Where The Term "Meaningful Use" Comes From
According to a Preamble issued by the U.S. Department of Health and Human Services (HHS), the term "Meaningful Use" was born out of a report sponsored by the National Quality Forum, which articulated a set of long-term aspirations for the national improvement of health care delivery, to be achieved through widespread adoption of Electronic Health Records: "In 2008, the National Priorities Partnership, convened by the National Quality Forum (NQF), released a report entitled 'National Priorities and Goals' which identified a set of national priorities to help focus performance improvement efforts. Among these priorities were patient engagement, reduction of racial disparities, improved safety, increased efficiency, coordination of care, and improved population health. These priorities were used to create the framework for 'meaningful use' of an electronic health record." Citation: Meaningful Use: A Definition.
"Meaningful Use" Defined
The term Meaningful Use refers to a clear set of criteria that determines whether or not a physician (or other clinician with prescription privileges) is using certified EHR technology in a way that positively impacts the efficiency and quality of patient care. The Centers for Medicare & Medicaid Services (CMS) is responsible for creating and defining those criteria. Because Meaningful Use is such a complex concept, CMS has broken it down into three distinct phases, commonly known as Stages 1-3. As of August 31, 2011, CMS has issued a final rule only for the Stage 1 criteria; the final rule also includes a description of the 2011 EHR Incentive Programs, meant to foster early achievement of meaningful use. The final rule can be found in the Federal Register. (You may be curious about the proposed criteria for Stages 2-3, which can be found here, beginning on page five.)
An EHR is “certified” if its features and functionalities have been reviewed (by HHS or some other entity directly authorized to “certify” EHR systems, such as CCHIT), and deemed to provide reports on all core measures and menu sets specified in the regulation. For a list of all certified EHR vendors and products, click here.
Meaningful Use Attestation: Item #15 & HIPAA Security Concerns
In the rush to attest to meaningful use, many providers feel the pressure to answer “yes” to Core Measure #15 when they have yet to conduct a security risk analysis as required by HIPAA/ARRA. PaperFree Florida strongly cautions against doing this. In the event of a federal audit, you may be subject to penalties if you say that you performed a security risk analysis in order to get a Medicare or Medicaid EHR Incentive payment and have not actually done so.
It is critical for providers to understand that a risk analysis is an active undertaking, and is required to bring your practice into compliance with HIPAA regulations (as modified by ARRA). The purpose of a security risk analysis is to ensure that physicians and practice staff take appropriate steps to safeguard electronic protected health information (e-PHI). E-PHI covers protected health information held on all forms of electronic media (e.g. hard drives, CDs, DVDs, smart cards, storage devices like flash drives, data stored in electronic workstations, etc.).
The risk analysis must be comprehensive, reviewing the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all e-PHI that an organization creates, receives, maintains or transmits. PaperFree Florida recommends that you compile all required elements in a binder and keep it in a secure location, and that you repeat (or have a third party perform) a risk analysis once per calendar year. For more general information, consult the guidance issued by the Office for Civil Rights, which has the responsibility of enforcing HIPAA rules.
Scope of the Risk Analysis
- The scope of a risk analysis includes assessment of the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all electronic protected health information (e-PHI) that an organization creates, receives, maintains or transmits. (Citation: 45 C.F.R. § 164.306(a))
- E-PHI = all forms of electronic media (e.g. hard drives, CDs, DVDs, smart cards, storage devices like flash drives, data stored in electronic workstations, etc.)
Elements of a Security Risk Analysis:
- Data Collection: Identify and document where the e-PHI is stored, received, maintained or transmitted.
  - You may use whatever method you wish to accomplish this, but the whereabouts of all e-PHI must be documented (see 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)).
- Identify Potential Threats to & Vulnerabilities of e-PHI:
  - Identify and document all reasonably anticipated threats to e-PHI; AND
    - Threats may be natural, human or environmental in nature.
    - Examples include floods, hurricanes, malicious software uploads, unauthorized access to e-PHI, power failures, pollution, etc.
  - Identify and document all vulnerabilities that, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI; this requires you to associate threats with each potential vulnerability.
    - Vulnerabilities may be technical or non-technical in nature.
    - Examples of non-technical vulnerabilities include ineffective or non-existent policies, procedures, standards or guidelines.
    - Examples of technical vulnerabilities include holes, flaws or weaknesses in the development of information systems, or incorrectly implemented and/or configured information systems.
- Assess Current Security Measures: Assess and document…
  - all security measures used to safeguard e-PHI,
  - whether security measures required by the Security Rule are already in place, AND
  - whether current security measures are configured and used properly.
- Determine if Identified Threats are Likely to Occur: Evaluate and document the probability that each threat and vulnerability combination will occur.
- Determine Potential Impacts of Threat Occurrences: Evaluate and document all potential impacts associated with the occurrence of each threat and its corresponding vulnerability on the confidentiality, availability, and integrity of e-PHI.
  - You may use a quantitative or qualitative method (or a combination of both) to measure the magnitude of the impact to confidentiality, availability, and integrity in your organization.
- Determine Level of Risk for Each Identified Threat/Vulnerability:
  - Assign and document risk levels for all threat and vulnerability combinations identified during the risk analysis, AND
  - Document a list of proposed corrective actions that could mitigate each risk level.
  - Risk level = Analysis of (likelihood of a given threat triggering/exploiting a certain vulnerability + magnitude of impact on your organization).
- Finalize Official Documentation of all Elements:
  - Elements one through six must be completed and documented as specified above; PaperFree Florida recommends that you compile all required elements in a binder and keep it in a secure location.
  - The documentation can be completed in any format you choose (no specific format is specified by the HIPAA Security Rule).
  - If you fail to document your risk analysis, it is impossible for you to establish a baseline and maintain a risk management process.
- Periodic Review and Update of Risk Analysis: HIPAA requires that the process of risk analysis (and therefore risk management) be ongoing, since the Rule requires organizations to document and update security measures as needed.
  - The Security Rule does not specify how frequently to perform a risk analysis as part of a comprehensive risk management process.
  - The frequency of performance will vary among covered entities, depending on the size of the organization.
  - PaperFree Florida recommends that our members repeat (or have a third party perform) a risk analysis once per calendar year.
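As an added illustration of the elements above (example code, not PaperFree Florida's or HHS's own tooling), a small Python risk register records each e-PHI location, threat/vulnerability pair, current safeguards, likelihood and impact, derives a qualitative risk level from likelihood plus impact as the text frames it, and flags any inventoried location with no documented pair. The likelihood/impact cut-offs and every location, threat, rating and corrective action are assumptions constructed for the example.

```python
# Added example, not PaperFree Florida's or HHS's own tooling: a minimal risk
# register that walks the elements above for a small practice. Every location,
# threat, rating and corrective action below is constructed sample data.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskItem:
    ephi_location: str      # element 1: where the e-PHI is stored or transmitted
    threat: str             # element 2: reasonably anticipated threat
    vulnerability: str      # element 2: weakness that threat could exploit
    current_measures: str   # element 3: safeguards already in place
    likelihood: str         # element 4: low / medium / high
    impact: str             # element 5: low / medium / high (on C, I or A of e-PHI)
    corrective_action: str  # element 6: proposed mitigation
    risk_level: str = field(init=False)

    def __post_init__(self):
        # Element 6: risk level = likelihood + magnitude of impact, as the text
        # puts it. The cut-offs (5+ high, 4 medium, else low) are an assumed
        # qualitative matrix, not thresholds the Security Rule prescribes.
        score = LEVELS[self.likelihood] + LEVELS[self.impact]
        self.risk_level = "high" if score >= 5 else "medium" if score == 4 else "low"

def risk_register(items):
    """Element 7: the documented pairs, highest risk first."""
    return sorted(items, key=lambda r: (-LEVELS[r.risk_level],
                                        -LEVELS[r.likelihood], -LEVELS[r.impact]))

def uncovered_locations(inventory, items):
    """Element 1 check: each e-PHI location needs at least one threat/vulnerability pair."""
    return sorted(set(inventory) - {r.ephi_location for r in items})

def documentation_lines(items):
    """Element 7: one line per pair, the record that goes in the binder."""
    return [f"{r.risk_level.upper():6} {r.ephi_location}: {r.threat} via {r.vulnerability}"
            f" (now: {r.current_measures}) -> {r.corrective_action}"
            for r in risk_register(items)]

EPHI_INVENTORY = ["EHR server", "front-desk workstation", "backup flash drive", "billing laptop"]
SAMPLE_ITEMS = [
    RiskItem("EHR server", "malicious software upload", "unpatched server OS",
             "antivirus only", "medium", "high", "apply vendor patches monthly"),
    RiskItem("backup flash drive", "loss or theft of media", "backups stored unencrypted",
             "none", "high", "high", "encrypt backups; log media check-out"),
    RiskItem("front-desk workstation", "unauthorized access to e-PHI", "shared login, no screen lock",
             "password at login", "medium", "medium", "individual accounts; 5-minute auto-lock"),
    RiskItem("EHR server", "power failure", "no UPS on server",
             "surge protector", "low", "medium", "install UPS; test restore quarterly"),
]
```

Printing `documentation_lines(SAMPLE_ITEMS)` and `uncovered_locations(EPHI_INVENTORY, SAMPLE_ITEMS)` gives the prioritized register and the one inventoried location ("billing laptop") that still has no documented threat/vulnerability pair.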