Meaningful Use and Risk Analysis
In order to qualify for Meaningful Use incentives, CMS identified a core set of 14 Meaningful Use objectives for eligible hospitals (EHs) and 15 core Meaningful Use objectives for eligible professionals (EPs) on which they must focus to qualify for incentive funds provided through the new CMS Medicare and Medicaid incentive program. Additionally, EHs and EPs must also focus on five of the 10 menu set objectives to qualify for incentive funds.
An Eligible Hospital (EH) must attest to all 14 Core Measures of the Meaningful Use Stage 1 requirements in order to qualify for stimulus money. Core Measure #14 requires that organizations complete a series of activities, both initial and follow-on. It is important to note that there is no exclusion from Core Measure #14; that is, it is not an optional or excludable component of the attestation. Eligible professionals (EPs) must attest "Yes" to having conducted or reviewed a risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implemented security updates as necessary, and corrected identified security deficiencies prior to or during the EHR reporting period in order to meet this measure. It is worth noting that Stage 2's requirements continue to reinforce the importance of privacy and security by requiring encryption. All providers must achieve meaningful use under the Stage 1 criteria before moving to Stage 2.
Risk analysis is an area that organizations must make sure they take into consideration. Without performing this process and then using its outcomes to adjust the controls in use and to modify policies and procedures, organizations will not qualify for the Meaningful Use incentives. According to the 3rd Annual HIMSS Security Survey(1), one-quarter of the sample population would currently not qualify for Meaningful Use because of this area. Additionally, many organizations that did report performing a risk analysis indicated that they performed one only once every two years or less often. This schedule is not sufficient to identify risky behavior or gaps in security controls.
The results also show that medical practices are not as advanced as hospitals in many areas of data security. For instance, they are less likely to report conducting a formal risk analysis, less likely to have many of the security tools in place, and less likely to analyze data from their audit logs. One issue that may explain this is a potential lack of IT staff at medical practices, which leaves the security function to others who simply do not have the expertise and background to navigate the complex issues surrounding the privacy and security of data. One approach to bridging this gap may be the use of external resources, such as consultants. Indeed, the respondents representing medical practices in this study were much more likely to report relying on external resources than those working for a hospital.
RISC Management and Consulting can assist organizations including medical practices and hospitals alike in performing a risk analysis, understanding the results, determining appropriate remediation steps, and managing security functions on an ongoing basis. RISC was founded by individuals with an extensive healthcare background so we understand your business and the unique challenges it presents! Contact us to find out how we can assist you.
For more information, please see this release from the eHR Incentive Program.