Meaningful Use Security Attestation Compatibility with HIPAA Security Rule Compliance: Part II-CMS EHR Incentive Audit

In Part I, we outlined the Stage 1 and Stage 2 requirements for Meaningful Use Security attestation, namely, conducting a risk analysis and mitigating “identified security deficiencies as part of [a] risk management process.” In this part, we examine the attestation audit process, again as it relates to Meaningful Use Security, as described in Frequently Asked Questions (FAQ) issued by the Centers for Medicare & Medicaid Services (CMS). Many of the statements reproduced below from FAQ#7711 describe the CMS audit process generally, but the focus here is on Meaningful Use Security attestation. We use ellipsis (…) to indicate attestation considerations other than security, which you can check out online at: https://questions.cms.gov/faq.php?id=5005&faqId=7711. FAQ#7711 was last updated on November 19, 2013.


Meaningful Use Security Attestation Compatibility with HIPAA Security Rule Compliance: Part I-Risk Analysis

The Stage 1 Security Core Measure for Eligible Professionals derives from the following Meaningful Use Objective:


“Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”


The Stage 1 Security Core Measure states:


“Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”


More Attention to Risk Management Needed by Law Firms and Governance Boards

One of the critical responsibilities of management of covered entities and business associates is safeguarding protected health information (PHI) in hard copy and electronic formats by implementing “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the [HIPAA] Security Rule.” [45 CFR 164.308(a)(1)(ii)(B)] This is a critical required implementation specification of the Security Management Process standard of the HIPAA Security Rule, which also includes required implementation specifications for conducting a risk analysis, from which safeguard policies and procedures are derived; implementing a sanction policy for workforce members who violate safeguard policies and procedures; and reviewing the effectiveness of safeguard policies and procedures on an ongoing basis.


NY Times Article Highlights Need to Focus on and Safeguard HIPAA Protected Health Information (PHI) Identifiers

August 11, 2014. The Sunday, August 10, 2014, New York Times had a front-page article by Anemona Hartocollis entitled: “Baby Picture at Doctor’s? Cute, Sure, but Illegal.” We commend this article to your attention because what is seemingly innocuous can be a violation of privacy under the HIPAA Administrative Simplification Rules. The Code of Federal Regulations (CFR) lists 18 identifiers that comprise, alone or in combination, protected health information, or PHI, and that must be removed so that health information can no longer be treated as “individually identifiable health information”. [45 CFR 164.514(a)-(c)] These identifiers are:


Stronger Passwords Are Not a Substitute for Encryption for Securing Electronic Protected Health Information

August 7, 2014. Today’s Charleston, SC Post and Courier has an important article by AP Technology writer Anick Jesdanun entitled: “7 ways to create stronger passwords: News of Russian hacking ring highlights importance of protecting yourself online,” which is available online at: http://www.postandcourier.com/article/20140806/PC1601/140809586. We commend this article to your attention, along with its explanations of the following seven password-strengthening recommendations to deter unauthorized access to networks, systems, applications, devices, and media:

HHS Publishes Final Rule Setting ICD-10 Adoption Date of October 1, 2015

August 4, 2014. In today’s Federal Register (v.79, n.149, pp.45128-45134), the Department of Health and Human Services (HHS) published the Final Rule: “Administrative Simplification: Change to the Compliance Date for the International Classification of Diseases, 10th Revision (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets,” which is available online at: http://www.gpo.gov/fdsys/pkg/FR-2014-08-04/pdf/2014-18347.pdf. The new compliance date is October 1, 2015, which coincides with the start of the new federal fiscal year for Medicare.
