Each of the three previous posts in this series addressed a different aspect of security: information security principles, HIPAA changes in the HITECH Act, and the components of the HIPAA security rule.
The subject of this post is meaningful use objective 15, which states:
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
What are the requirements of 45 CFR 164.308(a)(1)? Fortunately, the Centers for Medicare and Medicaid Services (CMS) has produced a series of documents aimed at making the security rule comprehensible to regular folks. Two documents, “Basics of Risk Analysis and Risk Management” and “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” provide detailed guidance on meeting the requirements of MU objective 15.
Page 18 of the first document provides a matrix of security standards. Reviewing the matrix, one finds that Section 164.308(a)(1) appears as the security process management standard in the administrative safeguard category. It comprises four required implementation specifications: risk analysis, risk management, sanction policy, and information system activity review.
Remember, the goal of the security rule is to maintain the confidentiality, integrity, and availability of protected health information (PHI). If one has an important asset to protect, the first step is to figure out how that asset might be lost or compromised. This is what risk analysis is all about. A risk analysis starts with a detailed search for vulnerabilities (security weaknesses) that could enable the loss or compromise of PHI. Next, threats (anyone or anything that could take advantage of a vulnerability) are identified, and finally a determination is made of the likelihood (risk) that a threat will make use of the vulnerability. The CMS documents mentioned above provide information on risk analysis for small practices.
Once vulnerabilities, threats, and risks have been identified and assessed, the next step is to create a plan for dealing with them. The implementation specifications for administrative, physical, and technical safeguards provide guidance in determining what risk management plans should include. Here is an HHS guide created specifically for small practices.
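To make the two steps above concrete, here is an added example (written for this post, not taken from the CMS or HHS guidance) of a small risk register: each entry pairs a vulnerability with a threat, rates likelihood and impact, and records the safeguard chosen in the risk management plan. Every asset, rating, and safeguard in it is a constructed illustration for a hypothetical small practice, and the scoring rule (likelihood times impact, with high risks treated first) is an assumption, not a rule from the regulation.

```python
"""Added example: a small HIPAA-style risk register.

Risk analysis: pair each vulnerability with a threat and rate likelihood and impact.
Risk management: record the safeguard and order the work by risk rating.
All entries and ratings are constructed for illustration only.
"""
from dataclasses import dataclass

# Ordinal scale used for both likelihood and impact (assumption, not from the rule).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str           # asset that holds or moves ePHI
    vulnerability: str   # weakness that could expose the asset
    threat: str          # who or what could exploit the weakness
    likelihood: str      # low / medium / high, as rated by the practice
    impact: str          # low / medium / high, effect on confidentiality, integrity, availability
    safeguard: str       # measure chosen in the risk management plan
    implemented: bool = False

    @property
    def score(self) -> int:
        """Likelihood times impact, giving a value from 1 to 9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def rating(self) -> str:
        """Bucket the numeric score into a rating used for prioritisation."""
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"

    @property
    def treatment(self) -> str:
        """Planning rule assumed here: high risks first, medium scheduled, low accepted."""
        return {"high": "mitigate now",
                "medium": "schedule mitigation",
                "low": "accept and monitor"}[self.rating]


def build_register():
    """Constructed register for a hypothetical small practice."""
    return [
        Risk("laptop with patient charts", "disk not encrypted", "theft or loss",
             "medium", "high", "full-disk encryption"),
        Risk("EHR server", "vendor patches applied ad hoc", "malware exploiting known flaws",
             "medium", "high", "monthly patch schedule"),
        Risk("staff workstations", "shared login account", "unauthorized viewing of records",
             "high", "medium", "individual accounts and automatic logoff"),
        Risk("backup tapes", "stored on-site only", "fire or flood",
             "low", "high", "off-site encrypted backups"),
        Risk("fax machine", "located in waiting room", "passers-by reading faxes",
             "medium", "low", "move fax to staff-only area"),
    ]


def prioritize(register):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def management_plan(register):
    """Open (not yet implemented) risks with their treatment, highest first."""
    return [(r.rating, r.treatment, r.asset, r.safeguard)
            for r in prioritize(register) if not r.implemented]


def residual_high_risks(register):
    """High-rated risks whose safeguard is still outstanding."""
    return [r.asset for r in register if r.rating == "high" and not r.implemented]


if __name__ == "__main__":
    for rating, treatment, asset, safeguard in management_plan(build_register()):
        print(f"{rating:6} {treatment:20} {asset:28} -> {safeguard}")
```

The register is meant to be revisited: marking a safeguard as implemented drops it from the plan, and `residual_high_risks` shows what still needs attention at the next review.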
Proper security management requires policies and procedures that clearly outline expected behavior and forbidden practices. The sanction policy details the steps that will be taken when security policies and procedures are not followed. It is a good idea to include examples of violations and descriptions of potential disciplinary actions so that employees clearly understand what is expected and how improper activity will be handled.
Information System Activity Review
This implementation specification requires a review of information system usage such as audit logs and access reports. Certified EHRs are required to capture and provide reports that meet this specification (along with other security requirements). If one uses “certified EHR technology,” this is the easiest part of the security process management standard.
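As an added example of what a review of audit logs and access reports can look like in practice (written for this post; it is not code from any certified EHR product, and the log format and every entry are constructed), the script below reads access events and flags three things a reviewer typically wants to see: access outside business hours, export of patient data, and one user viewing many distinct patients in a short window. The business-hours range, window length, and threshold are assumptions a practice would set for itself.

```python
"""Added example: a simple information system activity review over constructed
EHR audit-log lines. Format, entries, and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one access event per line (not real data).
SAMPLE_LOG = """\
2023-04-03T09:15:02 user=jdoe role=nurse patient=P1001 action=view
2023-04-03T09:16:40 user=jdoe role=nurse patient=P1001 action=update
2023-04-03T02:47:11 user=tlee role=billing patient=P2201 action=view
2023-04-03T10:01:05 user=mroy role=clerk patient=P3001 action=view
2023-04-03T10:02:11 user=mroy role=clerk patient=P3002 action=view
2023-04-03T10:03:30 user=mroy role=clerk patient=P3003 action=view
2023-04-03T10:04:02 user=mroy role=clerk patient=P3004 action=view
2023-04-03T10:05:45 user=mroy role=clerk patient=P3005 action=view
2023-04-03T10:06:10 user=mroy role=clerk patient=P3006 action=view
2023-04-04T11:30:00 user=jdoe role=nurse patient=P1001 action=export
"""

BUSINESS_HOURS = (7, 19)            # 07:00 to 19:00 local time, weekdays (assumption)
VOLUME_WINDOW = timedelta(minutes=15)  # look-back window for the volume check (assumption)
VOLUME_THRESHOLD = 5                # distinct patients viewed within the window (assumption)


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def after_hours(event):
    """True on weekends or outside the configured business hours."""
    t = event["time"]
    return t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])


def high_volume_users(events):
    """Users who viewed at least VOLUME_THRESHOLD distinct patients within VOLUME_WINDOW."""
    views = defaultdict(list)
    for e in events:
        if e["action"] == "view":
            views[e["user"]].append(e)
    flagged = set()
    for user, evs in views.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Distinct patients seen from this event forward, within the window.
            window = {e["patient"] for e in evs[i:]
                      if e["time"] - start["time"] <= VOLUME_WINDOW}
            if len(window) >= VOLUME_THRESHOLD:
                flagged.add(user)
                break
    return flagged


def review(text):
    """Produce a small access report: event count, per-user totals, and findings."""
    events = parse_log(text)
    findings = []
    for e in events:
        if after_hours(e):
            findings.append(("after_hours", e["user"], e["patient"], e["time"].isoformat()))
        if e["action"] == "export":
            findings.append(("export", e["user"], e["patient"], e["time"].isoformat()))
    for user in sorted(high_volume_users(events)):
        findings.append(("high_volume", user, None, None))
    per_user = defaultdict(int)
    for e in events:
        per_user[e["user"]] += 1
    return {"events": len(events), "per_user": dict(per_user), "findings": findings}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"{report['events']} events, per user: {report['per_user']}")
    for finding in report["findings"]:
        print("finding:", *finding)
```

A finding is a prompt for a reviewer to ask a question (was the after-hours access an on-call shift? was the export authorised?), not a verdict; the point of the specification is that someone looks at the report on a regular schedule and documents what was done about it.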
In brief, that is what meaningful use objective 15 requires. In essence, it reconfirms the need for covered entities to comply with the security rule if they use, store, or transmit electronic protected health information.
The security rule, like most federal regulations, can be difficult to understand. I hope this series of posts has made information security a little more approachable and the security rule less daunting.
Below is a list of documents from HHS that offer clear, detailed explanations of the security rule. They should help those who wish to delve further into this topic.
I hope this series has been helpful and thanks for stopping by.
EHR Science Security Series
Information Security: A Practical Guide
Be Warned, Now HIPAA Has Teeth
The HIPAA Security Rule: Components and Compliance
Health and Human Services Documents
Security 101 for Covered Entities
Organizational, Policies and Procedures and Documentation Requirements
Basics of Risk Analysis and Risk Management
Security Standards: Implementation for the Small Provider
Cybersecurity: 10 Best Practices For The Small Healthcare Environment