Analyze Your Security Risk Analysis Methods
One of the most important considerations in using an electronic health record (EHR) is ensuring your patients’ health information is protected and secure. If your practice is participating in Stage 1 or Stage 2 of the Medicare and Medicaid EHR Incentive Programs, you must conduct security risk analyses of your practice to meet meaningful use requirements.
The Office of the National Coordinator’s (ONC) “Guide to Privacy and Security of Health Information” suggests ways your practice can comply with meaningful use security requirements, as outlined in core measure 15.
According to the ONC, a high-level security risk analysis process involves:
- Reviewing existing security of protected health information (PHI)
- Identifying threats and vulnerabilities
- Assessing risks for likelihood and impact of a security breach
- Mitigating security risks
- Monitoring results
There isn’t, however, a specific risk analysis method you must follow. To help organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI, the Office for Civil Records (OCR) developed “Guidance of Risk Analysis Requirements of the Security Rule.”
Note that even if your practice isn’t participating in an EHR incentive program, you’re not off the hook. The HIPAA Security Rule requires all covered entities to conduct risk analyses of their electronic PHI.
Test Your Knowledge
Are you confident in your understanding of meaningful use and HIPAA requirements for securing ePHI? There are many misconceptions that may put your practice at risk. Take this true or false quiz to assess your acumen.
True or False:
- Installing a certified EHR fulfills the security risk analysis meaningful use requirement. T or F
- EHR vendors are responsible for privacy and security issues. T or F
- A checklist will suffice for the risk analysis requirement. T or F
- You need only perform a risk analysis once. T or F
- A security risk analysis only needs to look at your EHR. T or F
Check Your Answers:
- False. Even with a certified EHR, you must perform a full security risk analysis.
- False. EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules.
- False. Checklists can be useful tools, but do not fulfill the requirement for a systematic security risk analysis.
- False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
- False. Review all electronic devices that store, capture, or modify e-PHI (including copiers).
How did you do? If you’re not so sure you have all the answers about how to ensure the privacy and security of your organization’s e-PHI, here are a few additional resources that will help boost your confidence: