Risk Analysis Requirements
The Security Management Process standard in the Security Rule requires organizations to “[I]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by your practice.
Tier3MD will have a HIPAA consultant assess your practice, covering the following standards.
Have you attested to meeting the requirements for Stage 1 meaningful use? If so, have you had a security risk assessment completed? If not, you have not met the requirements for meaningful use Stage 1. The rule clearly states:
“Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.”
The EHR Incentive Program and the HIPAA Security Rule do not mandate how the risk analysis and updates should be done. Instead, this is left up to the provider or organization. There are numerous methods for performing risk analysis and risk management. Below are commonly recommended steps for performing these tasks:
- Identify the scope of the analysis
- Gather data
- Identify and document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Determine the level of risk
- Identify security measures and finalize documentation
- Develop and implement a risk management plan
- Implement security measures
- Evaluate and maintain security measures
The meaningful use risk assessment process must be conducted at least once prior to the beginning of the EHR reporting period. You will need to attest to CMS or your State that you have conducted this analysis and have taken any corrective action needed to eliminate the security deficiency or deficiencies identified in the risk analysis. Your local REC (Regional Extension Center) can also be a resource for identifying tools and performing the required risk analysis and mitigation.
If you have not completed your meaningful use risk assessment, call Tier3MD today to schedule your security risk assessment.