Meaningful Use Attestation for Security Risk Analysis
One of the meaningful use core objectives for Eligible Professionals and Eligible Hospitals is to protect electronic health information created or maintained by a certified EHR through the implementation of appropriate technical capabilities. There are no exclusions to this objective for either professionals or hospitals. To attest to this objective you must answer “Yes”. When you answer yes, you are saying you have conducted a Security Risk Analysis. Specifically, the measure for the objective is to “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
The HIPAA Privacy Rule establishes national standards to protect people’s medical records and personal health information. The Rule requires “appropriate safeguards” to protect the privacy of personal health information (PHI) and sets out the ways disclosures of this information can be made with and without the individual’s authorization. Within the Privacy Rule is the HIPAA Security Rule. This establishes national standards to protect people’s electronic personal health information when it is obtained or maintained by a covered entity. It requires “appropriate administrative, physical and technical safeguards” to protect the integrity and security of electronic health information. The Office for Civil Rights (OCR) has issued guidance on provisions of the HIPAA Security Rule, and one of these covers the requirements for the risk analysis.
To successfully attest to meaningful use you must conduct or review a security risk analysis of your certified EHR and implement updates as necessary at least once before the end of the reporting period being attested. A review must then take place before each reporting period that follows. Security updates are required when any security deficiencies or breaches are identified during a risk analysis.
CMS has also defined “Appropriate Technical Capabilities” for consideration when completing the objective requirement and attesting to meaningful use. The definition reads: “a technical capability would be appropriate if it protected the electronic health information created or maintained by the certified EHR technology. All of these capabilities could be part of the certified EHR technology or outside systems and programs that support the privacy and security of certified EHR technology”.
If you are looking for a meaningful use resource for medical offices that addresses all meaningful use requirements including core measure 15 for Security Risk Analysis, The Incentive Roadmap® is acknowledged as one of the most comprehensive guides available. New version 4.0 is on sale now in our.