In a recent Tweet, the Office of the National Coordinator for Health Information Technology (ONC) stated: “Move into the 21st Century and check out the Privacy & Security 10-Step Plan before you implement an Electronic Health Record.” ONC makes the following recommendation to an Eligible Professional (EP) covered entity participating in the Medicare and Medicaid Financial Incentive Program for Adoption and Meaningful Use of Certified Electronic Health Record (EHR) Technology: “An EP must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS [the Centers for Medicare & Medicaid Services] that he or she has met meaningful use for that period. Start your 10-step process at least 90 days before you begin the EHR reporting period.”
The outline of the 10 steps for Meaningful Use is:
1. Confirm that you are a covered entity.
2. Provide leadership [Most importantly, appoint a Privacy Official and a Security Official, which may be the same person, depending upon the scale of your practice].
3. Document your process, findings, and actions [Most importantly, you must document in writing (which may be electronic) your privacy and security policies and procedures].
4. Conduct a security risk analysis.
5. Develop an action plan [to mitigate identified threats and vulnerabilities to your electronic systems and electronic protected health information].
6. Manage and mitigate risks [by implementing your action plan].
7. Prevent breaches with education and training of your workforce.
8. Communicate with patients about the confidentiality and security of their protected health information.
9. Update business associate agreements [to include HITECH Act Breach Notification requirements].
10. Attest for the Security Risk Analysis Meaningful Use Objective.
The Stage 1 Meaningful Use Core Objective and Measure 15 are:
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. [The Stage 1 technical capabilities relate to: access control, emergency access, automatic log-off, audit log, integrity, authentication, general encryption, encryption when exchanging electronic health information, and accounting of disclosures (optional).]
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 160.308(a)(1) [HIPAA Administrative Safeguard Standard: Security Management Process] and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Attestation, Core Measure 15 (Yes or No Response): Have you conducted or reviewed a security risk analysis per 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies as part of your risk management process?
“Providers … can only attest after they have met the meaningful use requirements for an EHR reporting period. Only attest for an EHR incentive program after you have fulfilled the security risk analysis requirements and have documented your efforts.” … “When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited.” CMS attestation audits began in Summer 2012.
Chapter 3 of ONC’s Guide to Privacy and Security of Health Information: 10 Step Plan for Meeting Privacy and Security Portions of Meaningful Use concludes (p. 26): “If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high-likelihood risks.”
In addition to the Meaningful Use Audit program for the Stage 1 Core Objectives, including security, conducted under the auspices of CMS, also be aware of the HIPAA Privacy & Security Audit Program conducted under the auspices of the Office for Civil Rights (OCR) of the Department of Health and Human Services, which HIPAA.com has discussed in earlier postings. As HIPAA.com noted at the beginning, ONC recommends giving yourself at least 90 days to conduct the security compliance activities that pertain to attestation, and even longer to meet the HIPAA privacy, security, and breach notification implementation specifications. Take this new climate of privacy and security enforcement, and the increased probability of an audit of your risk analysis, policies and procedures, and workforce training, seriously.