Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
The Physician Meaningful Use Program for Medicare was terminated on December 31, 2016, and was replaced by the “Advancing Care Information” performance category of the MIPS program. Advancing Care Information retains the important “Protecting Patient Health Information” Objective. A key change for 2017 is that the deadline for completing the Security Risk Analysis (a.k.a. security risk assessment) is December 31, 2017. (Note that the Medicaid Physician Meaningful Use Program, and both the Medicare and Medicaid Hospital Meaningful Use Programs remain, and the earlier deadline for the SRA also applies.)
Protecting Patient Health Information Objective
The Protecting Patient Health Information objective for Advancing Care Information states:
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.
This reference to 45 CFR points directly to the HIPAA Security Rule. This means that the practice must complete a Security Risk Analysis that addresses the security of information within the CEHRT the practice is using. It also references implementing security updates to correct deficiencies. Note that the Security Risk Analysis for this objective doesn’t necessarily have to address the security of other ePHI in the practice (e.g. diagnostic equipment or other applications such as lab software or billing software). A practice which hasn’t recently completed a full-scope Security Risk Analysis should still complete one periodically, as often as necessary, as changes occur in the technology landscape.
A critical change this year is that the Security Risk Analysis and remediation must be completed before the end of the calendar year. In the past, this objective only needed to be completed prior to attestation, which gave some practices a little extra leeway to complete it. Practices are advised to arrange for their Security Risk Analysis as early as possible to avoid missing the deadline!
What is required for Protecting Patient Health Information?
In short, here is what needs to be completed for the Protecting Patient Health Information Objective for Advancing Care Information.
- Conduct or review a Security Risk Analysis for the security of ePHI contained within the CEHRT.
  - Addresses physical, technical, and administrative safeguards
  - Completed for each performance year before 12/31
  - Completed during the performance year, but not necessarily within the reporting period
- Corrective Action
  - Address security deficiencies (the objective only requires progress in improving the organization’s security posture)
  - Maintain records of corrective actions
  - Periodically review progress towards risk mitigation
For more information about the Security Risk Analysis, please see prior blog posts at Topic: HIPAA Security Risk Analysis