Stage 2 of the EHR Meaningful Use Incentive Program opened for registration in early October. It was a busy month for healthcare headlines (the HIPAA Omnibus Rule, the federal government shutdown, and the launch of healthcare.gov), so much so that it may have been easy to overlook the increased IT security risk analysis requirements in Stage 2. In fact, the word "security" is mentioned 61 times in the 676-page Stage 2 rule. While the core requirement to conduct a security risk analysis contained in Stage 1 is repeated almost verbatim in Stage 2, there are more nuances, additional requirements, and, as usual, plenty of room for interpretation. In this webinar, attendees will learn:
Exactly what is required of an eligible hospital to meet the security risk analysis requirement of Stage 2 Meaningful Use
What is meant by "addressing the encryption/security of data stored in Certified EHR Technology (CEHRT)"?
What is the formal definition of CEHRT?
What is the best way to document remediation as part of a hospital's risk management process?
Are there other security requirements (beyond a risk analysis) stated or implied in the Stage 2 Meaningful Use Rule?
Hospital EHR adoption rates are dramatically increasing, fueled in large part by the CMS Meaningful Use EHR Incentive Program. To attest to "meaningful use," hospitals must be using a certified EHR system. Then they must meet a number of "core requirements" to show that they have implemented and are actively using the EHR system. From 2011 to the present, over two-thirds of hospitals have achieved Stage 1 Meaningful Use. It is safe to assume that the earliest Stage 1 adopters will be working to attest to Stage 2 in 2014.
Both Stage 1 and Stage 2 require hospitals to "conduct or review a security risk analysis" and "implement security updates as necessary and correct identified security deficiencies as part of its risk management process." Although the core measure is very similar in Stage 1 and Stage 2, there are persistent concerns about a broader Stage 2 scope. For example, Stage 2 raises the bar for health information exchange between providers and for giving patients secure online access to their health information. It specifically calls out an addressable requirement from the HIPAA Security Rule regarding the encryption of "data at rest." This webinar will bring clarity and help answer the most commonly asked questions, such as:
Does our security risk analysis only need to look at the EHR application?
What is the difference between the security risk analysis in Stage 1 and the requirements in Stage 2?
We did a security risk analysis for Stage 1. Do we have to do another one for Stage 2?
How do I prove that our organization has addressed the issue of the encryption/security of data stored in CEHRT?
Berger is the President of Redspin (an Auxilio company), an IT security assessment company in Santa Barbara, CA. Under Berger's leadership, Redspin has become the leader in healthcare IT security, providing HIPAA risk analysis services to 135 hospitals, nearly 1,000 clinics, and many business associates. He is also the author of Redspin's annual "PHI Breach Report," a widely-cited resource on healthcare data breaches and their causes. In 1996, Berger received a commendation from the Oklahoma City Department of Health for his participation in a conference on "The Role of Technology in Disaster Preparedness." He is an honors graduate of Colby College in Waterville, ME.