Risk Assessments: A New Priority?

An Analysis is Required to Earn EHR Payments
Although the original HIPAA security rule mandated that healthcare organizations conduct a risk assessment, many have ignored that requirement, security experts say.

But now, hospitals and physicians have an extra source of motivation to conduct an analysis. If they want to receive financial incentives from Medicare and Medicaid for using electronic health records, they must complete a risk assessment and regularly update it.

A new rule that spells out how organizations must "meaningfully use" electronic health records to earn federal incentive payments includes the risk analysis requirement. The rule stops short of requiring the use of any specific security technologies, including encryption.

The risk analysis requirement is one of the "core objectives" for meaningful use that physicians and hospitals alike must achieve to qualify for Stage 1 of the incentive program.

A Good Reminder

Despite the original HIPAA mandate, too many hospitals and physician groups have failed to conduct a comprehensive risk analysis and update it regularly, says Dan Rode, vice president of policy and government relations at the American Health Information Management Association. "Everyone is well served by raising this issue again," he stresses.

"The original HIPAA language was so vague that a lot of security managers were opting not to do a risk assessment," adds Mac McMillan, chair of the Healthcare Information and Management Systems Society's privacy and security steering committee and CEO of CynergisTek Inc.

Powerful Incentive

But the HITECH Act's financial incentives for using EHRs, which could total $27 billion, will prove to be a powerful motivator for conducting risk assessments, McMillan says.

"This reminds those who are eligible for the incentives that there is much more to security than just buying a certified EHR," adds Kate Borten, president of The Marblehead Group. "This reinforces the idea that there's much more to a security program than the technology or how you implement it."

The meaningful use rule, and a related software standards rule, will be officially posted on the Federal Register July 28. For now, they're available in near-final form at the Federal Register public inspection desk.

See also: An in-depth report on the other provisions of the EHR incentive rules.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
