(Editor’s Note: The scope of the Security Risk Analysis for Meaningful Use Stages 2 and 3 has changed. As a companion to this post, readers seeking guidance regarding Stage 2 or Stage 3 should also consult Meaningful Use and the Evolution of the Privacy and Security Objective.)
Meaningful Use season is in full swing and hospitals and physician practices are applying for the HITECH Act-authorized Medicare EHR incentive payments. The measure for the Privacy and Security objective, for both hospitals and physicians, states “conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” But what does this mean? What must a hospital or medical practice do before attesting to compliance with this objective? Will your understanding be the same as the expectation of the OIG inspector during an audit of your meaningful use payment? Will you be audited?
The attached graphic, “The Stage 1 Meaningful Use Requirement for Privacy and Security References HIPAA Security“, is the starting point to understand this 27 word objective. This graphic includes the exact language of the meaningful use objective with cross-references to the HIPAA Security rule language.
First, a security risk analysis must be performed. In the event that the hospital or practice has conducted a risk assessment in the last year or so, it may simply “review” the risk analysis to confirm that issues raised have been addressed. Otherwise, the risk analysis must be performed:
- There are multiple methodologies for performing a security risk analysis. These include NIST 800-30, the Carnegie Mellon OCTAVE Method, the Jack Jones FAIR Method and others. The regulation does not require a specific methodology. However, guidance published by HHS indicates that NIST 800-30 is an acceptable method.
- Even an experienced computer person without an information security background will be overwhelmed by any of these methodologies which in general are geared for large organizations. The analysis must be “accurate and thorough”. Unfortunately, there is no readily available statistical data, so the quantification of risk is subjective. These subjective estimates improve when the analysis is performed by an individual with real-world knowledge of the extent of security breaches, current knowledge of outsider threats, an understanding of actors in cybercrime, and awareness of their attack methods and common vulnerabilities. Understanding of other threats, including insiders, Acts of God, and hardware failure are also essential. Contracting with an appropriately qualified computer security professional will provide the best results.
The results should be documented.
- In general, for compliance with HIPAA regulations any assessment or report should be documented in writing (see 164.316 for the documentation requirements).
- Therefore, the hospital or practice should receive a written copy of its risk assessment. In general, HIPAA documentation should be retained for 6 years.
- While hospitals are likely to have a 6 year history of compliance with HIPAA Security, many or most medical practices have never seriously attempted to implement the HIPAA security regulations. So, when a “thorough and accurate” risk analysis is performed for a typical medical practice, it will often identify that many of the 42 security controls specified by the regulation are missing, and that no written policies and procedures are in place. A legitimate risk analysis will identify this compliance shortfall and include prioritized recommendations that these controls be implemented.
The hospital or practice must evaluate and act on the results. In order to “implement security updates as necessary” and to “correct identified security deficiencies” the requirements for hospitals and physician practices will vary:
- Policies and Procedures. The vast majority of hospitals have the required HIPAA Security policies and procedures. For many physician practices, and some small hospitals, one of the first security deficiencies to correct is the absence of written HIPAA Security Policies and procedures. Numerous resources, including complete sets of boilerplate policies and procedures, are available from many sources, including this author. Any boilerplate policies will require customization.
- Addressable Items. For practices new to HIPAA Security, a written document identifying any “addressable” items that are not applicable must be prepared and retained.
- Remediation Plan. A typical remediation plan will include a dozen or more activities which should be sequenced in priority order. A strict and literal reading of the Stage 1 Meaningful Use Measure might conclude that this implementation plan must be complete prior to signing the attestation. This author judges that a well-intentioned practice or hospital could make the attestation upon completion of the policies and procedures above, and preparation of this remediation plan.
- Active Security Management Process. The HIPAA Security Regulations require a never-ending “security management process” which consists of ongoing risk management activities and other steps. The risk analysis has produced a prioritized risk management plan, or “remediation plan” – and the hospital or practice is expected to implement this Remediation plan. This author judges that in most cases it will often be defensible to spread these activities over a 12 month period or so.
- Audit Defense. The HHS Office of the Inspector General (OIG) has announced in their 2011 Work Plan that they “will review Medicare incentive payment data from 2011 to identify payments to providers that should not have received incentive payments (e.g., those not meeting meaningful use criteria).” In the event that the hospital or practice is audited by the OIG, a complete compliance file including the written risk assessment, any list of addressable items, the organization’s written policies and procedures, the remediation plan, and documentation of work on the remediation plan should provide solid evidence of compliance. (Editor’s Note 11/4/2015: The OIG is again looking at Meaningful Use. See 2016 OIG Work Plan includes HIPAA and Meaningful Use Items)