Healthcare Portability

Date Submitted: 10/25/2015 04:50 PM

Mindful of the requirement that eligible professionals in the Medicare and Medicaid EHR Incentive Programs conduct a security risk analysis in both Stage 1 and Stage 2 of Meaningful Use, the Centers for Medicare and Medicaid Services (CMS) recently released a Security Risk Analysis Tipsheet.

Incentive program requirements align with federal privacy and security standards, and CMS released these tips to aid HIPAA covered entities that are unsure of their responsibilities. Under HIPAA, 45 CFR 164.308(a)(1), these organizations must conduct risk analyses and take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. CMS provided these considerations for organizations performing risk analyses:

- Review the existing security infrastructure in your medical practice against legal requirements and industry best practices

- Identify potential threats to patient privacy and security and assess the impact on the confidentiality, integrity and availability of your e-PHI

- Prioritize risks based on the severity of their impact on your patients and practice

From there, CMS advises that organizations create a firm action plan to address areas of weakness, which may include updating system software, changing workflow processes or storage methods, reviewing and modifying policies and procedures, scheduling additional staff training, or taking other necessary corrective action to eliminate identified security deficiencies.

When looking at physical safeguards, organizations need to examine their physical facilities and any other places where patient data is accessed and that hold computer equipment and portable devices. Preventative methods include building alarm systems, locked offices and screens shielded from secondary viewers. CMS believes that organizations can shore up administrative security by having a designated security officer, solid staff security training, controlling information access an