Harned laid out the following program to help your practice engage in a comprehensive risk assessment to ensure appropriate protections of electronic health information—a good practice whether or not you are participating in the CMS EHR Incentive Program.
To meet the privacy and security objective for Meaningful Use, your practice should conduct a security risk analysis at least once before the end of each reporting period. Your risk assessment should include these basic steps:
- Identify the scope of the analysis.
- Identify the location of all electronic health information including where it is stored, how it is retrieved and by whom, and the workflow for maintenance and transmission of this information.
- Identify and document potential technical and nontechnical threats and vulnerabilities to the protection of the electronic health information, including natural threats, human threats, and environmental threats.
- Assess the security measures you currently have in place to minimize or eliminate risks to electronic health information.
- Ascertain and document the probability that an identified risk will materialize.
- Determine and document the potential impacts of each identified risk.
- Determine the overall level of risk to the electronic health information and develop a “risk matrix,” categorizing all of the risks based upon the likelihood of occurrence and potential impact.
- Identify and document the required security measures and upgrades and the actions that must be taken to mitigate identified risks.
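As an added illustration of steps five through eight (not code from the article or from the HHS Security Series), the following Python sketch scores a small risk register with a qualitative risk matrix. It assumes a three-level Low/Medium/High scale for likelihood and impact and one particular 3x3 assignment of overall risk; HHS leaves both choices to the practice. The register entries are constructed for the example and are not real findings.

```python
"""Qualitative risk matrix for an ePHI risk analysis (illustrative example).

Assumptions made for this example, not taken from the article or HHS:
a three-level scale for likelihood and impact, and the specific 3x3
assignment of overall risk in RISK_MATRIX below.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Medium", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}

# The risk matrix proper: overall risk for each (likelihood, impact) pair.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}


@dataclass(frozen=True)
class Risk:
    asset: str             # where the ePHI lives (step 2)
    threat: str            # natural, human or environmental threat (step 3)
    vulnerability: str     # weakness the threat could exploit (step 3)
    current_controls: str  # measures already in place (step 4)
    likelihood: str        # step 5
    impact: str            # step 6


def risk_level(risk: Risk) -> str:
    """Look up the overall risk level (step 7), rejecting values outside the scale."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if value not in LEVELS:
            raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")
    return RISK_MATRIX[(risk.likelihood, risk.impact)]


def risk_matrix(register: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Place every risk in its matrix cell, keyed by (likelihood, impact)."""
    cells: Dict[Tuple[str, str], List[str]] = {key: [] for key in RISK_MATRIX}
    for risk in register:
        risk_level(risk)  # validates the two levels before placing the risk
        cells[(risk.likelihood, risk.impact)].append(f"{risk.asset}: {risk.threat}")
    return cells


def prioritize(register: List[Risk]) -> List[Tuple[str, Risk]]:
    """Order the register from highest to lowest overall risk, then by asset name."""
    return sorted(((risk_level(r), r) for r in register),
                  key=lambda pair: (-RANK[pair[0]], pair[1].asset))


def needs_mitigation(register: List[Risk], threshold: str = "Medium") -> List[Risk]:
    """Risks at or above the threshold that must get documented mitigation actions (step 8)."""
    return [r for level, r in prioritize(register) if RANK[level] >= RANK[threshold]]


# Constructed sample register for a small practice; the entries are illustrative only.
SAMPLE_REGISTER = [
    Risk("Clinician laptop", "Theft (human)", "Full-disk encryption not enabled",
         "Cable lock, password login", "Medium", "High"),
    Risk("Backup tapes", "Loss in transit (human)", "Tapes are unencrypted",
         "Courier chain-of-custody form", "Low", "High"),
    Risk("Server room", "Flooding (natural)", "Servers on the floor below water pipes",
         "Offsite backups", "Low", "Medium"),
    Risk("EHR application", "Insider misuse (human)", "Shared front-desk login",
         "None", "High", "Medium"),
    Risk("USB drives", "Loss (human)", "Unencrypted exports for referrals",
         "Policy forbids personal media", "Medium", "Medium"),
]

if __name__ == "__main__":
    for level, r in prioritize(SAMPLE_REGISTER):
        print(f"{level:6}  {r.asset:18} {r.threat}")
```

The matrix cell a risk lands in, not the number of controls already listed, drives the priority; the validation in risk_level exists because a register that mixes scales (a "Critical" entered next to "High") silently breaks the comparison otherwise.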
Simply implementing a certified EHR system will not satisfy your responsibilities for protecting your patients’ health information. As you are conducting your risk analysis, you must consider the security of each system that stores or processes electronic health information (e.g., backup systems, hard drives, and removable media). In conducting the risk analysis, your practice should look at the whole system—the people and the electronic systems responsible for collecting, storing, analyzing, and transferring healthcare information.
For more information on performing a privacy and security analysis in your practice and achieving meaningful use of your EHR system, visit www.rheumatology.org/HIT or contact ACR Registries and Health Informatics staff at [email protected].
Reference
- Department of Health and Human Services, Basics of Security Risk Analysis and Risk Management. HIPAA Security Series. 2005;2(6):1-20.