Meaningful Use Security Risk Analysis Passing Your Audit.

Agenda
1. Introduction
2. Meaningful Use Requirement – Protect Electronic Health Information
3. Security Risk Analysis
4. Meaningful Use Audits
5. Questions

Introduction
Adam Kehler, CISSP, CEH
Privacy and Security Specialist, PA REACH East & West

Meaningful Use
1. In Stage 1, eligible professionals must conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
2. In Stage 2, eligible professionals need to meet the same security risk analysis requirements as Stage 1, but must also address the encryption/security of data at rest.
Note: a security risk analysis needs to be reviewed and updated for each reporting period for Stage 1 and Stage 2.

HIPAA Security Rule
“Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Once you have completed the risk analysis, you must take any additional ‘reasonable and appropriate’ steps to reduce identified risks to reasonable and appropriate levels.” (45 CFR (a)(1)(ii))

Myths & Facts
1. ALL providers must conduct a risk analysis; no exceptions.
2. Simply installing a certified EHR does not mean you’ve met the security requirements of the risk analysis.
3. Your EHR vendor is not responsible for your compliance with the HIPAA Security Rule or risk analysis.
4. You do not have to outsource your analysis (though you may wish to).
5. You must update your risk analysis periodically or as changes occur.

What is a Security Risk Analysis?

There is no single method or “best practice” that guarantees compliance, but most risk analysis and risk management processes have steps in common. OCR and NIST have provided guidance and recommendations.

Common Steps
1. Define the scope
2. Data collection
3. Identify and document potential threats to ePHI
4. Assess current security measures
5. Determine the likelihood of threat occurrence
6. Determine the potential impact of threat occurrence
7. Determine the level of risk
8. Finalize documentation
9. Continuous risk analysis

Example
Risk = Threat x Vulnerability x Impact
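An added example, not from the presentation, that applies the Common Steps and the Risk = Threat x Vulnerability x Impact formula to a constructed set of findings for a hypothetical certified EHR system; the qualitative scale, the risk-level thresholds, the finding fields and the placeholder NPI are all assumptions chosen here, not CMS or OCR requirements:

```python
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}  # qualitative scale; an assumption

@dataclass
class Finding:
    """One threat/vulnerability pair for the in-scope CEHRT system (steps 1-3)."""
    threat: str         # potential threat to ePHI
    vulnerability: str  # weakness the threat could exploit (step 4)
    likelihood: str     # step 5, likelihood of threat occurrence
    severity: str       # how exploitable the vulnerability is today
    impact: str         # step 6, impact on confidentiality/integrity/availability
    remediation: str    # planned mitigation
    remediated: bool = False

def risk_score(f: Finding) -> int:
    """Step 7: Risk = Threat x Vulnerability x Impact, scored 1..27."""
    return SCALE[f.likelihood] * SCALE[f.severity] * SCALE[f.impact]

def risk_level(score: int) -> str:
    """Thresholds are an assumption; each organization sets its own."""
    return "high" if score >= 12 else "medium" if score >= 4 else "low"

def open_items(findings):
    """Unremediated findings, highest risk first: the remediation plan an
    auditor expects to see completed, not just begun."""
    return sorted((f for f in findings if not f.remediated),
                  key=risk_score, reverse=True)

def sra_report(findings, performed_on: str, npi: str) -> dict:
    """Step 8: a dated report tied to the provider's system, listing each
    threat/vulnerability with its result and the open remediation items."""
    return {
        "performed_on": performed_on,  # must fall before the reporting period ends
        "provider_npi": npi,
        "results": [{"threat": f.threat, "vulnerability": f.vulnerability,
                     "risk": risk_level(risk_score(f))} for f in findings],
        "open_remediation": [f.remediation for f in open_items(findings)],
    }

# Constructed sample findings for a hypothetical EHR deployment.
FINDINGS = [
    Finding("Theft of backup tapes", "Backups not encrypted",
            "medium", "high", "high", "Encrypt backups at rest"),
    Finding("Lost clinician laptop", "No full-disk encryption",
            "high", "high", "high", "Deploy full-disk encryption", True),
    Finding("Guest Wi-Fi reaches EHR", "Flat network",
            "low", "medium", "medium", "Segment guest traffic"),
]
```

Calling sra_report(FINDINGS, "2016-12-15", "NPI-PLACEHOLDER") yields the dated results list and the two findings still awaiting remediation, which is the shape of evidence the audit guidance later in this presentation asks for.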

Why Not Just a Checklist
1. Every organization is different.
2. What is reasonable for one situation or organization is not reasonable for another.
3. Technology and threats are always changing.
So instead, it is simply required to identify your risks and do what is reasonable and appropriate to address them.

Meaningful Use Audits

Audits
Medicare audits are conducted by Figliozzi and Co.
Individual states arrange for Medicaid audits
Can be a pre- or post-payment audit
A right to appeal an audit determination is available
Failure of an audit requires that incentive monies be returned
Approximately 5% of MU participants will be audited

MU SRA Audit Guidance - Medicare
Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period.
Suggested Documentation: Report that documents the procedures performed during the analysis and the results. Report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.).

Medicaid Audits – West Virginia
Receive a letter from the WV Dept. of HHS
Will start as a desk audit; could follow up with an onsite audit if necessary
Letter contains a questionnaire to be filled out
Return questionnaire and supporting documentation via enclosed CD or flash drive (encrypt!)

Medicaid Audits

Medicaid Audits – Information Request

Audit Issues
Ensure that the Security Risk Analysis is a bona fide Security Risk Analysis of the Certified EHR Technology and not a narrative description of security controls in use at the organization nor a security gap analysis.
“The documentation provided for this measure is … not an actual security risk analysis specific to the CEHRT system. Acceptable documentation would be proof that a security risk analysis was performed prior to the end of the reporting period (i.e. a report that outlines procedures performed and the results of an analysis).”

Audit Issues
“The documentation provided is not a valid security risk analysis. Acceptable documentation would be proof that a security risk analysis of the certified EHR technology was performed prior to the end of the reporting period (i.e. a report which documents the procedures performed during the analysis and the results of the analysis. If material deficiencies were identified, mitigation of these deficiencies must be included).”

Audit Issues
Ensure that the SRA report documents the correct date of the SRA and does not include extraneous dates.
“The supplied security risk assessment was performed as of XX/XX/20XX. However, per CMS Regulations, a new review would have to occur for each subsequent reporting period. Therefore, we will need the security risk assessment that was completed for the 20XX attestation (i.e. a report which documents the procedures performed during the analysis, the noted threats/vulnerabilities, and the results of the analysis).”

Audit Issues
Ensure that remediation plans are complete.
“The …Remediation [Plan] of the risk analysis supplied was not completed.”
“A security risk management gap analysis was supplied. However, the results of the analysis, risks identified, and remediation plan to address the risks are also needed.”

Recommendations
Ensure what you are doing constitutes a “Security Risk Analysis” and is not just a checklist or description of security controls
Document the steps you followed
Document a risk mitigation strategy
Update your security risk analysis for each reporting period (i.e. annually)
If you are not comfortable with doing it yourself, seek outside help

Questions