
The Meaningful Use Call-Out of HIPAA Security

This post is a brief but detailed look at the HIPAA Security call-out in the CMS Meaningful Use Incentive Program and the HIPAA Security standard associated with that call-out.

When you see the wording in the Meaningful Use Core Objectives that references HIPAA Security, you may experience sticker-shock. The Meaningful Use Core Objective states,

“…Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process…”

When you address this, be sure to keep the right perspective – 45 CFR 164.308(a)(1) is just one standard within one category of the HIPAA Security Rule. This perspective is crucial when your IT resources may already be stretched to the maximum!

45 CFR 164.308(a)(1) is the Security Management Process standard, and it applies to every piece of your IT infrastructure that generates, stores, or maintains ePHI. It contains 4 implementation specifications, each of which must be specifically addressed. Below are brief explanations of each and a foundational example:

  1. Risk Analysis – This should result in the documented discovery of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; and, it should include balancing the cost of implementing mitigation against the cost of not implementing a mitigation. An example is the retention of a third-party audit firm to produce a documented risk log for your Risk Management program.
  2. Risk Management – This document should outline the steps/methodologies your organization will employ to assess risk, reduce risk, and maintain reasonable levels of risk. An example is the employment of FRAP (Facilitate Risk Assessment Process) to identify and mitigate unreasonable risks.
  3. Sanction Policy – This is the documented policy and procedure to prevent, detect, contain, and correct security violations with your workforce. An example is a 3-step sanction policy including verbal, written, and legal actions against your workforce.
  4. Information System Activity Review – This document should describe the activities associated with the proactive and reactive review of information system activity. It may generally include the review of audit logs and access reports, in addition to security incident tracking. An example is choosing to proactively audit 5% of the user activity on a monthly basis and reviewing logged incident reports weekly.
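The proactive review in item 4 needs a selection method an auditor can reproduce and document. The following added example (not from the original post) uses a salted hash over each event id to pick a deterministic 5% sample of a month's ePHI access-log records and to flag incident reports that have gone more than a week without review; the log records, user names and field names are constructed for illustration.

```python
"""Helpers for a HIPAA Information System Activity Review (added example)."""
import hashlib
from datetime import date, timedelta


def _hash_fraction(*parts: str) -> float:
    """Map the parts to a reproducible value in [0, 1) via SHA-256."""
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def select_activity_sample(records, month, fraction=0.05, salt="review-salt"):
    """Pick a reproducible `fraction` of the month's access-log records for manual review.

    `records` are dicts with 'event_id', 'user', 'date', 'action', 'patient' (constructed
    schema).  Salt and month feed the hash, so repeating the selection later yields the
    same sample, which is what lets the review procedure be documented and verified.
    """
    chosen = []
    for rec in records:
        if rec["date"].strftime("%Y-%m") != month:
            continue  # outside the review period
        if _hash_fraction(salt, month, rec["event_id"]) < fraction:
            chosen.append(rec)
    return chosen


def incidents_due_for_review(incidents, today, max_age_days=7):
    """Return incident reports never reviewed or last reviewed more than a week ago."""
    cutoff = today - timedelta(days=max_age_days)
    return [i for i in incidents
            if i["last_reviewed"] is None or i["last_reviewed"] < cutoff]


def constructed_log(n=1000, month_start=date(2024, 3, 1)):
    """Constructed ePHI access-log records for demonstration only (not real data)."""
    users = ["nurse01", "drsmith", "billing02", "admin07"]
    return [{"event_id": f"evt-{i:05d}", "user": users[i % len(users)],
             "date": month_start + timedelta(days=i % 30),
             "action": "view" if i % 3 else "export",
             "patient": f"pt-{i % 150:03d}"} for i in range(n)]


if __name__ == "__main__":
    log = constructed_log()
    sample = select_activity_sample(log, "2024-03")
    print(f"{len(sample)} of {len(log)} March events selected for review")
    for rec in sample[:5]:
        print(rec["event_id"], rec["user"], rec["action"], rec["patient"])
```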

Have you updated (or completed) your Security Risk Analysis? Tune into our next HIPAA Security & Data Security installation for a deeper look at security audits…
