Doctor's Life Magazine, Tampa Bay Doctor's Life Tampa Bay Vol. 1 Issue 6, 2013 | Page 18
Is Your Practice Ready?
MEANINGFUL USE STAGE 2 CORE MEASURE 9 SECURITY
RISK ANALYSIS AND HIPAA SECURITY RISK ASSESSMENTS
By Randy Homa
Business Development Manager,
Security Compliance Associates Healthcare Division
As we move into stage two of the meaningful use program, and with the effective date for compliance with the new HIPAA Omnibus Mega Rule having come and gone, it is critical to take a strong look at your security posture.
Core Measure 9 of Stage 2 of the Meaningful Use Incentive Program requires you to “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”
There is no exclusion for your practice from this requirement. In order to meet these criteria, you must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), address the encryption/security of data stored in CEHRT in accordance with the requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement updates as necessary, and correct identified security deficiencies as part of your risk management process.
The key areas that need to be reviewed to ensure that your practice has the best possible security posture are the technical, administrative and physical safeguards your practice has in place to protect PHI. A thorough and comprehensive assessment of risk following NIST guidance will allow you to gain a true understanding of your security posture. An accurate picture of your security posture allows you to make informed decisions regarding your risk management plan and process.
Conducting and reviewing these assessments annually as part of your Risk Management Plan is not only important for meeting the regulatory requirements for Meaningful Use and HIPAA compliance; it will also assure that you are putting your practice in the most secure environment possible.
As you prepare to meet the requirements listed above, please keep the following in mind. The more thorough you are, the better your practice's posture will be. This will result in your practice being better positioned to withstand malicious activity and regulatory scrutiny. Having a risk management plan in place, completing annual risk assessments and following through on mitigation plans will have several positive impacts on your practice. It will decrease the likelihood of downtime and its impact on patient care. Moreover, it will reduce the risk of a data breach, along with the associated penalties and negative publicity. A data breach may have a lasting impact on your reputation, as well as on the overall confidence a prospective patient may have in your practice. A solid risk assessment will ensure you are compliant with HIPAA/HITECH and the CMS Incentive Program mandates.
Here are some things to keep in mind as you review your physical, administrative and technical safeguards as part of your risk assessment.
From a physical standpoint, be sure to check on the following key aspects of your environment:
»» external door locks and alarms
»» emergency water and power shut off
»» smoke alarms and fire extinguishers
»» internal locks or monitoring for secured areas
»» server or wiring rooms