Colorado Medical Society

HIPAA privacy and security

Sunday, January 01, 2012 12:20 PM

David Ginsberg, President, PrivaPlan Associates, Inc.

What physicians must do to achieve meaningful use

Most physicians are aware that the American Recovery and Reinvestment Act (ARRA) provided substantial funding to encourage the adoption of electronic health records (EHR). Less well known is that ARRA also strengthens the Health Insurance Portability and Accountability Act (HIPAA). Additionally, HIPAA compliance is tied to earning ARRA incentives for implementing an EHR!

Physicians must demonstrate they have achieved meaningful use as a qualification to earn the Medicare incentive and as a second-year requirement for the Medicaid incentive. Currently, physicians are required to achieve the Stage 1 meaningful use objectives. There are fifteen core objectives and ten “menu set” objectives, of which physicians can select five and defer five.

The fifteenth core objective requires practices to “protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”

This speaks to HIPAA privacy and security rule compliance for the underlying infrastructure necessary to protect electronic health information. Electronic health information is synonymous with “electronic protected health information or ePHI.” The safeguarding of PHI (protected health information in any form – written, electronic or verbal) and ePHI are core principles of the HIPAA Privacy and Security Rules.

Physicians demonstrate they have achieved the fifteenth core objective by the following measure:

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

While meaningful use focuses on an electronic health record, this measure encompasses both the use of the EHR as well as basic HIPAA security compliance. In other words, pursuit of meaningful use reinforces a basic HIPAA requirement (45 CFR 164.308) that any covered entity must comply with – conducting a security risk analysis and maintaining a risk management program or process that corrects security deficiencies.

What is a HIPAA security risk analysis?

A HIPAA security risk analysis is a comprehensive review and audit of HIPAA security compliance. The HIPAA security rule states that the risk analysis is a requirement for compliance and specifies that covered entities:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Unfortunately, the process of a security risk analysis is neither simple nor fast. It requires careful evaluation of administrative, physical and technical safeguards.

Thus, a security risk analysis goes beyond simply looking at your EHR and includes examining the technical controls behind the EHR (for example, your firewalls and Internet connections). It also requires examining how you physically secure the EHR (such as the security of your server room or how workstations are protected). Administrative safeguards such as your hiring and termination practices, how you authorize access to the EHR, training and even your contracts with business associates must all be factored into the security risk analysis.

A security risk analysis cannot be accomplished by reviewing a checklist alone; Centers for Medicare and Medicaid guidance is clear that the risk analysis would include both the analysis and findings (such as a criticality or impact analysis).

Meaningful use further clarifies that physicians must implement security updates as necessary and correct identified security deficiencies as part of their risk management process. This means you must also develop a plan to correct the deficiencies the analysis identifies.

While these are meaningful use clarifications, it is important to note that any physician who is a covered entity under HIPAA is non-compliant if they have not already conducted a risk analysis. The HIPAA security rule has been in effect since April 2005.

Other meaningful use applicability

The Centers for Medicare and Medicaid (CMS) specify that physicians who qualify and attest for ARRA incentives must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period. This means that a new review is necessary for year two and subsequent periods of meaningful use.

Additionally, the Centers for Medicare and Medicaid instruct that a security update would be required if any security deficiencies were identified during the risk analysis. A security update could include updated software for certified EHR technology to be implemented as soon as available, changes in workflow processes or storage methods, or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.

HIPAA changes under ARRA

There are a number of HIPAA changes mandated by ARRA. Some have already been implemented such as:

Additional changes are expected to be finalized in a soon-to-be-released omnibus regulation.

Mr. Ginsberg is a noted authority on HIPAA compliance and electronic health records. PrivaPlan offers several resources including a do-it-yourself HIPAA Privacy and Security Toolkit. Mr. Ginsberg is also the senior advisor to the Colorado Rural Health Center and ClinicNet, two of the CORHIO regional extension center contractors assisting physicians and small hospitals in meaningful use.