What the ONC Didn’t Discuss: Meaningful Use and HIPAA Security Requirements

The announcement of Meaningful Use Stage 2 came and went. Journalists were all over it, scrambling for interviews and asking what some of the rules might mean for physicians and hospitals.

One of the questions many of us have been asking is whether Meaningful Use will add to HIPAA requirements, many of which are already strenuous enough to comply with.

This is the second installment of PYP’s What the ONC Didn’t Discuss series. Hope you enjoy it.

It’s a Security Thing
The Meaningful Use measure #15 reads: “Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”

The main question here is the following: is there a difference between the HIPAA and Meaningful Use security risk analyses?

Not much. Thinking of them as separate processes is actually a pretty common misconception, which is surprising given that they share the same name.

However, since Meaningful Use is associated with a barrage of new rules and requirements, it’s likely the idea was perpetuated by exaggerated fears and by critics of Stage 1 and 2.

Why enforce a security risk analysis requirement in the first place? Rob Anthony of CMS’s Office of E-Health Standards and Services told Search Health IT that both the ONC and CMS “wanted to see [security risk analyses] happen more frequently” to ensure EHR transitions and workflow implementations are moving smoothly.

This leads to frequency, the key difference between the Meaningful Use and HIPAA security requirements. The security analysis requirement under the EHR incentive program means yearly assessments, as opposed to biannual assessments for HIPAA.

This is largely owed to the switch to EHRs: it’s important to ensure providers keep the privacy and security of patient information in mind.

In other words, the Meaningful Use security requirement should be seen as a way to spot threats to the protection of electronic health information, meaning it will likely bring value to your practice.

Quick tip: ask your EHR vendor if they have a template available with checklists, sample questions, and guidance for security risk analyses. Yes, your practice will have to perform the analysis on its own – as well as any corrective actions, as deemed needed – but it can be a simple and inexpensive process if you’re prepared.

What other questions do you have regarding security risk analyses?

Interested in learning about more things the ONC kind of/sort of left out? Check out Part 1 of our series here!
