Performing a security risk analysis in your practice is a core objective requirement of Meaningful Use. Even if you're using EHR software in your practice but not participating in Meaningful Use, you are still required to keep your patients' information safe, so conducting a risk analysis is in your best interest. A risk analysis requires you to look at the way your practice operates and protects patient health information.
The security risk assessment is a requirement of both Stage 1 and Stage 2 of Meaningful Use. In Stage 1, eligible professionals must conduct or review a security risk analysis and implement security updates as necessary and correct any deficiencies as part of the risk management process. In Stage 2, eligible professionals need to meet the same requirements as in Stage 1, but must also address the encryption security of data at rest.
Depending on the size of your practice and resources, some practices may choose to outsource their risk analysis, while others might choose to perform the assessment on their own. There are many ways risk analysis of your practice can be performed, so it's important to develop a plan before you dive in. Below we'll take a look at the physical, administrative, technical, policy, and organizational safety requirements that you should be looking at when performing a risk analysis. The CMS website is a great resource for anything related to HIPAA and Meaningful Use, so we highly recommend you check out their tip sheet if you have further questions!
What to Review when Performing a Risk Analysis of Your EHR Software
1. Physical Safety
When it comes to the physical safety of your patients' information in your practice, you need to take a look at the building your office is located in, your computer equipment, and any portable devices that you might be accessing the system from. Some things you might want to put into place are building alarm systems, sprinkler systems, locked offices, and privacy screens that shield information from other people in the office.
2. Administrative Safety
In your office it's important to have one person designated as a "security officer" who oversees employee training, controls information access, monitors user activities, and routinely performs risk assessments for your practice.
3. Technical Safety
Here is where things can get a little tricky and technical if you don't have a strong IT background, and where you might want to hire an IT professional to assess your technical security. If you're using a cloud-based EHR, some of these tasks, such as data encryption and backups, might be handled by the vendor. But your vendor can't do it all, and there are some things you'll need to do on your own in your practice, such as using strong passwords to control access to the system and reviewing audit logs to monitor users and EHR activity.
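As an added illustration of what "reviewing audit logs" can look like in practice (this is example code, not part of the original post or any EHR vendor's product), the script below reads a small set of constructed audit entries in an assumed comma-separated format and flags the kinds of activity a security officer would want to look at: access outside business hours, sensitive actions such as exports, and one user touching an unusually large number of patient records. The log format, business hours, and thresholds are assumptions for the example.

```python
"""Flag EHR audit-log activity worth a security officer's attention (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample entries; the format (timestamp,user,action,patient_id) is assumed.
SAMPLE_LOG = """\
2024-03-04T09:12:00,nurse_a,view,P1001
2024-03-04T09:15:00,nurse_a,view,P1002
2024-03-04T22:47:00,billing_b,view,P2001
2024-03-04T22:49:00,billing_b,view,P2002
2024-03-04T22:51:00,billing_b,export,P2003
2024-03-04T10:03:00,dr_c,update,P1001
2024-03-04T10:05:00,dr_c,view,P1003
"""

BUSINESS_HOURS = (7, 19)          # assumed: access between 07:00 and 19:00 is expected
RECORD_THRESHOLD = 2              # assumed: distinct patients per user before flagging
SENSITIVE_ACTIONS = {"export", "print"}  # assumed: actions that copy data out of the EHR


def parse_log(text):
    """Turn the comma-separated entries into dicts with a parsed timestamp."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, action, patient = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return entries


def review(entries):
    """Return (finding_type, user, detail) tuples for entries that merit a look."""
    findings = []
    patients_by_user = defaultdict(set)
    for e in entries:
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["patient"]))
        if e["action"] in SENSITIVE_ACTIONS:
            findings.append(("sensitive_action", e["user"], e["patient"]))
        patients_by_user[e["user"]].add(e["patient"])
    # Volume check runs once per user after all entries are counted.
    for user, patients in patients_by_user.items():
        if len(patients) > RECORD_THRESHOLD:
            findings.append(("high_volume", user, str(len(patients))))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding is a starting point for the security officer to ask whether the access had a legitimate reason, and the output doubles as the documentation of routine monitoring that an audit may ask for.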
4. Office Policies
Office policies help to make sure that everyone in your office is on the same page and aware of what they need to do to ensure HIPAA compliance. Keeping documentation of security measures in your office will also be helpful in the event of a Meaningful Use audit.
5. Organizational Requirements
If you're using other software that integrates or works with your EHR software it's important to have business agreements in place. You should also have a plan for identifying and managing other vendors who access, create, or store your patient information.
There's a lot to consider when going through a risk assessment for your practice, but with the resources that CMS has available to help you through your Meaningful Use journey, you should be well on your way. Here are a few resources that we think are worth checking out:
- Guide to Privacy and Security of Health Information
- Eligible Professional Core Measure 9 of 17: Protect Electronic Health Information
- Risk Assessment and HIPAA Security Compliance Starting Points
If you want to get all the latest Meaningful Use and practice management and EHR software news, stay subscribed to our blog!