I need a Security Risk Analysis? What is that?
I get calls from Chiropractors or their staff with this question every week. Here is the information and links to help you better understand Core Measure 15.
But first, from: http://www.healthit.gov/providers-professionals/certification-process-ehr-technologies
“The Office of the National Coordinator for Health Information Technology (ONC) Certification Program provides a defined process to ensure that Electronic Health Record (EHR) technologies meet the adopted standards and certification criteria to help providers and hospitals achieve Meaningful Use (MU) objectives and measures established by the Centers for Medicare and Medicaid Services (CMS). Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required to use certified EHR technology.”
Translation: The certified software you purchased is required to meet certain criteria in order to be certified by the ONC. The job of the software is to help you meet all of the requirements. The certified products are all set up basically the same way and come with training requirements, video tutorials, how-to documents, and support staff available to you. It is important and necessary to use not only the software but also the training and support available to your office.
Core Measure #15, also referred to as “Protect Electronic Health Information” or “Security Risk Analysis”
This Core Measure has been wreaking havoc on Chiropractors. It isn’t a number you can read off your Dashboard. It’s a report or template that should be provided by your software company and completed in your office during the reporting period. The measure points to the HIPAA Security Management Process standard, which has four required parts: Risk Analysis, Risk Management, Sanction Policy, and Information System Activity Review. Think of it as an audit of your software and of how you and your staff are protecting the electronic protected health information (ePHI) contained therein. Two caveats: the risk analysis must cover all of the ePHI your practice creates, receives, stores, or transmits (laptops, backups, billing systems, email), not just the certified EHR itself, and it must be conducted or reviewed again for each reporting period, with any deficiencies it finds actually corrected, not just listed. It should be easy to get these 4 templates or forms, run the audit, complete the forms, and file them in a safe place. Keep the completed documentation; HIPAA requires Security Rule documentation to be retained for six years, and CMS can audit an attestation years after the fact. The problem is that most offices skip this step and attest “YES” anyway. Later, when asked by CMS to produce their Risk Analysis, they cannot, and they have to pay their incentive back.
The Measure states: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
Going further, below you will find a better description of the 4 things you need:
(From: http://www.gpo.gov/fdsys/pkg/CFR-2003-title45-vol1/pdf/CFR-2003-title45-vol1-sec164-308.pdf)
164.308(a)(1)(i) Standard: Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). (Link found here: http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-306.pdf)
(C) Sanction policy (Required) - Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required) - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
*****
More links regarding Core Measure #15. Some are full of long explanations, but still full of information.
http://www.hitechanswers.net/meaningful-use-measure-and-hipaa/
http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
http://www.youtube.com/watch?v=ml4okcBxN6c
http://www.youtube.com/watch?v=1fDvzznChhg