There are several meaningful use objectives within the CMS EHR incentive program that may not be crystal clear. One of the foggiest, from my vantage point, is what I call the Privacy and Security objective. It is the lone Stage 1 meaningful use objective classified within the Health Outcomes Policy Priority labeled “Ensuring adequate privacy and security protections for personal health information.” As a core measure, and one without exclusion criteria, this objective must be met by all successful meaningful users.
What is the measure for this meaningful use objective? Quoting from the final rule, this measure requires the physician to “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.” You’re probably thinking, What the heck is 45 CFR 164.308(a)(1)? As it turns out, this is part of the HIPAA Security Rule. Most of you know HIPAA has been around since 1996 and the Security Rule in particular dates to 2003. In my experience nephrologists and the practices they operate in every day display a wide range of understanding of the complexities of the HIPAA Privacy and Security rules. As a disclaimer, I would like to state that I am neither an attorney nor a Privacy and Security expert. Having said that, let’s take a deeper dive into this objective.
The CFR (Code of Federal Regulations) section cited within this objective is summarized below:
§ 164.308 Administrative safeguards.
(a) A covered entity must, in accordance with § 164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Remember that the meaningful use objective states the provider will conduct a security risk analysis and implement security updates and correct identified security deficiencies as part of its risk management strategy. That sounds a lot like parts (A) and (B) above.
The interesting thing about this objective is that the Office for Civil Rights (OCR)—the branch of Health and Human Services charged with enforcing the HIPAA privacy and security rules—has set the expectation that physician practices are already in compliance with this CFR today. To be considered a meaningful user of your certified EHR you will now be required to attest to the fact that you are in compliance with this component of the HIPAA Security rule.
For those of you who actually have a security risk analysis plan in place, make sure it is not simply a policy sitting on a shelf in your office collecting dust. Shake the thing off and put it to use. As much as we like to complain about HIPAA, taking the time to think about where your patients’ privacy might be exposed within your practice and contemplating a strategy to mitigate a perceived risk is truly a valuable use of your time. For those of you late to this table, spend some time with the appropriate personnel within your office and develop a plan. In my opinion this does not require hiring an expensive consultant. In fact there are several useful resources in the public domain. A couple of my favorites include this summary from the Office for Civil Rights and the Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices (PDF) from the Office of the National Coordinator.
The privacy and security of patient health information is one of the foundational pillars of health information technology. Every certified EHR provides the tools necessary to protect this information. The challenge for the practice is ensuring the tools are used properly. EHR vendors cannot prevent your staff from sharing passwords or remind your partners that laptops containing PHI at rest should be locked in the trunk of the car, not left exposed in the front seat. Although HIPAA may be the most despised acronym in all of medicine, we owe it to our patients to protect their health information.
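As an added illustration that is not part of the original post, here is one way a practice could turn part (D) above, the regular review of audit logs and access reports, into a routine check that also surfaces the shared-password problem mentioned above. The log format, field names, workstation names and thresholds are all assumptions; real EHR audit exports differ by vendor.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of EHR access-log records: time, user, workstation, action, chart.
# The format and every value here are hypothetical, not a real vendor export.
SAMPLE_LOG = """\
2011-03-02T08:05:00,jsmith,WS-FRONTDESK,chart_view,MRN1001
2011-03-02T08:07:00,jsmith,WS-EXAM2,chart_view,MRN1002
2011-03-02T09:30:00,dlee,WS-EXAM1,chart_view,MRN1003
2011-03-02T23:45:00,dlee,WS-EXAM1,chart_view,MRN1004
2011-03-02T10:00:00,mkhan,WS-BILLING,chart_view,MRN1005
"""

def parse_log(text):
    """Parse the comma-separated records into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        ts, user, ws, action, mrn = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "workstation": ws, "action": action, "mrn": mrn})
    return records

def shared_credential_findings(records, window=timedelta(minutes=10)):
    """Flag an account used on two different workstations within `window`,
    a common sign that the login is being shared between staff."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        for a, b in zip(recs, recs[1:]):
            if a["workstation"] != b["workstation"] and b["time"] - a["time"] <= window:
                findings.append((user, a["workstation"], b["workstation"]))
    return findings

def after_hours_findings(records, open_hour=7, close_hour=19):
    """Flag chart access outside the practice's (assumed) business hours."""
    return [(r["user"], r["time"].isoformat()) for r in records
            if not open_hour <= r["time"].hour < close_hour]

def review(text):
    """Run both checks over a log export and return the findings for follow-up."""
    records = parse_log(text)
    return {"shared_credential": shared_credential_findings(records),
            "after_hours": after_hours_findings(records)}
```

Each finding is a lead for the activity review, not proof of a violation; the point is that the review happens on a schedule and its results feed the risk management process in part (B).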