In Part I, we outlined the Stage 1 and Stage 2 requirements for Meaningful Use Security attestation, namely, conducting a risk analysis and mitigating “identified security deficiencies as part of [a] risk management process.” In this part, we examine the attestation audit process, again as it relates to Meaningful Use Security, as described in the Frequently Asked Questions (FAQ) issued by the Centers for Medicare & Medicaid Services (CMS). Many of the statements reproduced below from FAQ#7711 describe the CMS audit process in general, but our focus here is on the Meaningful Use Security attestation. We use an ellipsis (…) to mark omitted passages on attestation considerations other than security, which you can read in full online at: https://questions.cms.gov/faq.php?id=5005&faqId=7711. FAQ#7711 was last updated on November 19, 2013.
The Stage 1 Security Core Measure for Eligible Professionals derives from the following Meaningful Use Objective:
“Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”
The Stage 1 Security Core Measure states:
“Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
One of the critical responsibilities of the management of covered entities and business associates is safeguarding protected health information (PHI) in hard-copy and electronic formats by implementing “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the [HIPAA] Security Rule.” [45 CFR 164.308(a)(1)(ii)(B)] This is a required implementation specification of the Security Management Process standard of the HIPAA Security Rule. That standard also includes required implementation specifications for conducting a risk analysis, from which safeguard policies and procedures are derived; implementing a sanction policy for workforce members who violate safeguard policies and procedures; and reviewing the effectiveness of safeguard policies and procedures on an ongoing basis.
August 11, 2014. The Sunday, August 10, 2014, New York Times carried a front-page article by Anemona Hartocollis entitled: “Baby Picture at Doctor’s? Cute, Sure, but Illegal.” We commend this article to your attention because what seems innocuous can be a violation of privacy under the HIPAA Administrative Simplification Rules. The Code of Federal Regulations (CFR) lists 18 identifiers that, alone or in combination, make health information “individually identifiable health information,” and that must be removed for the information to be de-identified and no longer treated as protected health information (PHI). [45 CFR 164.514(a)-(c)] These identifiers are:
August 7, 2014. Today’s Charleston, SC Post and Courier has an important article by AP Technology writer Anick Jesdanun entitled: “7 ways to create stronger passwords: News of Russian hacking ring highlights importance of protecting yourself online,” which is available online at: http://www.postandcourier.com/article/20140806/PC1601/140809586. We commend this article to your attention, and the explanations for the following seven password strengthening recommendations to deter unauthorized access to networks, systems, applications, devices, and media:
August 4, 2014. In today’s Federal Register (v.79, n.149, pp.45128-45134), the Department of Health and Human Services (HHS) published the Final Rule: “Administrative Simplification: Change to the Compliance Date for the International Classification of Diseases, 10th Revision (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets,” which is available online at: http://www.gpo.gov/fdsys/pkg/FR-2014-08-04/pdf/2014-18347.pdf. The new compliance date is October 1, 2015, which coincides with the new federal fiscal year for Medicare.