November 23, 2016

Meaningful Use, Security Risk Assessments, and HIPAA: How Do They Interact?

Kira Caban

Meaningful use of electronic health records (EHRs) has been an important topic in the healthcare world since the federal government introduced the Meaningful Use (MU) Program to encourage healthcare organizations to adopt EHRs. Organizations have had to ensure that they are using certified EHR technology and that they are meeting all the security requirements outlined by the MU guidelines. Let us take a look at the top 5 things you should know about security, privacy, and the MU Program.

The Patient Privacy Primer helps organizations learn where they are on the spectrum of privacy programs, from basic to full throttle. Learn where your organization stands so you best protect your EHR system from threats to patient data.

1. What is the Meaningful Use Program?

The Medicare and Medicaid EHR Incentive Program, or Meaningful Use Program, is a program designed to encourage all eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) to switch from paper records to certified EHRs. The objective of the program is for healthcare organizations to do more than simply adopt electronic records, however; it is designed to encourage organizations to adopt, implement, upgrade (AIU), and demonstrate meaningful use of certified EHR technology. In order to accomplish this, the federal government is providing incentives for organizations to join the program and penalties for those that do not. It is possible for a healthcare organization to receive as much as $44,000 through Medicare and $63,750 through Medicaid in incentives. Furthermore, beginning in 2015, organizations that have not demonstrated meaningful use of EHRs are penalized for not participating in the program.

2. Required Security Risk Assessments

In order to receive the benefits of the MU Program, a healthcare organization must perform a security risk assessment. A security risk assessment (SRA) is a detailed examination and analysis of what protected health information (PHI) is vulnerable, what the most likely threats to that information are, and what the potential impact of those threats would be. At a high level, these assessments are intended to protect patient privacy and prevent inappropriate access to the EHR. It’s important to note that while an SRA for the purpose of HIPAA compliance will fulfill MU requirements, an SRA per the MU requirements will not necessarily fulfill the need for one under HIPAA. The Office of Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) created a SRA tool to help small and medium organizations perform a security risk assessment. The OCR deliberately left the exact details of how an organization would conduct a risk assessment to the individual organizations so that they can customize it for their specific needs, but all SRAs must include the basic elements of a risk assessment below:

  • Identifying where electronic PHI is stored, received, maintained, and transmitted
  • Identifying potential threats and vulnerabilities
  • Assessing current security measures, the probability of a threat occurring, and the potential damage of a threat
  • Determining the level of risk of any identified threats
  • Documenting the entire process

3. Addressing a Completed SRA

Once a healthcare organization has conducted a security risk assessment, it must create an action plan to implement reasonable and appropriate administrative, physical, and technical safeguards to address the vulnerabilities identified by the SRA. HHS has created guidelines to help an organization meet the requirements of both the HIPAA Security Rule and the MU Program that can be found here. A boiled down explanation of the HIPAA Security Rule is available in and earlier Protenus blog post. There are some examples of safeguards that an organization can implement to address its SRA:

Physical – How is the facility secured?

  • Are there alarm systems?
  • Are offices locked when not in use?

Administrative – How is the workforce organized?

  • Is there a designated security officer?
  • Are employees properly trained on privacy policies?
  • Are those privacy policies being enforced?

Technical – How are EHRs accessed?

  • Is data encrypted and are passwords secure?
  • Are scans being performed to detect malware?
  • Are users who access EHRs being monitored?

These are but a few examples of things a healthcare organization can do to address the vulnerabilities identified by a SRA and are among some of the best ways to protect hospital medical records.

4. Certified EHR Technology is Not Enough

One common myth regarding the MU guidelines is that installing certified EHR technology is all a healthcare organization needs to do in order to meet the requirement of conducting a security risk assessment. However, as the examples above illustrate, a SRA is an examination of more than simply EHRs themselves; it also looks at how an organization is structured, how EHRs are secured, and how they are accessed. Thus, simply installing certified EHRs would not fulfill the SRA requirement.

Another common myth is that an EHR vendor has already taken care of all aspects of EHR privacy and security. These vendors are not responsible for ensuring that their products meet the requirements of the HIPAA Security Rule or the MU guidelines. It is up to the healthcare organization to be proactive in making sure that their EHR systems are HIPAA and MU compliant.

5. SRAs Are an Ongoing Process, Not an Annual Checklist

Finally, security risk assessments cannot be something that an organization does once after it initially adopts EHRs and then never worries about them again. Even an annual security risk assessment is insufficient to meet the MU requirements because these guidelines specify that an organization must implement security updates as necessary and correct identified security deficiencies as part of the risk management process.  As new technologies and processes are added to your health system, and as the threat landscape changes, so must your organization change.

EHR security must be a continuous process, one that is relentlessly identifying new threats and addressing new vulnerabilities. Only by doing so can a healthcare organization demonstrate that it is serious about patient privacy. And to ignore these requirements – by, for example, only conducting a SRA annually – is to gamble with the personal and sensitive information of thousands or even millions of patients, individuals who will be forced to invest a large amount of time and money simply putting their lives back together in the event of a health data breach.

Learn where your organization is on the spectrum of patient privacy programs to help better equip your organization to withstand common threats to the EHR.

Download Privacy Primer