
Meaningful Use 2015: When does the Security Risk Analysis Need to be Done?

[Image: MU reporting screen, 2012. Image courtesy of HHS]

Quick History

Meaningful Use (MU) is an incentive program introduced and managed by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), to help cover the expense of migrating from paper charts to electronic health records. It is part of a larger incentive program created by the 2009 American Recovery and Reinvestment Act (ARRA), which was enacted to help stave off a financial system collapse and stimulate the economy following the mortgage-backed securities crisis.

Most clinics and hospitals have become very familiar with the term "Meaningful Use." Essentially, it means using Certified Electronic Health Record Technology (CEHRT) in a meaningful way.

Specifically, the Stage 1 Meaningful Use incentive program started in 2011, Stage 2 has been live for two years now, and Stage 3 is being released. All Stages require Core, Menu and Optional Menu Set measures. These boil down to specific pieces of information that must be maintained for each patient, and how computerized order entry is used and processed for a required percentage of patients.

The reporting period is the window during which the measures are taken. In the first year of attestation it is any 90-day period in the fiscal year; subsequent years are based on 365 days of reporting. Recently proposed CMS changes reduce the reporting period back to the original 90-day measurement period.

When do we have to get our HIPAA Security Risk Analysis (SRA) and updates done?

To help accelerate adoption, Stage 1 stated that an SRA can be completed prior to reporting. But it does not explicitly state the earliest point at which it can be done (i.e. within one calendar or fiscal year). Per the CMS Stage 1 MU guidance for hospitals, "Eligible Hospitals (EH) and CAHs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the EHR reporting period."

HIPAA One® take:

The initial risk analysis for the first year of Stage 1 MU can be done within one fiscal year of the end of the reporting period.

"Security updates" do not mean updates to the remediation plan (i.e. the risks identified in the risk analysis). Security updates are defined in the HHS Privacy and Security Guide, Chapter 2, under Myths and Facts:

HHS Privacy and Security Guide, page 6

Myth:  Each year, I’ll have to completely redo my security risk analysis.
Fact:  False.

Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For Eligible Physicians (EPs), the EHR reporting period will be 90 days or a full calendar year, depending on the EP's year of commencing participation in the program.

HIPAA One® take:

A full HIPAA Security Risk Analysis covers all 78 HIPAA Safeguards. Subsequent "updates" translate directly to re-running the SRA on every item that has changed since the last analysis. Our software can populate this year's SRA with last year's materials (TurboTax®-like), so that users can review and update what has changed from last year and recompute the risk to the organization with minimal effort.

Stage 2 and subsequent years require the SRA update to be done within the reporting period. Per the CMS Stage 2 MU guidance for Core Measure 9 for Eligible Professionals, "EPs must conduct or review a security risk analysis of CEHRT including addressing encryption/security of data, and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period."

HIPAA One® take:

HIPAA One® is the solution for simplifying complex compliance requirements. It gives both seasoned security experts and those without any security experience the ability to conduct a full HIPAA Security Gap Assessment and Risk Analysis, and to deliver updates rapidly in subsequent years. We recommend that a full SRA be conducted at least every three years, with updates in each of the years in between. This is the only way to gauge compliance and the effectiveness of ongoing risk management for the organization. For Meaningful Use, the first year of incentive payments allows the use of a HIPAA SRA completed within one year of attestation, with subsequent updates completed within each subsequent reporting period.
