HIPAA Compliance

ONC Touts its 10 Step Plan for Meeting Meaningful Use Privacy and Security Attestation Requirements

December 4, 2012 American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Meaningful Use, Privacy, Security

In a recent Tweet, the Office of the National Coordinator for Health Information Technology (ONC) stated:  “Move into the 21st Century and check out the Privacy & Security 10-Step Plan before you implement an Electronic Health Record.”  ONC makes the following recommendation to an Eligible Professional (EP) covered entity participating in the Medicare and Medicaid Financial Incentive Program for Adoption and Meaningful Use of Certified Electronic Health Record (EHR) Technology:  “An EP must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS [the Centers for Medicare & Medicaid Services] that he or she has met meaningful use for that period.  Start your 10-step process at least 90 days before you begin the EHR reporting period.”

The outline of the 10 steps for Meaningful Use is:

1.   Confirm that you are a covered entity.

2.   Provide leadership [Most importantly, appoint a Privacy Official and a Security Official, which may be the same person, depending upon the scale of your practice].

3.   Document your process, findings, and actions [Most importantly, you must document in writing (which may be electronic) your privacy and security policies and procedures].

4.   Conduct a security risk analysis.

5.   Develop an action plan [to mitigate identified threats and vulnerabilities to your electronic systems and electronic protected health information].

6.   Manage and mitigate risks [by implementing your action plan].

7.   Prevent breaches with education and training of your workforce.

8.   Communicate with patients about the confidentiality and security of their protected health information.

9.   Update business associate agreements [to include HITECH Act Breach Notification requirements].

10. Attest for the Security Risk Analysis Meaningful Use Objective.

The Stage 1 Meaningful Use Core Objective and Measure 15 are:

Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  [The Stage 1 technical capabilities relate to: access control, emergency access, automatic log-off, audit log, integrity, authentication, general encryption, encryption when exchanging electronic health information, accounting of disclosures (optional)].

Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) [HIPAA Administrative Safeguard Standard:  Security Management Process] and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Attestation, Core Measure 15 (Yes or No Response): Have you conducted or reviewed a security risk analysis per 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies as part of your risk management process?

“Providers … can only attest after they have met the meaningful use requirements for an EHR reporting period.  Only attest for an EHR incentive program after you have fulfilled the security risk analysis requirements and have documented your efforts. …”  “When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited.”  CMS attestation audits began in Summer 2012.

Chapter 3 of ONC’s Guide to Privacy and Security of Health Information: 10 Step Plan for Meeting Privacy and Security Portions of Meaningful Use concludes (p.26):  “If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim.  From this perspective, consider implementing multiple security measures as feasible, prior to attesting.  The priority would be mitigating high-impact and high-likelihood risks.”

In addition to the Meaningful Use Audit program as it pertains to the Stage 1 Core Objectives, including security, under the auspices of CMS, also be aware of the HIPAA Privacy & Security Audit Program conducted under the auspices of the Office for Civil Rights (OCR) of the Department of Health and Human Services, which HIPAA.com has discussed in earlier postings. HIPAA.com noted at the beginning that ONC recommends giving yourself at least 90 days to conduct security compliance activities as they pertain to attestation, and even longer to meet HIPAA privacy, security, and breach notification implementation specifications as well.  Take this new climate of privacy and security enforcement and the increased probability of an audit of your risk analysis, policies and procedures, and workforce training seriously.  [20121204]
