Practice Points
Meaningful Use: Protect Electronic Health Information Through Security Risk Analysis Cathy Thomas Hess, BSN, RN, CWOCN In my previous column, Meaningful Use Audit Checklist, we discussed the resources necessary for a successful attestation process. Although the column offers important information to support the Meaningful Use Audit Process, it is also a reminder that the documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for 6 years after attestation. One of the target objectives included in the audit process is Protecting Electronic Health Information. The audit validation for Protecting Electronic Health Information should support that a security risk analysis of the certified electronic health record technology was performed prior to the end of the reporting period. Your supporting documentation should include a report that documents the procedures performed during the analysis and the results. Reports should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system. The information shared below is excerpted from the Centers for Medicare &
Medicaid Services’ Security Risk Analysis Tipsheet: Protecting Patients’ Health Information.1 Additional information to support this work can be found within the Guide to Privacy and Security of Health Information.2 The following Table illustrates examples of safeguards and processes you might incorporate to mitigate security risks to your practice. These are only examples and should not be used as a comprehensive guide for mitigating security risks. You should integrate reasonable and appropriate administrative, physical, and technical safeguards that are tailored to the size and complexity of your practice.
&
References 1. Security Risk Analysis Tipsheet: Protecting Patients’ Health Information. December 2013. http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/ SecurityRiskAssessment_FactSheet_Updated20131122.pdf. Last accessed September 22, 2014. 2. Guide to Privacy and Security of Health Information. Version 1.2 060112. http://www.healthit. gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf. Last accessed September 22, 2014.
Table. Security Areas to Consider Physical safeguards
Administrative safeguards
Technical safeguards
Policies and procedures Organization requirements
Examples of Potential Security Measures Your facility and other places where patient data is accessed Computer equipment Portable devices Designated security officer Workforce training and oversight Controlling information access Periodic security reassessment Controls on access to EHR Use of audit logs to monitor users and other EHR activities Measures that keep electronic patient data from improper changes Secure, authorized electronic exchanges of patient information Written policies and procedures to ensure HIPAA security compliance Data encryption Business associate agreements
Building alarm systems Locked offices Screen shielded from secondary viewers Staff training Monthly review of user activities Policy enforcement Secure passwords Backing up data Virus checks Data encryption Written protocols on authorizing users Record retention Plan for identifying and managing vendors who access, create, or store PHI Agreement review and updates
Abbreviations: EHR, electronic health record; HIPAA, Health Insurance Portability and Accountability Act; PHI, protected health information.
Cathy Thomas Hess, BSN, RN, CWOCN, is Vice President and Chief Clinical Officer, Net Health. Ms Hess presides over Professional Services, which offers products and solutions to optimize process and work flows. Address correspondence to Cathy Thomas Hess, BSN, RN, CWOCN, via e-mail: [email protected]. ADVANCES IN SKIN & WOUND CARE & VOL. 27 NO. 11
528
WWW.WOUNDCAREJOURNAL.COM
Copyright © 2014 Wolters Kluwer Health | Lippincott Williams & Wilkins. Unauthorized reproduction of this article is prohibited.
Meaningful Use: Protect Electronic Health Information Through Security Risk Analysis Cathy Thomas Hess, BSN, RN, CWOCN In my previous column, Meaningful Use Audit Checklist, we discussed the resources necessary for a successful attestation process. Although the column offers important information to support the Meaningful Use Audit Process, it is also a reminder that the documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for 6 years after attestation. One of the target objectives included in the audit process is Protecting Electronic Health Information. The audit validation for Protecting Electronic Health Information should support that a security risk analysis of the certified electronic health record technology was performed prior to the end of the reporting period. Your supporting documentation should include a report that documents the procedures performed during the analysis and the results. Reports should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system. The information shared below is excerpted from the Centers for Medicare &
Medicaid Services’ Security Risk Analysis Tipsheet: Protecting Patients’ Health Information.1 Additional information to support this work can be found within the Guide to Privacy and Security of Health Information.2 The following Table illustrates examples of safeguards and processes you might incorporate to mitigate security risks to your practice. These are only examples and should not be used as a comprehensive guide for mitigating security risks. You should integrate reasonable and appropriate administrative, physical, and technical safeguards that are tailored to the size and complexity of your practice.
&
References 1. Security Risk Analysis Tipsheet: Protecting Patients’ Health Information. December 2013. http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/ SecurityRiskAssessment_FactSheet_Updated20131122.pdf. Last accessed September 22, 2014. 2. Guide to Privacy and Security of Health Information. Version 1.2 060112. http://www.healthit. gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf. Last accessed September 22, 2014.
Table. Security Areas to Consider Physical safeguards
Administrative safeguards
Technical safeguards
Policies and procedures Organization requirements
Examples of Potential Security Measures Your facility and other places where patient data is accessed Computer equipment Portable devices Designated security officer Workforce training and oversight Controlling information access Periodic security reassessment Controls on access to EHR Use of audit logs to monitor users and other EHR activities Measures that keep electronic patient data from improper changes Secure, authorized electronic exchanges of patient information Written policies and procedures to ensure HIPAA security compliance Data encryption Business associate agreements
Building alarm systems Locked offices Screen shielded from secondary viewers Staff training Monthly review of user activities Policy enforcement Secure passwords Backing up data Virus checks Data encryption Written protocols on authorizing users Record retention Plan for identifying and managing vendors who access, create, or store PHI Agreement review and updates
Abbreviations: EHR, electronic health record; HIPAA, Health Insurance Portability and Accountability Act; PHI, protected health information.
Cathy Thomas Hess, BSN, RN, CWOCN, is Vice President and Chief Clinical Officer, Net Health. Ms Hess presides over Professional Services, which offers products and solutions to optimize process and work flows. Address correspondence to Cathy Thomas Hess, BSN, RN, CWOCN, via e-mail: [email protected]. ADVANCES IN SKIN & WOUND CARE & VOL. 27 NO. 11
528
WWW.WOUNDCAREJOURNAL.COM
Copyright © 2014 Wolters Kluwer Health | Lippincott Williams & Wilkins. Unauthorized reproduction of this article is prohibited.
