Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security risk analysis is a core objective in the meaningful use requirements of the Medicare and Medicaid electronic health record (“EHR”) incentive programs. These security risk analyses have been a hot topic with our clients and other health care providers recently, and there are lots of questions, especially about when to perform the analyses.
Health care providers are curious whether a security risk analysis must be completed in both Stage 1 and again in Stage 2 of meaningful use? Yes. Health care providers must conduct or review a security risk analysis in both Stage 1 and Stage 2 of meaningful use to ensure the privacy and security of their patients’ protected health information. The Centers for Medicare & Medicaid Services (CMS) updated its frequently asked questions on November 5, 2014 to provide additional guidance regarding security risk analyses. FAQ #10754 responds:
To meet the “Protect Electronic Health Information” core objective for Stage 1, eligible professionals (EP), eligible hospitals or critical access hospitals (CAH) must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.
In Stage 2, in addition to meeting the same security risk analysis requirements as Stage 1, EPs and hospitals will also need to address the encryption and security of data stored in the certified EHR technology (CEHRT).
Another frequent question is, “When do providers need to complete the security risk analysis?” The security risk analysis does not have to be completed only during the reporting period; rather, it can be completed any time between the start of the EHR reporting year and before the provider submits its attestation. And, remember, in November 2014, CMS announced a one-month extension of the deadline for eligible hospitals and critical access hospitals to attest to meaningful use for the Medicare EHR Incentive Program 2014 reporting year. So hospitals and critical access hospitals will have until December 31, 2014 to complete or review their security risk analyses and then to submit their attestations for this EHR reporting year.
Sometimes the question is, “If I did this last year, then do I need to do it again this year?” And the answer is, “Yes, the security risk analysis must be completed each year, prior to attestation.” Sometimes it is appropriate to simply review last year’s risk analysis instead of conducting a new one in full. A complete security risk analysis should be conducted the first year or when a new EHR is adopted or if there are significant changes to the EHR or security practices. Reviewing and updating a complete analysis is appropriate in other years.
Providers also question whether this risk analysis satisfies obligations under the Health Insurance Portability & Accountability (HIPAA) Security Rule, 45 CFR § 164.308(a)(1)(ii)(A), to conduct an analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI. In the updated FAQ, CMS makes clear that the risk analysis under the EHR incentive program “complements but does not impose new or expanded requirements on the HIPAA Security Rule.”
Finally, providers want to know what to do once they complete the security risk analysis. Providers must then manage identified risks by taking reasonable steps to implement needed security updates and correct high priority threats and vulnerabilities. Not only are performing a security risk analysis and managing identified risks required by both the HIPAA Security Rule and the EHR Incentive Programs, but performing these steps might help prevent data breaches. The Department of Health and Human Services, Office for Civil Rights (OCR) announced in December 2014 a settlement with Anchorage Community Mental Health Services (“ACMHS”) regarding a data breach of unsecured ePHI caused by malware. OCR criticized ACMHS for not following ACMHS’ own security policies and procedures, for not regularly updating software when patches become available, and for operating outdated and unsupported software. Most importantly, OCR criticized ACMHS for not performing a security risk analysis, noting that a security risk analysis would have identified these risks.