It seems like every time you turn around, there’s another large security breach. The results can be devastating for not only the business that was hacked, but their customers as well. The risk isn’t limited to retailers – it exists anywhere customer information is used, accessed, or stored. With that in mind, core measure 9 was created and included in meaningful use. As evidence of the gravitas of this goal, there are no exclusions to this measure.
We all know how important it is to protect electronic health information, and the utmost care must be exercised to protect patients’ medical records.
Defined and Deciphered
Core measure 9 seems like a simple concept, but can be deceptively complex. The goal is to protect patients’ electronic health information that was created or is maintained by certified EHR through the implementation of appropriate technical capabilities.
Per CMS, the provider must:
“…conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process for EPs.”
It seems daunting to decipher what the requirements are, much less figure out how to actually accomplish the task. Essentially, you’re required to perform a security risk analysis to ensure that your patients’ medical records are secure, and to minimize the risk of a security breach.
Part of the challenge with this measure is its broad nature. Fulfilling the measure doesn’t rely on a simple security feature that can be enabled or disabled. Rather, practices must conduct—at least annually—a comprehensive security risk analysis in accordance with the requirements under HIPAA, and correct all identified security deficiencies. There is a full list of security criteria that must be met and/or corrected; however, a simple checklist will not satisfy the requirements. Each of the criteria must be sufficiently documented so that, in the event of an audit, you will pass. Also, no exclusions are allowed for this measure, and since it’s not a percentage-based measure, there is no CMS reporting window to track your progress.
Success Can Be Yours
Core measure 9 is essentially the same as core measure 15 from Stage 1. If you’ve already succeeded at this measure in Stage 1, you’re well on your way to success in Stage 2. Unfortunately, because of the broad nature of the measure, it’s also one of the more difficult challenges to master. This is not a measure that can be conquered simply with your EHR system. Still, this is a measure that is attainable. Given the complexities, and myriad of factors to consider, we will take on the required tasks in Part 2 of “On Task with Security Risk Analysis.” Stay tuned.
In the meantime, if you have questions or need help with meaningful use, contact us at firstname.lastname@example.org.