CMS has released the Meaningful Use Stage 2 Proposed Rule.  This notice of proposed rulemaking (NPRM) details the requirements for meaningful use stage 2 and is set to be published in the Federal Register March 7, with a 60-day comment period.  Guess what?  Risk Analysis (per 45 CFR 164.308(a)(1)(ii)(A) is not going away.  Here’s today’s big tip — Get with it; learn the requirements; get ‘er done! 

business associate risk - weak link in chain

Following is a excerpt from Medicare and Medicaid Programs; Electronic Health Record Incentive Program-Meaningful Use Stage 2 Requirements.  Well I’ll be darned, that encryption thing has cropped up again…along with Risk Analysis … again…

Proposed Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Protecting electronic health information is essential to all other aspects of meaningful use. Unintended and/or unlawful disclosures of personal health information could diminish consumers’ confidence in EHRs and electronic health information exchange. Ensuring that health information is adequately protected and secured will assist in addressing the unique risks and challenges that may be presented by electronic health records.

Proposed Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.

This measure is the same as in Stage 1 except that we specifically address the encryption/security of data is that is stored in Certified EHR Technology (data at rest). Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure. We do not propose to change the HIPAA Security Rule requirements, or require any more than would be required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.

We propose this measure because the implementation of Certified EHR Technology has privacy and security implications under 45 CFR 164.308(a)(1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider’s risk management process and implemented or corrected as dictated by that process. We emphasize that our discussion of this measure and 45 CFR 164.308(a)(1) is only relevant for purposes of the meaningful use requirements and is not intended to supersede what is separately required under HIPAA and other rulemaking. Compliance with the HIPAA requirements is outside of the scope of this rulemaking. Compliance with 42 CFR Part 2 and State mental health privacy and confidentiality laws is also outside the scope of this rulemaking. EPs, eligible hospitals or CAH affected by 42 CFR Part 2 should consult with the Substance Abuse and Mental Health Services Administration (SAMHSA) or State authorities.

(b) Objectives and Measures Carried Over (Modified or Unmodified) from Stage 1 Menu Set to Stage 2 Core Set

We signaled our intent in the Stage 1 final rule to move the objectives from the Stage 1 menu set to the Stage 2 core set. The HIT Policy Committee also recommended that we move all of these objectives to the core set for Stage 2. We propose to include in the Stage 2 core set all of the objectives and associated measures from the Stage 1 menu set, except for the objective “capability to submit electronic syndromic surveillance data to public health agencies” for EPs, which would remain in the menu set for Stage 2. As discussed later, we also propose to modify and combine some of these objectives and associated measures for Stage 2.

Clearwater Compliance has developed the most sophisticated, formalized HIPAA Security Risk Analysis™ solution on the market today.   Check it out jump-start your security compliance program, make more informed risk management decisions or honorably meet Meaningful Use Stage 1 and Stage 2 Attestation requirements.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Series Navigation<< HIPAA Security Risk Analysis Tips – Understanding the Importance of Conducting a Comprehensive Risk AnalysisHIPAA Security Risk Analysis Tips – Due Diligence Mitigates Liability Exposure Under HIPAA and the HITECH Act >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.