(Editor’s Note: For the Stage 2 Rules effective 10/16/2015, the Privacy and Security Objective is now Objective #1)
Eagle Consulting Partners is working with three clients, participants in the Medicare Meaningful Use program, to assist them with responses to meaningful use audits. All of these audits began during the last 30 days. These audits were conducted by CMS contractor Figliozzi & Company, an audit and accounting firm located in New York City. Please note that these audits continue to evolve as CMS and Figliozzi learn about compliance and non-compliance. Also, note that not all audits are identical.
All of these audits included the following request regarding the Privacy and Security Objective, word for word:
Core Measure #14 – Protect Electronic Health Information: Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.
It may also be useful to review the Meaningful Use Objective itself:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
An appropriate response will include:
- The most recent risk analysis. Many participants in this program are still not aware that the Meaningful Use program (both Stage 1 and Stage 2) requires that a risk analysis be created, or updated, during each year of program participation. Our interpretation is that the program requires that the risk analysis be dated within the 12 months prior to the end of the reporting period. The report needs to include a description of the methodology used. Note that the HIPAA regulations do not mandate a specific methodology. The methodology chosen, in our opinion, must fully address the objectives of the HIPAA Security Rule; that is, protecting the Confidentiality, Integrity and Availability of the protected health information. Eagle Consulting uses the NIST SP 800-30 methodology, which is specified in the preamble of the original HIPAA Security Rule as an acceptable methodology. The report must include the results. The HIPAA Security Rule specifies that the risk analysis must be “thorough and accurate”, so this will be a multi-page document. How many pages? There is no right answer, but consider that the recent Security Risk Analysis Tool provided by the federal government to help covered entities understand the risk analysis process included 156 questions, so if the process included all of these results, say for a hospital, the report could be 50 to 100 pages or more. A small physician practice report could use a simplified methodology and might be 10 to 30 pages. These results should include prioritized corrective action recommendations, which would serve as the basis for a remediation or “implementation plan”.
- “Implementation Plan” showing completion dates. Figliozzi uses the term “implementation plan”, while practitioners might call this a “remediation plan” or “corrective action plan”. Whatever the name or title of the report, the auditors are looking for documentation that the recommendations supplied in the risk analysis report were acted upon. This documentation (which could be a tabular status report) would include the recommendations, comments on any action taken, and the status (e.g. complete, in-process, rejected). It is important to note that in real life a covered entity will not implement 100% of the recommendations provided in a risk analysis. In fact, the purpose of a good risk analysis is to prioritize corrective actions so that, given the reality of limited budgets, the most important and cost-effective actions can be implemented first. Eagle recommends that this report be concise.
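The two artifacts above (a prioritized risk analysis and a status-tracked implementation plan) can be kept in one small register. The script below is an added illustration, not Eagle Consulting's tooling or anything CMS or Figliozzi prescribe: it scores findings with the NIST SP 800-30 likelihood-times-impact pattern (the numeric scales are assumed values), checks the article's interpretation that the analysis must be dated within the 12 months before the end of the reporting period, and flags plan entries an auditor would question (open or in-process items with no completion date, rejected items with no rationale). The findings are constructed sample data.

```python
"""Risk register and implementation-plan tracker (illustrative example).
Scoring follows the NIST SP 800-30 likelihood x impact pattern; the
12-month window is the article's interpretation of the Meaningful Use
requirement. All findings below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Qualitative-to-numeric scales: assumed values, not prescribed by NIST or HIPAA.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
VALID_STATUS = {"open", "in-process", "complete", "rejected"}


@dataclass
class Finding:
    id: str
    description: str
    likelihood: str            # low | medium | high
    impact: str                # low | medium | high
    recommendation: str
    status: str = "open"       # open | in-process | complete | rejected
    completion_date: Optional[date] = None   # actual or planned completion
    note: str = ""             # action taken, or rationale for rejection

    @property
    def risk_score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first: the order corrective actions should be budgeted."""
    return sorted(findings, key=lambda f: f.risk_score, reverse=True)


def analysis_within_window(analysis_date: date, period_end: date) -> bool:
    """True if the risk analysis is dated within the 12 months ending at
    period_end (the article's reading of the annual requirement)."""
    try:
        window_start = period_end.replace(year=period_end.year - 1)
    except ValueError:                       # period_end is 29 Feb
        window_start = period_end.replace(year=period_end.year - 1, day=28)
    return window_start <= analysis_date <= period_end


def implementation_plan_gaps(findings: List[Finding]) -> List[str]:
    """IDs of plan entries an auditor would likely flag."""
    gaps = []
    for f in findings:
        if f.status not in VALID_STATUS:
            gaps.append(f.id)
        elif f.status in ("open", "in-process") and f.completion_date is None:
            gaps.append(f.id)                # no completion date
        elif f.status == "rejected" and not f.note.strip():
            gaps.append(f.id)                # rejection without rationale
    return gaps


def render_plan(findings: List[Finding]) -> str:
    """Concise tabular status report, highest-priority items first."""
    rows = ["ID  Score  Status      Target      Recommendation / note"]
    for f in prioritize(findings):
        target = f.completion_date.isoformat() if f.completion_date else "-"
        rows.append(f"{f.id:<3} {f.risk_score:>5.1f}  {f.status:<11} {target:<11} "
                    f"{f.recommendation}" + (f" ({f.note})" if f.note else ""))
    return "\n".join(rows)


# Constructed sample register for a small practice (not real audit data).
SAMPLE = [
    Finding("F1", "Laptops holding ePHI are not encrypted", "high", "high",
            "Deploy full-disk encryption", "complete", date(2015, 6, 1),
            "All 12 laptops encrypted; verified by inventory"),
    Finding("F2", "Front-desk staff share one workstation login", "medium", "medium",
            "Issue unique user IDs", "in-process", date(2015, 11, 30)),
    Finding("F3", "Backup restores have never been tested", "low", "high",
            "Test a full restore each quarter", "open"),
    Finding("F4", "Legacy fax server on the clinical network", "low", "low",
            "Decommission fax server", "rejected", None,
            "Risk accepted; replacement budgeted for next year"),
]

if __name__ == "__main__":
    print(render_plan(SAMPLE))
    print("Analysis dated in window:",
          analysis_within_window(date(2015, 3, 15), date(2015, 12, 31)))
    print("Plan entries needing attention:", implementation_plan_gaps(SAMPLE))
```

The register deliberately allows a “rejected” status with a rationale, which matches the article's point that a covered entity will not implement every recommendation; what the auditor needs to see is that each recommendation was considered and its disposition recorded.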
What is new here compared with prior audits is that Figliozzi is now requiring the Implementation Plan. This is because the Meaningful Use Objective requires that participants “implement security updates as necessary and correct identified security deficiencies as part of its risk management process”. In other words, it is not sufficient to obtain the risk analysis and ignore the results. Legitimate corrective actions must be taken in order to fully comply with the Meaningful Use objective.
What are the take-aways? For most organizations, except for the most sophisticated ones, outside expert help is recommended both to complete the risk analysis and to assist with the ongoing project management and completion of corrective action items.
Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.