HIPAA and Stage 1 Meaningful Use
HIPAA Security Risk Analysis and Meaningful Use
One of the Stage 1 meaningful use core objectives for Eligible Professionals (EPs) and Eligible Hospitals is to protect electronic health information created or maintained by a certified EHR through the implementation of appropriate technical capabilities. There are no exclusions to this objective for either professionals or hospitals. To attest to this objective you must answer “Yes”, and by answering yes you are stating that you have conducted a security risk analysis. Specifically, the measure for the objective is to “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Note that the measure requires more than producing a document: deficiencies the analysis identifies must actually be corrected, and that remediation should be recorded so the attestation can be supported if audited.
The HIPAA Privacy Rule establishes national standards to protect people’s medical records and other individually identifiable health information. The Rule requires “appropriate safeguards” to protect the privacy of protected health information (PHI) and sets out the ways disclosures of this information can be made with and without the individual’s authorization. The HIPAA Security Rule complements the Privacy Rule: it establishes national standards to protect electronic protected health information (ePHI) that a covered entity creates, receives, uses or maintains. It requires “appropriate administrative, physical and technical safeguards” to protect the confidentiality, integrity and availability of that electronic health information. The Office for Civil Rights (OCR) has issued guidance on provisions of the HIPAA Security Rule, including guidance on the risk analysis requirement.
An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, was created by the National Institute of Standards and Technology and is in the public domain (not subject to copyright). NIST has since revised it as SP 800-30 Revision 1, Guide for Conducting Risk Assessments; either edition describes a risk analysis methodology that satisfies the intent of 45 CFR 164.308(a)(1).
Protecting Health Information
Core objective #12 requires that an EP provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication list and medication allergies) upon request. To meet this objective the EP must attest that more than 50% of all patients who request an electronic copy of their health information are provided it within 3 business days. An exclusion applies to any EP that receives no requests from patients or their agents for an electronic copy of patient health information during the EHR reporting period. Under the HIPAA Privacy Rule, patients independently have a right to view and obtain a copy of their protected health information (PHI) in your designated record set, including information stored in your EHR; the meaningful use 3-business-day window is considerably stricter than the Privacy Rule’s own response deadline for access requests, so meeting the objective also satisfies the timing requirement of the Rule, but not the other way around.