearing in half of the settlements OCR has announced in the last year and in nearly all of the settlements of $1 million or more.
“I don’t think there has been enough education around what constitutes a compliant risk analysis from the government’s perspective. Some of the guidance has been confusing,” Zacharias told HealthITSecurity.com.
Gacioch noted that cost could also be a factor in the failure of healthcare organizations to meet the HIPAA risk analysis requirements.
“Doing what OCR deems to be a compliant risk analysis can be a pretty expensive undertaking,” he told HealthITSecurity.com. OCR’s formal estimate of the time it should take to complete a HIPAA risk analysis is “not realistic” to meet the office’s real standard for compliant risk analysis, he said.
A risk analysis is not to be confused with a gap analysis, noted Gacioch. He observed that “risk analysis is focused on how your IT infrastructure works and how it protects the ePHI that is created, transmitted, and received in it,” whereas “gap analysis is focused on how you comply with HIPAA or some other standard of conduct.”
In its April Cyber Security Newsletter, OCR explained that a gap analysis can be employed to discover where problems exist in securing ePHI but stressed that it is not a substitute for a comprehensive risk analysis required by the HIPAA Security Rule.
The risk analysis is used to make modifications to the ePHI system to reduce risks and ensure confidentiality, integrity, and availability of ePHI, OCR noted.
“A gap analysis is typically a narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis,” according to OCR.
Resources for conducting a risk analysis are available on OCR’s website. In addition, the office’s HIPAA audit protocol is available on its website to provide guidance for covered entities and business associates.