Risk Assessments for Meaningful Use – Physician Practices
Eagle Consulting Partners provides a comprehensive computer security risk analysis, fully consistent with the requirements of the HIPAA Security regulations as required in 45 CFR 164.308(a)(1).
For this risk analysis, Eagle uses the methodology specified in NIST SP 800-30, which is the only approach explicitly mentioned in the HIPAA Security rule as appropriate.
For smaller practices, this risk analysis can be conducted remotely. For larger practices, an on-site review is recommended.
This assessment is required by Stage 2 Meaningful Use, for the Privacy and Security Objective #1. (For Stage 1, this was initially Objective #15 and became Objective #14 after April 2013. For Stage 2, the objective was slightly modified; it was Core Measure #9 before being renumbered to #1 in October 2015.)
The Meaningful Use requirement also discusses a Security Management Process. Simply put, the “Security Management Process” consists of the following: A) Conduct a risk analysis, B) Implement security fixes to correct deficiencies, and C) Repeat. To fulfill the Meaningful Use requirement, you must do both A and B.
The EHR software you purchased, and its “Meaningful Use Dashboard”, show no details about this objective, since the software has no way of knowing whether you meet the requirements of this objective.
For more information regarding the risk analysis and the HIPAA requirements, see the posts “Achieving Meaningful Use Stage 1 for Privacy and Security” and “45 CFR 164.308(a)(1), 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3) Explained”.
By choosing Eagle’s service, physicians can attest with confidence, without worry should the physician be selected for a government Meaningful Use audit.
Eagle has long experience in successful risk assessments and solutions for physician practices.
Your Eagle risk analysis involves the following steps:
1) Identify all computer hardware, software and patient data (PHI). This involves quantifying the location, type and quantity of patient data.
2) Evaluate the technical security capabilities in place, such as passwords, encryption, firewalls and audit logging. This is usually based on interviews with computer support personnel, whether they are outside contractors or in-house employees. For larger practices and networks, a technical vulnerability scan can be performed.
3) Review administrative processes in place, such as employee background checks, employee termination procedures and employee discipline. This is accomplished through interviews with the office manager or practice administrator, and through a review of written policies and procedures.
4) Prepare a risk analysis report, which includes commentary on all 42 HIPAA Security implementation specifications and the corresponding risk levels based on the security measures in place. The report will also include prioritized corrective action recommendations.