News Feature | November 6, 2014

New Guidelines From CMS On Security Risk Analysis

By Megan Williams, contributing writer

The Centers for Medicare and Medicaid Services (CMS) guidelines for security risk analysis have been amended for Meaningful Use (MU) Stage 2.

According to CMS, providers and their clients entering MU Stage 2 need to be aware of changes to the security risk analysis requirements. In Stage 2, eligible professionals (EPs) and eligible hospitals must not only continue to meet the Stage 1 requirements, but must also specifically address the encryption and security of data created or maintained by certified EHR technology (CEHRT).

The new objectives are a complement to (not a replacement for, or an expansion of) the existing requirements of the HIPAA Security Rule. Regarding the timing of completion, the CMS website states, “These steps may be completed outside of the EHR reporting period timeframe but must take place no earlier than the start of the reporting year and end of the reporting year. For example, an EP (eligible professional) who is reporting Meaningful Use for a 90 day EHR reporting period may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed no earlier than January 1st and no later than December 31st of the EHR reporting year.”

Tip Sheet

CMS has also provided a Security Risk Analysis Tipsheet that breaks down the steps involved in meeting the risk analysis requirement:

  • Performing A Security Risk Analysis. This section acknowledges that there is no single best method or best practice, but advises that providers and EPs review their current security infrastructure against industry best practices; identify potential threats and assess their impact on e-PHI (electronic protected health information); and prioritize the identified risks by severity.
  • Creating An Action Plan. Action plans involve a facility-specific review of the processes that may expose patient data to vulnerabilities. They may also call for updates to software, workflow processes, and storage methods, and additional staff training may be needed.
  • Protecting PHI. Once the risk analysis is complete, the identified risks to e-PHI should be reduced. This can involve measures as simple as a surge protection strip (to prevent damage to equipment), keeping servers in a locked room, and improving backup habits.

The Security Rule itself calls for “reasonable and appropriate administrative, physical, and technical safeguards” to protect patient information, and it allows covered entities to tailor their policies, procedures, and technology solutions to reach that goal.

Execution

For more information on actually implementing a security risk analysis, refer to HealthIT.gov’s page, “Health Information Privacy And Security: A 10 Step Plan.” That section of the site gives providers insight into working with vendors to meet HIPAA security requirements.