CMS has released the Meaningful Use Stage 2 Proposed Rule. This notice of proposed rulemaking (NPRM) details the requirements for meaningful use stage 2 and is set to be published in the Federal Register March 7, with a 60-day comment period. Guess what? Risk Analysis (per 45 CFR 164.308(a)(1)(ii)(A) is not going away. Here’s today’s big tip — Get with it; learn the requirements; get ‘er done!
Following is a excerpt from Medicare and Medicaid Programs; Electronic Health Record Incentive Program-Meaningful Use Stage 2 Requirements. Well I’ll be darned, that encryption thing has cropped up again…along with Risk Analysis … again…
Proposed Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.
Protecting electronic health information is essential to all other aspects of meaningful use. Unintended and/or unlawful disclosures of personal health information could diminish consumers’ confidence in EHRs and electronic health information exchange. Ensuring that health information is adequately protected and secured will assist in addressing the unique risks and challenges that may be presented by electronic health records.
Proposed Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.
This measure is the same as in Stage 1 except that we specifically address the encryption/security of data is that is stored in Certified EHR Technology (data at rest). Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure. We do not propose to change the HIPAA Security Rule requirements, or require any more than would be required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.
We propose this measure because the implementation of Certified EHR Technology has privacy and security implications under 45 CFR 164.308(a)(1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider’s risk management process and implemented or corrected as dictated by that process. We emphasize that our discussion of this measure and 45 CFR 164.308(a)(1) is only relevant for purposes of the meaningful use requirements and is not intended to supersede what is separately required under HIPAA and other rulemaking. Compliance with the HIPAA requirements is outside of the scope of this rulemaking. Compliance with 42 CFR Part 2 and State mental health privacy and confidentiality laws is also outside the scope of this rulemaking. EPs, eligible hospitals or CAH affected by 42 CFR Part 2 should consult with the Substance Abuse and Mental Health Services Administration (SAMHSA) or State authorities.
(b) Objectives and Measures Carried Over (Modified or Unmodified) from Stage 1 Menu Set to Stage 2 Core Set
We signaled our intent in the Stage 1 final rule to move the objectives from the Stage 1 menu set to the Stage 2 core set. The HIT Policy Committee also recommended that we move all of these objectives to the core set for Stage 2. We propose to include in the Stage 2 core set all of the objectives and associated measures from the Stage 1 menu set, except for the objective “capability to submit electronic syndromic surveillance data to public health agencies” for EPs, which would remain in the menu set for Stage 2. As discussed later, we also propose to modify and combine some of these objectives and associated measures for Stage 2.
Clearwater Compliance has developed the most sophisticated, formalized HIPAA Security Risk Analysis™ solution on the market today. Check it out jump-start your security compliance program, make more informed risk management decisions or honorably meet Meaningful Use Stage 1 and Stage 2 Attestation requirements.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017