Recently, the Office of the National Coordinator for Health Information Technology recommended that medical practices identify a privacy and security officer in order to conduct a security risk analysis, as part of a 10-step plan to protect PHI. Many believe that this suggestion was spurred by the fact that more practices are adopting EMRs without having the IT knowledge needed to implement and maintain security provisions. HIPAA already requires that any “covered entity” identify both a privacy officer and a security officer (who can be the same individual), but many small practices lack the resources to hire an experienced IT person to fill these roles. Thus, performing a thorough privacy/security risk analysis (or assessment) is frequently the best way to discover security weaknesses in your practice.
Those who have already attested for Meaningful Use are undoubtedly familiar with the Core Measure: Conduct a Risk Analysis. Unfortunately, CMS gave no clear guidelines about what a proper “risk analysis” entails. According to a recent article by Lynn Scheps on the blog site EMRandHIPAA.com, this ambiguity left some practices so anxious that they began hiring consultants to perform their risk assessments, while others simply assumed they had already met all MU requirements because their EMR was certified by the ONC. Later, CMS clarified that its requirements were not designed to exceed those of HIPAA on the subject of risk assessment.
HIPAA describes a security risk analysis as “the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.” The Security Rule acknowledges that there are numerous ways of conducting a risk analysis, but identifies several universal elements that are required for compliance. These can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html, and are fairly straightforward.
The ONC’s 10-step privacy and security program contains guidelines on risk analysis for Meaningful Use. It recommends that practices contact their local Regional Extension Centers or medical associations for help and advice about conducting a risk assessment. You may also visit http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy_and_security/1147 for more security resources. Stay tuned for specific examples of risk assessments in part 2 of this blog.