How to Leverage HIPAA for Meaningful Use
The overlap between HIPAA and Meaningful Use requirements
© 2015 SecurityMetrics
About this ebook

Who should read this ebook?
• Officers, practitioners, and managers in charge of HIPAA compliance and data security in small, medium, and large covered entities
• Anyone involved in Meaningful Use Incentive Program attestation

What does this ebook include?
• A brief overview of HIPAA and Meaningful Use
• Overlap of Meaningful Use and HIPAA requirements
• Instructions on how to accomplish data security requirements for HIPAA and Meaningful Use

Who is SecurityMetrics?
SecurityMetrics has helped over one million organizations comply with HIPAA, PCI DSS, and other mandates. Our solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff; we’ve got compliance covered.

Learn more about us at www.securitymetrics.com/hipaa
Introduction
No matter the size of your healthcare organization, you have many requirements, mandates, laws, policies, etc. to comply with and worry about. This is all on top of providing healthcare services to patients, the reason you got into healthcare in the first place. As most of you know, covered entities that handle protected health information (PHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare professionals like you, and the entities you work for, also participate in Medicare and Medicaid EHR Incentive Programs. Both HIPAA and Meaningful Use’s complex and time-consuming requirements fall under ‘the other stuff’ on your to-do list.

How this ebook helps
This ebook covers the overlap between HIPAA and Meaningful Use, including two important security protocols to help protect patient data. The goal of this ebook is to help you save time, money, and other resources by leveraging your HIPAA compliance requirements for Meaningful Use attestation.
What is Meaningful Use?
The Centers for Medicare and Medicaid Services (CMS) created incentive programs, commonly known as Meaningful Use, to encourage practices and hospitals to handle all their records electronically.

Eligible professionals (EP), eligible hospitals (EH), and critical access hospitals (CAH) can qualify for Meaningful Use programs. You are only allowed to participate in one incentive program, so if you qualify for both the Medicare and Medicaid EHR Incentive Programs, you must choose which program to participate in.

Meaningful Use programs are divided into three stages. Each new stage increases requirements and measures to further practice and hospital implementation of their Certified EHR Technology (CEHRT). The CEHRT is the actual system used to electronically handle PHI.
Meaningful Use Basics
Meaningful Use Alphabet Soup
CMS = Centers for Medicare and Medicaid Services
EHR = Electronic Health Records
CEHRT = Certified EHR Technology
CQMs = Clinical Quality Measures
EP = Eligible Professional
EH = Eligible Hospitals
CAH = Critical Access Hospitals
NQS Domains = National Quality Strategy Domains
Incentive Amounts
The incentive payments are what makes going through the pain of CEHRT implementation and Meaningful Use attestation worth it. We don’t like to call these kickbacks, but that’s kind of what they are. Essentially, the government gives you money to become CEHRT users and Meaningful Use participants. Maximum payout for EPs in the Medicare Incentive Program, if you started in 2011, is $43,720. See tables 1 and 2 for more detailed information.

Incentive payments for EHs and CAHs are more complicated than for EPs. Medicare and Medicaid payments have a maximum payout of $6,370,400 for EHs and CAHs. See EHR Incentive Program for Medicare Hospitals: Calculating Payments and Medicaid Hospital Incentive Payments Calculations for a detailed breakdown of the formulas.

Payments for Eligible Professionals (Tables 1 and 2)

Medicaid Payments
Year 1       $21,250
Year 2-6     $8,500
Max payout   $63,750

Medicare Payments (based on the year you start program)
2011         $43,720
2012         $43,480
2013         $38,220
2014         $23,520
Stages and Measures
Each attestation stage has a number of measures that EPs, EHs, and CAHs must complete and attest to each year. These measures are broken into three categories: core measures, menu measures, and clinical quality measures. Core measures are all required. Healthcare organizations must choose a certain number of menu objectives to complete. For example, in Stage 1, EPs must meet 5 menu measures from a total list of 9.

In addition to core and menu measures, there are clinical quality measures (CQMs). CQMs are tools that help measure and track the quality of health care services provided by EPs, EHs, and CAHs. Starting in 2014, the CQMs chosen must cover at least 3 of the 6 National Quality Strategy (NQS) domains. NQS domains represent the Department of Health and Human Services’ (HHS) priorities for health care quality improvement. To receive an incentive payment, providers are required to submit CQM data from their CEHRT.
Table 3: Measures for EP, EH and CAH

                            EP                    EH and CAH
                            Stage 1    Stage 2    Stage 1    Stage 2
Core measures               13         17         12         16
Menu measures               5 of 9     3 of 6     5 of 10    3 of 6
Clinical quality measures   9 of 64    9 of 64    All 15     16 of 29
Which stage are you in?
See which stage you are in based on your program participation start year.

1st year   Stage of Meaningful Use
           2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021
2011       1     1     1     2     2     3     3     TBD   TBD   TBD   TBD
2012             1     1     2     2     3     3     TBD   TBD   TBD   TBD
2013                   1     1     2     2     3     3     TBD   TBD   TBD
2014                         1     1     2     2     3     3     TBD   TBD
2015                               1     1     2     2     3     3     TBD
2016                                     1     1     2     2     3     3
2017                                           1     1     2     2     3
Data Security Measures

Stage 1 Data Security Measure
Within the measures that organizations must attest to, there are a few measures that specifically cover data security. Because we are discussing how Meaningful Use relates to HIPAA, specifically the Security Rule, it’s important you understand these measures.

On the Meaningful Use worksheets, it lists an objective for each measure. The data security core objective (measure 13 for EPs and 12 for EHs and CAHs) is “protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.” The measure for this objective is “conduct or review a security risk analysis in accordance with the requirements under 45 CFR (code of federal regulations) 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” The CFR requirement referenced in the measure is the HIPAA risk analysis requirement. Based on how these Meaningful Use measures are written, you can see that Meaningful Use and HIPAA are related. We’ll discuss how they are related in more detail in other sections.

Stage 2 Data Security Measure
In Stage 2, the data security objective is essentially the same as Stage 1 (measure 9 for EPs and 7 for EHs and CAHs), but the measures are expanded. Not only are EPs, EHs, and CAHs required to conduct or review a security risk analysis, they are to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.” In HIPAA, this is commonly known as a risk management plan. We’ll discuss the risk management plan more in the HIPAA section. CMS also added another HIPAA requirement in the measure for Stage 2, which is “addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.312 (d)(3).” Encryption protects sensitive data that is stored or transmitted to make it unreadable.

How encryption works
1. Data is entered into the computer
2. Before the data is stored/transmitted, it is transformed into unreadable code
3. Only with a special key does the data become readable once again
Does Meaningful Use Make Sense for You?
Although the idea of an incentive program is likely appealing, some professionals are starting to bail out. One reason is there are penalties if EPs, EHs, and CAHs can’t meet the measures and CQMs. The penalties for Meaningful Use really boil down to reduced Medicare or Medicaid payments of anywhere between 1-5%. A lot of the smaller physicians we talk to bill around $100,000 a year to Medicaid and Medicare. If they lose 1% of those payments, that’s $1,000 per year. If they lose up to 5%, that’s $5,000 per year. Does it make sense for them to spend the money and time it takes to complete those Meaningful Use attestations?

This is a big question for some providers, especially smaller ones. Incentive program participation decreased 17% in 2011. Participants decided it wasn’t worth the effort, so they bailed out in 2012. We recommend you take a look at your Medicaid and Medicare payments and do what makes sense for your practice.
HIPAA Components
Most people in the healthcare industry are familiar with the purpose of HIPAA compliance, but not everyone realizes the HIPAA standard is actually a combination of three separate rules: the Privacy Rule, Security Rule, and Breach Notification Rule.

Privacy Rule
The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations and designates the right for individuals to understand and control how their medical data is used.

Security Rule
The Security Rule sets standards for protecting PHI that is stored or transmitted in electronic form. The Security Rule is designed to be flexible and scalable to accommodate healthcare providers of all sizes and technology sophistication.

Breach Notification Rule
The Breach Notification Rule details the actions that must take place and the parties that must be notified in the event of a PHI breach.
HIPAA Basics
HIPAA Survey by NueMD
In October 2014, NueMD conducted a survey of more than 1,100 healthcare professionals to gauge their knowledge of HIPAA and preparedness for an audit. The results showed that only 35% said their business had conducted a mandatory HIPAA risk analysis.

HIPAA Risk Analysis
The risk analysis is the keystone of Security Rule compliance and data security efforts. The purpose of the risk analysis is to help covered entities identify and document potential security risks. Every security effort your organization needs to make will be determined by your risk analysis, so it’s critical to conduct a complete and thorough analysis.

HIPAA Risk Management Plan
The risk management plan is the end result of a risk analysis. Your risk management plan should include all the risks found during your risk analysis and how you will evaluate, prioritize, and implement security controls to remediate these risks.
Two Birds With One Stone
Will your Meaningful Use attestation count 100% for HIPAA compliance? No. Will HIPAA compliance count 100% for Meaningful Use attestation? No. There is no complete overlap between Meaningful Use and HIPAA.

However, there is enough overlap to make a significant impact. A risk analysis is one main requirement that applies to both Meaningful Use and HIPAA.

Common Risk Analysis Questions
Both HIPAA and Meaningful Use require a risk analysis. All stages of Meaningful Use include some element of a risk analysis and data security.

Will your Meaningful Use risk analysis cover your HIPAA risk analysis? Unfortunately, too often the answer is no. Entities get hung up on thinking that Meaningful Use is focused just on the CEHRT. Will your HIPAA risk analysis cover your Meaningful Use risk analysis? Normally yes, as long as you’ve done a complete and thorough analysis. The HIPAA risk analysis encompasses the CEHRT as well as all PHI, including paper records, emails, calendars, other systems, etc. Because the risk analysis includes the CEHRT, it also counts for Meaningful Use measures.
Meaningful Use and HIPAA Overlap
Elements of a Risk Analysis
Let’s make sure we are on the same page when we talk about a risk analysis. A risk analysis finds security issues in your PHI environment through the analysis of 3 components: vulnerabilities, threats, and risks.

A vulnerability is a flaw or weakness in a system, procedure, implementation, or security control that could result in a security breach. Vulnerabilities can be either technical or non-technical. Technical vulnerabilities can be holes, flaws, or weaknesses in IT systems. Non-technical vulnerabilities can be ineffective or non-existent procedures, policies, standards, and guidelines.

A threat is some force or person that might intentionally or unintentionally trigger a specific vulnerability. Oftentimes, threats are thought of in terms of computer systems and attackers exploiting those systems. But you also need to be aware of threats within your own internal systems. Technically, your staff is a threat. A workforce member could unintentionally or intentionally do something to trigger one of your vulnerabilities.
Risk Analysis Deep Dive
Vulnerability = a flaw or weakness in a system, procedure, or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability. Risks are really what auditors look at during HIPAA audits.

A risk analysis identifies vulnerabilities that expose your organization to potential risk. This will help you determine and prioritize the most threatening risks to take care of first, and which risks may not even be worth addressing in your risk management plan.

The HHS hasn’t given a specific risk analysis process to use, but did suggest using the NIST 800-30 guide.
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
Risk Management Plan
Both Meaningful Use and HIPAA require you to correct your security problems. The HHS recognizes that many organizations are not completely secure. They understand most of us have risks we haven’t fully remediated. They just want to see forward movement with HIPAA and patient data security.

Encrypt, Encrypt, Encrypt
Meaningful Use Stage 2 expanded patient data security requirements even further. Not only do you need to remediate risks found during the risk analysis, but you also need to include encryption and security of data stored in the CEHRT. While speaking at the HIMSS Privacy and Security Forum, Linda Sanches from HHS spoke about encryption as her most important advice to avoid a breach.

Encryption needs to go beyond the CEHRT and is required for all stored data under HIPAA. Based on the HHS Wall of Shame data as of 2014, nearly 55% of breaches were caused by loss or theft. Not all of these breaches could have been avoided by enabling encryption, but many could have.
Remediating Risks Deep Dive
We’ve learned that your HIPAA risk analysis will cover your Meaningful Use risk analysis requirement. We’ve also learned that both HIPAA and Meaningful Use require you to secure your patient data.

We are not sure what the Meaningful Use Stage 3 core measures will be, but it is safe to say there will be a requirement based on protecting patient data that will overlap with HIPAA. Although Meaningful Use attestation comes down to checking a yes or no box, there is a lot that goes into that one checkbox. It is important to go through a complete and thorough risk analysis, remediate risks, and implement encryption so you can truly say you’re protecting patient data.
Conclusion
HIPAA compliance can be a complicated and time-consuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace.
Contact us for a free HIPAA compliance consultation
8019956550 I hipaasecuritymetricscom
“SecurityMetrics gave me the support and help to quickly review my HIPAA compliance. A great and easy experience.”
– David Hunt, Elevate Fitness and Rehab
How to Leverage HIPAA for Meaningful Use | 2
Share this ebook
About this ebookWho should read this ebookbull OfficerspractitionersandmanagersinchargeofHIPAAcomplianceanddatasecurityinsmallmediumandlargecoveredentities
bull AnyoneinvolvedinMeaningfulUseIncentiveProgramattestation
What does this ebook includebull AbriefoverviewofHIPAAandMeaningful
Use bull OverlapofMeaningfulUseandHIPAArequirements
bull InstructionsonhowtoaccomplishdatasecurityrequirementsforHIPAAandMeaningful Use
Who is SecurityMetricsSecurityMetrics has helped over one million organizations comply with HIPAA PCI DSS and other mandates Our solutions com-bine innovative technology that stream-lines validation with the personal support you need to fully understand compliance requirements You focus on the business stuffmdashwersquove got compliance covered
Learn more about us atwwwsecuritymetricscomhipaa
How to Leverage HIPAA for Meaningful Use | 3
Share this ebook
IntroductionNomatterthesizeofyourhealthcareorganizationyou have many requirements mandates lawspoliciesetctocomplywithandworryaboutThisisallontopofprovidinghealthcareservices topatientsthereasonyougotintohealthcareinthefirstplaceAsmostofyouknowcoveredentitiesthat handle protected health information (PHI)arerequiredtocomplywiththeHealthInsurancePortabilityandAccountabilityAct(HIPAA)Manyhealthcareprofessionalslikeyouandtheentitiesyou work for also participate in Medicare andMedicaid EHR Incentive Programs BothHIPAAand Meaningful Usersquos complex and time con-suming requirements fall under lsquotheother stuffrsquoonyourtodolist
How this ebook helpsThis ebook covers the overlap between HIPAAand Meaningful Use including two importantsecurity protocols to help protect patient dataThegoalofthisebookistohelpyousavetimemoney andother resourcesby leveraging yourHIPAAcompliancerequirements forMeaningfulUseattestation
How to Leverage HIPAA for Meaningful Use | 4
Share this ebook
What is Meaningful UseThe Centers for Medicare and Medicaid Ser-vices (CMS) created incentive programs com-monly knownasMeaningfulUse toencouragepracticesandhospitalstohandlealltheirrecordselectronically
Eligibleprofessionals(EP)eligiblehospitals(EH)andcriticalaccesshospitals(CAH)canqualifyforMeaningfulUseprogramsYouareonlyallowedtoparticipateinoneincentiveprogramsoifyouqualifyforboththeMedicareandMedicaidEHRIncentiveProgramsyoumustchoosewhichpro-gramtoparticipatein
MeaningfulUseprogramsaredividedintothreestages Each new stage increases requirementsand measures to further practice and hospital
implementationof theirCertifiedEHR Technol-ogy (CEHRT) The CEHRT is the actual systemusedtoelectronicallyhandlePHI
Meaningful Use Basics
Meaningful UseAlphabet SoupCMS = Centers for Medicare and Medicaid Services
EHR = Electronic Health Records
CEHRT = Certified EHR Technology
CQMs = Clinical Quality Measures
EP = Eligible Professional
EH = Eligible Hospitals
CAH = Critical Access Hospitals
NQS Domains = National Quality Strategy Domains
How to Leverage HIPAA for Meaningful Use | 5
Share this ebook
Incentive AmountsThe incentive payments are what makes goingthroughthepainofCEHRTimplementationandMeaningful Use attestation worth it We donrsquotliketocallthesekickbacksbutthatrsquoskindofwhatthey are Essentially the government gives youmoneytobecomeCEHRTusersandMeaningfulUseparticipantsMaximumpayoutforEPsintheMedicareIncentiveProgramifyoustartedin2011is$43720Seetables1and2formoredetailedinformation
IncentivepaymentsforEHsandCAHsaremorecomplicatedthanforEPsMedicareandMedicaidpaymentshaveamaximumpayoutof$6370400forEHsandCAHsSeeEHR Incentive Program for Medicare Hospitals Calculating Payments and Medicaid Hospital Incentive Payments Calculations for a detailed breakdown of theformulas
Medicaid PaymentsYear1 $21250Year2-6 $8500
Maxpayout $63750
Medicare Payments2011 $437202012 $434802013 $382202014 $23520
Basedontheyearyoustartprogram
Payments for Eligible ProfessionalsTable 1
Table 2
HowtoLeverageHIPAAforMeaningfulUse|6
Stages and MeasuresEachattestationstagehasanumberofmeasuresthat EPs EHs and CAHs must complete andattest to each year Thesemeasures arebrokenintothreecategoriescoremeasuresmenumea-sures and clinical qualitymeasures Coremea-sures are all required Healthcare organizationsmust choose a certainnumberofmenuobjec-tives to complete For example in Stage 1 EPsmustmeet5menumeasuresfromatotallistof9
In addition to core andmenumeasures thereare clinical quality measures (CQMs)CQMsaretools thathelpmeasureand track thequalityofhealth care services provided by EPs EHs andCAHsStartingin2014theCQMschosenmustcoveratleast3ofthe6National Quality Strategy (NQS)domainsNQSdomainsrepresenttheDe-partmentofHealthandHumanServicesrsquo (HHS)prioritiesforhealthcarequalityimprovementToreceive an incentive payment providers are re-quiredtosubmitCQMdatafromtheirCEHRT
Measures for EP EH and CAHStage 1 Stage 2 Stage 1 Stage 2
Coremeasures 13 17 12 16
Menu measures 5of9 3of6 5 of 10 3of6
Clinicalqualitymeasures 9of64 9of64 All 15 16of29
Table 3
1st year
Stage of Meaningful Use2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021
2011 1 1 1 2 2 3 3 TBD TBD TBD TBD
2012 1 1 2 2 3 3 TBD TBD TBD TBD
2013 1 1 2 2 3 3 TBD TBD TBD
2014 1 1 2 2 3 3 TBD TBD
2015 1 1 2 2 3 3 TBD
2016 1 1 2 2 3 3
2017 1 1 2 2 3
Which stage are you inSee which stage you are in based on your program participation start year
HowtoLeverageHIPAAforMeaningfulUse|7
Share this ebook
Data Security MeasuresStage 1 Data Security MeasureWithin themeasures thatorganizationsmustat-testtothereareafewmeasuresthatspecificallycover data security Because we are discussinghowMeaningfulUserelatestoHIPAAspecifical-lytheSecurityRuleitrsquosimportantyouunderstandthesemeasures
OntheMeaningfulUseworksheetsitlistsanob-jective foreachmeasureThedata security coreobjective (measure 13 for EPs and12 for EHs and CAHs) is ldquoprotectelectronichealth informa-tion createdormaintainedby the certifiedEHRtechnologythroughtheimplementationofappro-priatetechnicalcapabilitiesrdquoThemeasureforthisobjectiveisldquoconductorreviewasecurityriskanal-ysis in accordance with the requirements under45CFR(codeof federal regulations)164308(a)(1)andimplementsecurityupdatesasnecessary
andcorrectidentifiedsecuritydeficienciesaspartofitsriskmanagementprocessrdquoTheCFRrequire-mentreferencedinthemeasureistheHIPAAriskanalysisrequirementBasedonhowtheseMean-ingfulUsemeasuresarewrittenyoucanseethatMeaningfulUseandHIPAAarerelatedWersquolldis-cusshowtheyarerelatedinmoredetailinothersections
Stage 2 Data Security MeasureInStage2 thedatasecurityobjective isessen-tially the same as Stage 1 (measure 9 for EPs and7 for EHs and CAHs)butthemeasuresareexpandedNotonlyareEPsEHsandCAHsre-quiredtoconductorreviewasecurityriskanal-ysis they are to ldquoimplement security updatesasnecessaryandcorrect identifiedsecurityde-ficienciesaspartof theproviderrsquos riskmanage-mentprocessrdquoInHIPAAthisiscommonlyknownasariskmanagementplanWersquolldiscusstherisk
How to Leverage HIPAA for Meaningful Use | 8
managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT
in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable
How encryption works1 Data is entered into the
computer2 Before the data is stored
transmitted it is transformed into unreadable code
3 Only with a special key does the data become readable once again
HowtoLeverageHIPAAforMeaningfulUse|9
Share this ebook
Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations
This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice
How to Leverage HIPAA for Meaningful Use | 10
Share this ebook
HIPAA ComponentsMostpeopleinthehealthcareindustryarefamiliarwith thepurposeofHIPAA compliancebut noteveryone realizes theHIPAA standard is actuallyacombinationofthreeseparaterulesthePrivacyRuleSecurityRuleandBreachNotificationRule
Privacy RuleThe Privacy Rule addresses appropriate PHI useand disclosure practices by healthcare organiza-tions and designates the right for individuals tounderstandandcontrolhowtheirmedicaldataisused
Security RuleThe Security Rule sets standards for protectingPHIthatisstoredortransmittedinelectronicformTheSecurityRule isdesigned tobeflexibleandscalabletoaccommodatehealthcareprovidersofallsizesandtechnologysophistication
Breach Notification RuleThe Breach Notification Rule details the actionsthatmusttakeplaceandthepartiesthatmustbenotifiedintheeventofaPHIbreach
HIPAA Basics
How to Leverage HIPAA for Meaningful Use | 11
HIPAA Surveyby NueMD
In October 2014 NueMD conducted a sur-vey of more than 1100 healthcare profes-sionals to gauge their knowledge of HIPAA and preparedness for an audit The results showed that only 35 said their business had conducted a mandatory HIPAA risk analysis
HIPAA Risk AnalysisTheriskanalysis is thekeystoneofSecurityRulecompliance and data security efforts The pur-poseoftheriskanalysisistohelpcoveredentitiesidentify and document potential security risksEvery security effort yourorganizationneeds tomakewillbedeterminedbyyourriskanalysissoitrsquoscritical toconductacompleteandthoroughanalysis
HIPAA Risk Management PlanTheriskmanagementplanistheendresultofarisk analysis Your riskmanagementplan shouldincludealltherisksfoundduringyourriskanalysisandhowyouwillevaluateprioritizeand imple-mentsecuritycontrolstoremediatetheserisks
How to Leverage HIPAA for Meaningful Use | 12
Share this ebook
Two Birds With One StoneWillyourMeaningfulUseattestationcount100forHIPAA complianceNoWillHIPAA compli-ancecount100forMeaningfulUseattestationNoThereisnocompleteoverlapbetweenMean-ingfulUseandHIPAA
Howeverthereisenoughoverlaptomakeasig-nificantimpactAriskanalysisisonemainrequire-ment that applies to bothMeaningfulUse andHIPAA
Common Risk Analysis Questions Both HIPAA andMeaningful Use require a riskanalysis All stages of Meaningful Use includesomeelementofariskanalysisanddatasecurity
WillyourMeaningfulUseriskanalysiscoveryourHIPAAriskanalysisUnfortunately toooftentheanswer is no Entities get hung up on thinkingthatMeaningfulUseisfocusedjustontheCEH-RTWillyourHIPAAriskanalysiscoveryourMean-ingfulUseriskanalysisNormallyyesaslongasyoursquovedoneacompleteand thoroughanalysisTheHIPAAriskanalysisencompassestheCEHRTaswellasallPHIincludingpaperrecordsemailscalendars other systems etc Because the riskanalysis includes the CEHRT it also counts forMeaningfulUsemeasures
Meaningful Use and HIPAA Overlap
How to Leverage HIPAA for Meaningful Use | 13
Share this ebook
Elements of a Risk AnalysisLetrsquosmakesureweareonthesamepagewhenwetalkaboutariskanalysisAriskanalysisfindssecurityissuesinyourPHIenvironmentthroughtheanalysisof3componentsvulnerabilitiesthreatsandrisks
Avulnerability isaflaworweaknessinasystemprocedure implementation or security controlthat could result in a security breach Vulnera-bilities canbe either technical or non-technicalTechnical vulnerabilities can be holes flaws orweaknesses in IT systemsNon-technical vulner-abilitiescanbeineffectiveornon-existentproce-durespoliciesstandardsandguidelines
Athreatissomeforceorpersonthatmightinten-tionallyorunintentionallytriggeraspecificvulner-abilityOftentimesthreatsarethoughtofintermsof computer systems and attackers exploiting
thosesystemsButyoualsoneedtobeawareofthreatswithinyourowninternalsystemsTechni-cally yourstaff isa threatAworkforcemembercould unintentionally or intentionally do some-thingtotriggeroneofyourvulnerabilities
Risk Analysis Deep Dive
Vulnerability = a flaw or weakness in a system procedure or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
How to Leverage HIPAA for Meaningful Use | 14
Share this ebook
Riskisthelikelihoodthatoneofthesethreatsacci-dentallyorintentionallytriggersthevulnerabilityRisksarereallywhatauditorslookatduringHIPAAaudits
Ariskanalysisidentifiesvulnerabilitiesthatexposeyourorganization topotential risk Thiswill helpyoudetermineandprioritize themost threaten-ingriskstotakecareoffirstandwhichrisksmaynotevenbeworthaddressing inyour riskman-agementplan
TheHHShasnrsquotgivenaspecificriskanalysispro-cesstousebutdidsuggestusingtheNIST 800-30 guide
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
How to Leverage HIPAA for Meaningful Use | 15
Share this ebook
Risk Management PlanBothMeaningfulUseandHIPAArequireyoutocorrectyoursecurityproblemsTheHHSrecog-nizesthatmanyorganizationsarenotcomplete-lysecureTheyunderstandmostofushaveriskswehavenrsquotfullyremediatedTheyjustwanttoseeforwardmovementwithHIPAAandpatientdatasecurity
Encrypt Encrypt EncryptMeaningfulUseStage2expandedpatientdatasecurity requirementseven furtherNotonlydoyouneedtoremediaterisksfoundduringtheriskanalysisbutyoualsoneedtoincludeencryptionandsecurityofdatastoredintheCEHRTWhilespeaking at the HIMSS Privacy and Security
Forum Linda Sanches from HHS spoke aboutencryptionashermostimportantadvicetoavoidabreach
EncryptionneedstogobeyondtheCEHRTandisrequiredforallstoreddataunderHIPAABasedontheHHSWallofShamedataasof2014near-ly55ofbreacheswerecausedbylossortheftNotallofthesebreachescouldhavebeenavoid-edbyenablingencryptionbutmanycouldhave
Remediating Risks Deep Dive
HowtoLeverageHIPAAforMeaningfulUse|16
Share this ebook
Wersquove learned that your HIPAA risk analysis willcover yourMeaningfulUse risk analysis require-mentWersquove also learned thatbothHIPAAandMeaningfulUse require you to secure your pa-tientdata
WearenotsurewhattheMeaningfulUseStage3coremeasureswillbebutitissafetosaytherewillbearequirementbasedonprotectingpatientdatathatwilloverlapwithHIPAAAlthoughMean-ingfulUseattestationcomesdowntocheckingayesornoboxthereisalotthatgoesintothatonecheckboxIt isimportanttogothroughacom-pleteandthoroughriskanalysisremediaterisksand implementencryption soyoucan truly sayyoursquoreprotectingpatientdata
Conclusion
HIPAA compliance can be a complicated and time-consuming project SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace
Contact us for a free HIPAA compliance consultation
8019956550 I hipaasecuritymetricscom
SecurityMetrics gave me the support and
help to quickly review my HIPAA compliance
A great and easy experiencerdquo
ndash David HuntElevate Fitness and Rehab
How to Leverage HIPAA for Meaningful Use | 3
Share this ebook
IntroductionNomatterthesizeofyourhealthcareorganizationyou have many requirements mandates lawspoliciesetctocomplywithandworryaboutThisisallontopofprovidinghealthcareservices topatientsthereasonyougotintohealthcareinthefirstplaceAsmostofyouknowcoveredentitiesthat handle protected health information (PHI)arerequiredtocomplywiththeHealthInsurancePortabilityandAccountabilityAct(HIPAA)Manyhealthcareprofessionalslikeyouandtheentitiesyou work for also participate in Medicare andMedicaid EHR Incentive Programs BothHIPAAand Meaningful Usersquos complex and time con-suming requirements fall under lsquotheother stuffrsquoonyourtodolist
How this ebook helpsThis ebook covers the overlap between HIPAAand Meaningful Use including two importantsecurity protocols to help protect patient dataThegoalofthisebookistohelpyousavetimemoney andother resourcesby leveraging yourHIPAAcompliancerequirements forMeaningfulUseattestation
Meaningful Use Basics
What is Meaningful Use?
The Centers for Medicare and Medicaid Services (CMS) created incentive programs, commonly known as Meaningful Use, to encourage practices and hospitals to handle all their records electronically.
Eligible professionals (EP), eligible hospitals (EH), and critical access hospitals (CAH) can qualify for Meaningful Use programs. You are only allowed to participate in one incentive program, so if you qualify for both the Medicare and Medicaid EHR Incentive Programs, you must choose which program to participate in.
Meaningful Use programs are divided into three stages. Each new stage increases requirements and measures to further practice and hospital implementation of their Certified EHR Technology (CEHRT). The CEHRT is the actual system used to electronically handle PHI.
Meaningful Use Alphabet Soup
CMS = Centers for Medicare and Medicaid Services
EHR = Electronic Health Records
CEHRT = Certified EHR Technology
CQMs = Clinical Quality Measures
EP = Eligible Professional
EH = Eligible Hospitals
CAH = Critical Access Hospitals
NQS Domains = National Quality Strategy Domains
Incentive Amounts
The incentive payments are what make going through the pain of CEHRT implementation and Meaningful Use attestation worth it. We don't like to call these kickbacks, but that's kind of what they are. Essentially, the government gives you money to become CEHRT users and Meaningful Use participants. Maximum payout for EPs in the Medicare Incentive Program, if you started in 2011, is $43,720. See tables 1 and 2 for more detailed information.
Incentive payments for EHs and CAHs are more complicated than for EPs. Medicare and Medicaid payments have a maximum payout of $6,370,400 for EHs and CAHs. See "EHR Incentive Program for Medicare Hospitals Calculating Payments" and "Medicaid Hospital Incentive Payments Calculations" for a detailed breakdown of the formulas.
Tables 1 and 2: Payments for Eligible Professionals
Medicaid Payments
Year 1      $21,250
Year 2-6    $8,500
Max payout  $63,750
Medicare Payments (based on the year you start the program)
2011        $43,720
2012        $43,480
2013        $38,220
2014        $23,520
Stages and Measures
Each attestation stage has a number of measures that EPs, EHs, and CAHs must complete and attest to each year. These measures are broken into three categories: core measures, menu measures, and clinical quality measures. Core measures are all required. Healthcare organizations must choose a certain number of menu objectives to complete. For example, in Stage 1, EPs must meet 5 menu measures from a total list of 9.
In addition to core and menu measures, there are clinical quality measures (CQMs). CQMs are tools that help measure and track the quality of health care services provided by EPs, EHs, and CAHs. Starting in 2014, the CQMs chosen must cover at least 3 of the 6 National Quality Strategy (NQS) domains. NQS domains represent the Department of Health and Human Services' (HHS) priorities for health care quality improvement. To receive an incentive payment, providers are required to submit CQM data from their CEHRT.
Table 3: Measures for EP, EH, and CAH
                           EP Stage 1  EP Stage 2  EH/CAH Stage 1  EH/CAH Stage 2
Core measures              13          17          12              16
Menu measures              5 of 9      3 of 6      5 of 10         3 of 6
Clinical quality measures  9 of 64     9 of 64     All 15          16 of 29
Which stage are you in?
See which stage you are in based on your program participation start year.
Stage of Meaningful Use
1st year  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021
2011      1     1     1     2     2     3     3     TBD   TBD   TBD   TBD
2012      -     1     1     2     2     3     3     TBD   TBD   TBD   TBD
2013      -     -     1     1     2     2     3     3     TBD   TBD   TBD
2014      -     -     -     1     1     2     2     3     3     TBD   TBD
2015      -     -     -     -     1     1     2     2     3     3     TBD
2016      -     -     -     -     -     1     1     2     2     3     3
2017      -     -     -     -     -     -     1     1     2     2     3
Data Security Measures
Stage 1 Data Security Measure
Within the measures that organizations must attest to, there are a few measures that specifically cover data security. Because we are discussing how Meaningful Use relates to HIPAA, specifically the Security Rule, it's important you understand these measures.
The Meaningful Use worksheets list an objective for each measure. The data security core objective (measure 13 for EPs and 12 for EHs and CAHs) is to "protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities." The measure for this objective is "conduct or review a security risk analysis in accordance with the requirements under 45 CFR (code of federal regulations) 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process." The CFR requirement referenced in the measure is the HIPAA risk analysis requirement. Based on how these Meaningful Use measures are written, you can see that Meaningful Use and HIPAA are related. We'll discuss how they are related in more detail in other sections.
Stage 2 Data Security Measure
In Stage 2, the data security objective is essentially the same as Stage 1 (measure 9 for EPs and 7 for EHs and CAHs), but the measures are expanded. Not only are EPs, EHs, and CAHs required to conduct or review a security risk analysis, they are to "implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process." In HIPAA, this is commonly known as a risk management plan. We'll discuss the risk management plan more in the HIPAA section. CMS also added another HIPAA requirement in the measure for Stage 2, which is "addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.312 (d)(3)." Encryption protects sensitive data that is stored or transmitted by making it unreadable.
How encryption works
1. Data is entered into the computer.
2. Before the data is stored/transmitted, it is transformed into unreadable code.
3. Only with a special key does the data become readable once again.
Does Meaningful Use Make Sense for You?
Although the idea of an incentive program is likely appealing, some professionals are starting to bail out. One reason is there are penalties if EPs, EHs, and CAHs can't meet the measures and CQMs. The penalties for Meaningful Use really boil down to reduced Medicare or Medicaid payments of anywhere between 1-5%. A lot of the smaller physicians we talk to bill around $100,000 a year to Medicaid and Medicare. If they lose 1% of those payments, that's $1,000 per year. If they lose up to 5%, that's $5,000 per year. Does it make sense for them to spend the money and time it takes to complete those Meaningful Use attestations?
This is a big question for some providers, especially smaller ones. Incentive program participation decreased 17% in 2011. Participants decided it wasn't worth the effort, so they bailed out in 2012. We recommend you take a look at your Medicaid and Medicare payments and do what makes sense for your practice.
HIPAA Basics
HIPAA Components
Most people in the healthcare industry are familiar with the purpose of HIPAA compliance, but not everyone realizes the HIPAA standard is actually a combination of three separate rules: the Privacy Rule, Security Rule, and Breach Notification Rule.
Privacy Rule
The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations and designates the right for individuals to understand and control how their medical data is used.
Security Rule
The Security Rule sets standards for protecting PHI that is stored or transmitted in electronic form. The Security Rule is designed to be flexible and scalable to accommodate healthcare providers of all sizes and technology sophistication.
Breach Notification Rule
The Breach Notification Rule details the actions that must take place and the parties that must be notified in the event of a PHI breach.
HIPAA Survey by NueMD
In October 2014, NueMD conducted a survey of more than 1,100 healthcare professionals to gauge their knowledge of HIPAA and preparedness for an audit. The results showed that only 35% said their business had conducted a mandatory HIPAA risk analysis.
HIPAA Risk Analysis
The risk analysis is the keystone of Security Rule compliance and data security efforts. The purpose of the risk analysis is to help covered entities identify and document potential security risks. Every security effort your organization needs to make will be determined by your risk analysis, so it's critical to conduct a complete and thorough analysis.
HIPAA Risk Management Plan
The risk management plan is the end result of a risk analysis. Your risk management plan should include all the risks found during your risk analysis and how you will evaluate, prioritize, and implement security controls to remediate these risks.
Meaningful Use and HIPAA Overlap
Two Birds With One Stone
Will your Meaningful Use attestation count 100% for HIPAA compliance? No. Will HIPAA compliance count 100% for Meaningful Use attestation? No. There is no complete overlap between Meaningful Use and HIPAA.
However, there is enough overlap to make a significant impact. A risk analysis is one main requirement that applies to both Meaningful Use and HIPAA.
Common Risk Analysis Questions
Both HIPAA and Meaningful Use require a risk analysis. All stages of Meaningful Use include some element of a risk analysis and data security.
Will your Meaningful Use risk analysis cover your HIPAA risk analysis? Unfortunately, too often the answer is no. Entities get hung up on thinking that Meaningful Use is focused just on the CEHRT. Will your HIPAA risk analysis cover your Meaningful Use risk analysis? Normally yes, as long as you've done a complete and thorough analysis. The HIPAA risk analysis encompasses the CEHRT as well as all PHI, including paper records, emails, calendars, other systems, etc. Because the risk analysis includes the CEHRT, it also counts for Meaningful Use measures.
Risk Analysis Deep Dive
Elements of a Risk Analysis
Let's make sure we are on the same page when we talk about a risk analysis. A risk analysis finds security issues in your PHI environment through the analysis of 3 components: vulnerabilities, threats, and risks.
A vulnerability is a flaw or weakness in a system, procedure, implementation, or security control that could result in a security breach. Vulnerabilities can be either technical or non-technical. Technical vulnerabilities can be holes, flaws, or weaknesses in IT systems. Non-technical vulnerabilities can be ineffective or non-existent procedures, policies, standards, and guidelines.
A threat is some force or person that might intentionally or unintentionally trigger a specific vulnerability. Oftentimes, threats are thought of in terms of computer systems and attackers exploiting those systems. But you also need to be aware of threats within your own internal systems. Technically, your staff is a threat. A workforce member could unintentionally or intentionally do something to trigger one of your vulnerabilities.
Vulnerability = a flaw or weakness in a system, procedure, or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability. Risks are really what auditors look at during HIPAA audits.
A risk analysis identifies vulnerabilities that expose your organization to potential risk. This will help you determine and prioritize the most threatening risks to take care of first and which risks may not even be worth addressing in your risk management plan.
The HHS hasn't given a specific risk analysis process to use, but did suggest using the NIST 800-30 guide.
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
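The process steps above, carried through on a small risk register, as an added example that is not part of the original ebook. The three-level scale, the scoring matrix, the asset list and every finding are constructed assumptions; the example also shows which findings a CEHRT-only scope leaves out compared with a HIPAA-wide scope.

```python
from dataclasses import dataclass

# Assumed three-level qualitative scale; the ebook does not prescribe one.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    holds_phi: bool          # anything holding PHI is in HIPAA scope
    in_cehrt: bool           # part of the Certified EHR Technology
    electronic: bool         # paper records are in scope but cannot be encrypted
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str
    threat: str
    likelihood: str
    impact: str


def risk_level(likelihood, impact):
    """Combine likelihood and impact into a risk level (assumed matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    return "moderate" if score >= 3 else "low"


def in_scope(assets, cehrt_only=False):
    """Scope step: HIPAA covers every PHI asset; a CEHRT-only view does not."""
    return {a.name for a in assets
            if a.holds_phi and (a.in_cehrt or not cehrt_only)}


def encryption_findings(assets):
    """Raise a finding for each electronic PHI store that is not encrypted."""
    return [Finding(a.name, "stored PHI is not encrypted",
                    "loss or theft of the device or media",
                    "moderate", "high")  # assumed default ratings
            for a in assets
            if a.holds_phi and a.electronic and not a.encrypted_at_rest]


def build_plan(assets, findings, cehrt_only=False):
    """Score the in-scope findings and order them, highest risk first."""
    scope = in_scope(assets, cehrt_only)
    rows = [{"asset": f.asset, "vulnerability": f.vulnerability,
             "threat": f.threat,
             "score": LEVELS[f.likelihood] * LEVELS[f.impact],
             "level": risk_level(f.likelihood, f.impact)}
            for f in list(findings) + encryption_findings(assets)
            if f.asset in scope]
    # sorted() is stable, so equal scores keep their input order.
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def missed_by_cehrt_only(assets, findings):
    """Findings a HIPAA-wide analysis reports that a CEHRT-only one omits."""
    narrow = build_plan(assets, findings, cehrt_only=True)
    return [r for r in build_plan(assets, findings) if r not in narrow]


# Constructed sample data, for illustration only.
ASSETS = [
    Asset("EHR database", True, True, True, True),
    Asset("Front-desk laptop", True, False, True, False),
    Asset("Paper charts", True, False, False, False),
    Asset("Email server", True, False, True, True),
    Asset("Public website", False, False, True, False),
]
FINDINGS = [
    Finding("EHR database", "shared administrator account",
            "workforce member misuse", "moderate", "high"),
    Finding("Front-desk laptop", "no screen-lock procedure",
            "unattended screen viewed by a visitor", "moderate", "moderate"),
    Finding("Paper charts", "records room left unlocked",
            "theft of charts", "low", "high"),
    Finding("Email server", "PHI sent to personal mailboxes",
            "misdirected message", "high", "moderate"),
    Finding("Public website", "outdated plugin",
            "defacement", "high", "low"),
]

if __name__ == "__main__":
    for row in build_plan(ASSETS, FINDINGS):
        print(f'{row["level"]:<9}{row["asset"]:<19}{row["vulnerability"]}')
    print("Missed by a CEHRT-only scope:",
          len(missed_by_cehrt_only(ASSETS, FINDINGS)))
```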
Remediating Risks Deep Dive
Risk Management Plan
Both Meaningful Use and HIPAA require you to correct your security problems. The HHS recognizes that many organizations are not completely secure. They understand most of us have risks we haven't fully remediated. They just want to see forward movement with HIPAA and patient data security.
Encrypt, Encrypt, Encrypt
Meaningful Use Stage 2 expanded patient data security requirements even further. Not only do you need to remediate risks found during the risk analysis, but you also need to include encryption and security of data stored in the CEHRT. While speaking at the HIMSS Privacy and Security Forum, Linda Sanches from HHS spoke about encryption as her most important advice to avoid a breach.
Encryption needs to go beyond the CEHRT and is required for all stored data under HIPAA. Based on the HHS Wall of Shame data, as of 2014 nearly 55% of breaches were caused by loss or theft. Not all of these breaches could have been avoided by enabling encryption, but many could have.
Conclusion
We've learned that your HIPAA risk analysis will cover your Meaningful Use risk analysis requirement. We've also learned that both HIPAA and Meaningful Use require you to secure your patient data.
We are not sure what the Meaningful Use Stage 3 core measures will be, but it is safe to say there will be a requirement based on protecting patient data that will overlap with HIPAA. Although Meaningful Use attestation comes down to checking a yes or no box, there is a lot that goes into that one checkbox. It is important to go through a complete and thorough risk analysis, remediate risks, and implement encryption so you can truly say you're protecting patient data.
HIPAA compliance can be a complicated and time-consuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace.
Contact us for a free HIPAA compliance consultation.
8019956550 I hipaasecuritymetricscom
“SecurityMetrics gave me the support and help to quickly review my HIPAA compliance. A great and easy experience.”
– David Hunt, Elevate Fitness and Rehab
How to Leverage HIPAA for Meaningful Use | 4
Share this ebook
What is Meaningful UseThe Centers for Medicare and Medicaid Ser-vices (CMS) created incentive programs com-monly knownasMeaningfulUse toencouragepracticesandhospitalstohandlealltheirrecordselectronically
Eligibleprofessionals(EP)eligiblehospitals(EH)andcriticalaccesshospitals(CAH)canqualifyforMeaningfulUseprogramsYouareonlyallowedtoparticipateinoneincentiveprogramsoifyouqualifyforboththeMedicareandMedicaidEHRIncentiveProgramsyoumustchoosewhichpro-gramtoparticipatein
MeaningfulUseprogramsaredividedintothreestages Each new stage increases requirementsand measures to further practice and hospital
implementationof theirCertifiedEHR Technol-ogy (CEHRT) The CEHRT is the actual systemusedtoelectronicallyhandlePHI
Meaningful Use Basics
Meaningful UseAlphabet SoupCMS = Centers for Medicare and Medicaid Services
EHR = Electronic Health Records
CEHRT = Certified EHR Technology
CQMs = Clinical Quality Measures
EP = Eligible Professional
EH = Eligible Hospitals
CAH = Critical Access Hospitals
NQS Domains = National Quality Strategy Domains
How to Leverage HIPAA for Meaningful Use | 5
Share this ebook
Incentive AmountsThe incentive payments are what makes goingthroughthepainofCEHRTimplementationandMeaningful Use attestation worth it We donrsquotliketocallthesekickbacksbutthatrsquoskindofwhatthey are Essentially the government gives youmoneytobecomeCEHRTusersandMeaningfulUseparticipantsMaximumpayoutforEPsintheMedicareIncentiveProgramifyoustartedin2011is$43720Seetables1and2formoredetailedinformation
IncentivepaymentsforEHsandCAHsaremorecomplicatedthanforEPsMedicareandMedicaidpaymentshaveamaximumpayoutof$6370400forEHsandCAHsSeeEHR Incentive Program for Medicare Hospitals Calculating Payments and Medicaid Hospital Incentive Payments Calculations for a detailed breakdown of theformulas
Medicaid PaymentsYear1 $21250Year2-6 $8500
Maxpayout $63750
Medicare Payments2011 $437202012 $434802013 $382202014 $23520
Basedontheyearyoustartprogram
Payments for Eligible ProfessionalsTable 1
Table 2
HowtoLeverageHIPAAforMeaningfulUse|6
Stages and MeasuresEachattestationstagehasanumberofmeasuresthat EPs EHs and CAHs must complete andattest to each year Thesemeasures arebrokenintothreecategoriescoremeasuresmenumea-sures and clinical qualitymeasures Coremea-sures are all required Healthcare organizationsmust choose a certainnumberofmenuobjec-tives to complete For example in Stage 1 EPsmustmeet5menumeasuresfromatotallistof9
In addition to core andmenumeasures thereare clinical quality measures (CQMs)CQMsaretools thathelpmeasureand track thequalityofhealth care services provided by EPs EHs andCAHsStartingin2014theCQMschosenmustcoveratleast3ofthe6National Quality Strategy (NQS)domainsNQSdomainsrepresenttheDe-partmentofHealthandHumanServicesrsquo (HHS)prioritiesforhealthcarequalityimprovementToreceive an incentive payment providers are re-quiredtosubmitCQMdatafromtheirCEHRT
Measures for EP EH and CAHStage 1 Stage 2 Stage 1 Stage 2
Coremeasures 13 17 12 16
Menu measures 5of9 3of6 5 of 10 3of6
Clinicalqualitymeasures 9of64 9of64 All 15 16of29
Table 3
1st year
Stage of Meaningful Use2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021
2011 1 1 1 2 2 3 3 TBD TBD TBD TBD
2012 1 1 2 2 3 3 TBD TBD TBD TBD
2013 1 1 2 2 3 3 TBD TBD TBD
2014 1 1 2 2 3 3 TBD TBD
2015 1 1 2 2 3 3 TBD
2016 1 1 2 2 3 3
2017 1 1 2 2 3
Which stage are you inSee which stage you are in based on your program participation start year
HowtoLeverageHIPAAforMeaningfulUse|7
Share this ebook
Data Security MeasuresStage 1 Data Security MeasureWithin themeasures thatorganizationsmustat-testtothereareafewmeasuresthatspecificallycover data security Because we are discussinghowMeaningfulUserelatestoHIPAAspecifical-lytheSecurityRuleitrsquosimportantyouunderstandthesemeasures
OntheMeaningfulUseworksheetsitlistsanob-jective foreachmeasureThedata security coreobjective (measure 13 for EPs and12 for EHs and CAHs) is ldquoprotectelectronichealth informa-tion createdormaintainedby the certifiedEHRtechnologythroughtheimplementationofappro-priatetechnicalcapabilitiesrdquoThemeasureforthisobjectiveisldquoconductorreviewasecurityriskanal-ysis in accordance with the requirements under45CFR(codeof federal regulations)164308(a)(1)andimplementsecurityupdatesasnecessary
andcorrectidentifiedsecuritydeficienciesaspartofitsriskmanagementprocessrdquoTheCFRrequire-mentreferencedinthemeasureistheHIPAAriskanalysisrequirementBasedonhowtheseMean-ingfulUsemeasuresarewrittenyoucanseethatMeaningfulUseandHIPAAarerelatedWersquolldis-cusshowtheyarerelatedinmoredetailinothersections
Stage 2 Data Security MeasureInStage2 thedatasecurityobjective isessen-tially the same as Stage 1 (measure 9 for EPs and7 for EHs and CAHs)butthemeasuresareexpandedNotonlyareEPsEHsandCAHsre-quiredtoconductorreviewasecurityriskanal-ysis they are to ldquoimplement security updatesasnecessaryandcorrect identifiedsecurityde-ficienciesaspartof theproviderrsquos riskmanage-mentprocessrdquoInHIPAAthisiscommonlyknownasariskmanagementplanWersquolldiscusstherisk
How to Leverage HIPAA for Meaningful Use | 8
managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT
in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable
How encryption works1 Data is entered into the
computer2 Before the data is stored
transmitted it is transformed into unreadable code
3 Only with a special key does the data become readable once again
HowtoLeverageHIPAAforMeaningfulUse|9
Share this ebook
Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations
This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice
How to Leverage HIPAA for Meaningful Use | 10
Share this ebook
HIPAA ComponentsMostpeopleinthehealthcareindustryarefamiliarwith thepurposeofHIPAA compliancebut noteveryone realizes theHIPAA standard is actuallyacombinationofthreeseparaterulesthePrivacyRuleSecurityRuleandBreachNotificationRule
Privacy RuleThe Privacy Rule addresses appropriate PHI useand disclosure practices by healthcare organiza-tions and designates the right for individuals tounderstandandcontrolhowtheirmedicaldataisused
Security RuleThe Security Rule sets standards for protectingPHIthatisstoredortransmittedinelectronicformTheSecurityRule isdesigned tobeflexibleandscalabletoaccommodatehealthcareprovidersofallsizesandtechnologysophistication
Breach Notification RuleThe Breach Notification Rule details the actionsthatmusttakeplaceandthepartiesthatmustbenotifiedintheeventofaPHIbreach
HIPAA Basics
How to Leverage HIPAA for Meaningful Use | 11
HIPAA Surveyby NueMD
In October 2014 NueMD conducted a sur-vey of more than 1100 healthcare profes-sionals to gauge their knowledge of HIPAA and preparedness for an audit The results showed that only 35 said their business had conducted a mandatory HIPAA risk analysis
HIPAA Risk AnalysisTheriskanalysis is thekeystoneofSecurityRulecompliance and data security efforts The pur-poseoftheriskanalysisistohelpcoveredentitiesidentify and document potential security risksEvery security effort yourorganizationneeds tomakewillbedeterminedbyyourriskanalysissoitrsquoscritical toconductacompleteandthoroughanalysis
HIPAA Risk Management PlanTheriskmanagementplanistheendresultofarisk analysis Your riskmanagementplan shouldincludealltherisksfoundduringyourriskanalysisandhowyouwillevaluateprioritizeand imple-mentsecuritycontrolstoremediatetheserisks
How to Leverage HIPAA for Meaningful Use | 12
Share this ebook
Two Birds With One StoneWillyourMeaningfulUseattestationcount100forHIPAA complianceNoWillHIPAA compli-ancecount100forMeaningfulUseattestationNoThereisnocompleteoverlapbetweenMean-ingfulUseandHIPAA
Howeverthereisenoughoverlaptomakeasig-nificantimpactAriskanalysisisonemainrequire-ment that applies to bothMeaningfulUse andHIPAA
Common Risk Analysis Questions Both HIPAA andMeaningful Use require a riskanalysis All stages of Meaningful Use includesomeelementofariskanalysisanddatasecurity
WillyourMeaningfulUseriskanalysiscoveryourHIPAAriskanalysisUnfortunately toooftentheanswer is no Entities get hung up on thinkingthatMeaningfulUseisfocusedjustontheCEH-RTWillyourHIPAAriskanalysiscoveryourMean-ingfulUseriskanalysisNormallyyesaslongasyoursquovedoneacompleteand thoroughanalysisTheHIPAAriskanalysisencompassestheCEHRTaswellasallPHIincludingpaperrecordsemailscalendars other systems etc Because the riskanalysis includes the CEHRT it also counts forMeaningfulUsemeasures
Meaningful Use and HIPAA Overlap
How to Leverage HIPAA for Meaningful Use | 13
Share this ebook
Elements of a Risk AnalysisLetrsquosmakesureweareonthesamepagewhenwetalkaboutariskanalysisAriskanalysisfindssecurityissuesinyourPHIenvironmentthroughtheanalysisof3componentsvulnerabilitiesthreatsandrisks
Avulnerability isaflaworweaknessinasystemprocedure implementation or security controlthat could result in a security breach Vulnera-bilities canbe either technical or non-technicalTechnical vulnerabilities can be holes flaws orweaknesses in IT systemsNon-technical vulner-abilitiescanbeineffectiveornon-existentproce-durespoliciesstandardsandguidelines
Athreatissomeforceorpersonthatmightinten-tionallyorunintentionallytriggeraspecificvulner-abilityOftentimesthreatsarethoughtofintermsof computer systems and attackers exploiting
thosesystemsButyoualsoneedtobeawareofthreatswithinyourowninternalsystemsTechni-cally yourstaff isa threatAworkforcemembercould unintentionally or intentionally do some-thingtotriggeroneofyourvulnerabilities
Risk Analysis Deep Dive
Vulnerability = a flaw or weakness in a system procedure or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
How to Leverage HIPAA for Meaningful Use | 14
Share this ebook
Riskisthelikelihoodthatoneofthesethreatsacci-dentallyorintentionallytriggersthevulnerabilityRisksarereallywhatauditorslookatduringHIPAAaudits
Ariskanalysisidentifiesvulnerabilitiesthatexposeyourorganization topotential risk Thiswill helpyoudetermineandprioritize themost threaten-ingriskstotakecareoffirstandwhichrisksmaynotevenbeworthaddressing inyour riskman-agementplan
TheHHShasnrsquotgivenaspecificriskanalysispro-cesstousebutdidsuggestusingtheNIST 800-30 guide
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
How to Leverage HIPAA for Meaningful Use | 15
Share this ebook
Risk Management PlanBothMeaningfulUseandHIPAArequireyoutocorrectyoursecurityproblemsTheHHSrecog-nizesthatmanyorganizationsarenotcomplete-lysecureTheyunderstandmostofushaveriskswehavenrsquotfullyremediatedTheyjustwanttoseeforwardmovementwithHIPAAandpatientdatasecurity
Encrypt Encrypt EncryptMeaningfulUseStage2expandedpatientdatasecurity requirementseven furtherNotonlydoyouneedtoremediaterisksfoundduringtheriskanalysisbutyoualsoneedtoincludeencryptionandsecurityofdatastoredintheCEHRTWhilespeaking at the HIMSS Privacy and Security
Forum Linda Sanches from HHS spoke aboutencryptionashermostimportantadvicetoavoidabreach
EncryptionneedstogobeyondtheCEHRTandisrequiredforallstoreddataunderHIPAABasedontheHHSWallofShamedataasof2014near-ly55ofbreacheswerecausedbylossortheftNotallofthesebreachescouldhavebeenavoid-edbyenablingencryptionbutmanycouldhave
Remediating Risks Deep Dive
HowtoLeverageHIPAAforMeaningfulUse|16
Share this ebook
Wersquove learned that your HIPAA risk analysis willcover yourMeaningfulUse risk analysis require-mentWersquove also learned thatbothHIPAAandMeaningfulUse require you to secure your pa-tientdata
WearenotsurewhattheMeaningfulUseStage3coremeasureswillbebutitissafetosaytherewillbearequirementbasedonprotectingpatientdatathatwilloverlapwithHIPAAAlthoughMean-ingfulUseattestationcomesdowntocheckingayesornoboxthereisalotthatgoesintothatonecheckboxIt isimportanttogothroughacom-pleteandthoroughriskanalysisremediaterisksand implementencryption soyoucan truly sayyoursquoreprotectingpatientdata
Conclusion
HIPAA compliance can be a complicated and time-consuming project SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace
Contact us for a free HIPAA compliance consultation
8019956550 I hipaasecuritymetricscom
SecurityMetrics gave me the support and
help to quickly review my HIPAA compliance
A great and easy experiencerdquo
ndash David HuntElevate Fitness and Rehab
How to Leverage HIPAA for Meaningful Use | 5
Share this ebook
Incentive AmountsThe incentive payments are what makes goingthroughthepainofCEHRTimplementationandMeaningful Use attestation worth it We donrsquotliketocallthesekickbacksbutthatrsquoskindofwhatthey are Essentially the government gives youmoneytobecomeCEHRTusersandMeaningfulUseparticipantsMaximumpayoutforEPsintheMedicareIncentiveProgramifyoustartedin2011is$43720Seetables1and2formoredetailedinformation
IncentivepaymentsforEHsandCAHsaremorecomplicatedthanforEPsMedicareandMedicaidpaymentshaveamaximumpayoutof$6370400forEHsandCAHsSeeEHR Incentive Program for Medicare Hospitals Calculating Payments and Medicaid Hospital Incentive Payments Calculations for a detailed breakdown of theformulas
Medicaid PaymentsYear1 $21250Year2-6 $8500
Maxpayout $63750
Medicare Payments2011 $437202012 $434802013 $382202014 $23520
Basedontheyearyoustartprogram
Payments for Eligible ProfessionalsTable 1
Table 2
HowtoLeverageHIPAAforMeaningfulUse|6
Stages and MeasuresEachattestationstagehasanumberofmeasuresthat EPs EHs and CAHs must complete andattest to each year Thesemeasures arebrokenintothreecategoriescoremeasuresmenumea-sures and clinical qualitymeasures Coremea-sures are all required Healthcare organizationsmust choose a certainnumberofmenuobjec-tives to complete For example in Stage 1 EPsmustmeet5menumeasuresfromatotallistof9
In addition to core andmenumeasures thereare clinical quality measures (CQMs)CQMsaretools thathelpmeasureand track thequalityofhealth care services provided by EPs EHs andCAHsStartingin2014theCQMschosenmustcoveratleast3ofthe6National Quality Strategy (NQS)domainsNQSdomainsrepresenttheDe-partmentofHealthandHumanServicesrsquo (HHS)prioritiesforhealthcarequalityimprovementToreceive an incentive payment providers are re-quiredtosubmitCQMdatafromtheirCEHRT
Measures for EP EH and CAHStage 1 Stage 2 Stage 1 Stage 2
Coremeasures 13 17 12 16
Menu measures 5of9 3of6 5 of 10 3of6
Clinicalqualitymeasures 9of64 9of64 All 15 16of29
Table 3
1st year
Stage of Meaningful Use2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021
2011 1 1 1 2 2 3 3 TBD TBD TBD TBD
2012 1 1 2 2 3 3 TBD TBD TBD TBD
2013 1 1 2 2 3 3 TBD TBD TBD
2014 1 1 2 2 3 3 TBD TBD
2015 1 1 2 2 3 3 TBD
2016 1 1 2 2 3 3
2017 1 1 2 2 3
Which stage are you inSee which stage you are in based on your program participation start year
HowtoLeverageHIPAAforMeaningfulUse|7
Share this ebook
Data Security MeasuresStage 1 Data Security MeasureWithin themeasures thatorganizationsmustat-testtothereareafewmeasuresthatspecificallycover data security Because we are discussinghowMeaningfulUserelatestoHIPAAspecifical-lytheSecurityRuleitrsquosimportantyouunderstandthesemeasures
OntheMeaningfulUseworksheetsitlistsanob-jective foreachmeasureThedata security coreobjective (measure 13 for EPs and12 for EHs and CAHs) is ldquoprotectelectronichealth informa-tion createdormaintainedby the certifiedEHRtechnologythroughtheimplementationofappro-priatetechnicalcapabilitiesrdquoThemeasureforthisobjectiveisldquoconductorreviewasecurityriskanal-ysis in accordance with the requirements under45CFR(codeof federal regulations)164308(a)(1)andimplementsecurityupdatesasnecessary
andcorrectidentifiedsecuritydeficienciesaspartofitsriskmanagementprocessrdquoTheCFRrequire-mentreferencedinthemeasureistheHIPAAriskanalysisrequirementBasedonhowtheseMean-ingfulUsemeasuresarewrittenyoucanseethatMeaningfulUseandHIPAAarerelatedWersquolldis-cusshowtheyarerelatedinmoredetailinothersections
Stage 2 Data Security MeasureInStage2 thedatasecurityobjective isessen-tially the same as Stage 1 (measure 9 for EPs and7 for EHs and CAHs)butthemeasuresareexpandedNotonlyareEPsEHsandCAHsre-quiredtoconductorreviewasecurityriskanal-ysis they are to ldquoimplement security updatesasnecessaryandcorrect identifiedsecurityde-ficienciesaspartof theproviderrsquos riskmanage-mentprocessrdquoInHIPAAthisiscommonlyknownasariskmanagementplanWersquolldiscusstherisk
How to Leverage HIPAA for Meaningful Use | 8
managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT
in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable
How encryption works1 Data is entered into the
computer2 Before the data is stored
transmitted it is transformed into unreadable code
3 Only with a special key does the data become readable once again
HowtoLeverageHIPAAforMeaningfulUse|9
Share this ebook
Does Meaningful Use Make Sense for You?

Although the idea of an incentive program is likely appealing, some professionals are starting to bail out. One reason is there are penalties if EPs, EHs, and CAHs can’t meet the measures and CQMs. The penalties for Meaningful Use really boil down to reduced Medicare or Medicaid payments of anywhere between 1-5%. A lot of the smaller physicians we talk to bill around $100,000 a year to Medicaid and Medicare. If they lose 1% of those payments, that’s $1,000 per year. If they lose up to 5%, that’s $5,000 per year. Does it make sense for them to spend the money and time it takes to complete those Meaningful Use attestations?

This is a big question for some providers, especially smaller ones. Incentive program participation decreased 17% in 2011. Participants decided it wasn’t worth the effort, so they bailed out in 2012. We recommend you take a look at your Medicaid and Medicare payments and do what makes sense for your practice.
HIPAA Basics

HIPAA Components

Most people in the healthcare industry are familiar with the purpose of HIPAA compliance, but not everyone realizes the HIPAA standard is actually a combination of three separate rules: the Privacy Rule, Security Rule, and Breach Notification Rule.

Privacy Rule

The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations and designates the right for individuals to understand and control how their medical data is used.

Security Rule

The Security Rule sets standards for protecting PHI that is stored or transmitted in electronic form. The Security Rule is designed to be flexible and scalable to accommodate healthcare providers of all sizes and technology sophistication.

Breach Notification Rule

The Breach Notification Rule details the actions that must take place and the parties that must be notified in the event of a PHI breach.
HIPAA Survey by NueMD

In October 2014, NueMD conducted a survey of more than 1,100 healthcare professionals to gauge their knowledge of HIPAA and preparedness for an audit. The results showed that only 35% said their business had conducted a mandatory HIPAA risk analysis.

HIPAA Risk Analysis

The risk analysis is the keystone of Security Rule compliance and data security efforts. The purpose of the risk analysis is to help covered entities identify and document potential security risks. Every security effort your organization needs to make will be determined by your risk analysis, so it’s critical to conduct a complete and thorough analysis.

HIPAA Risk Management Plan

The risk management plan is the end result of a risk analysis. Your risk management plan should include all the risks found during your risk analysis and how you will evaluate, prioritize, and implement security controls to remediate these risks.
Meaningful Use and HIPAA Overlap

Two Birds With One Stone

Will your Meaningful Use attestation count 100% for HIPAA compliance? No. Will HIPAA compliance count 100% for Meaningful Use attestation? No. There is no complete overlap between Meaningful Use and HIPAA.

However, there is enough overlap to make a significant impact. A risk analysis is one main requirement that applies to both Meaningful Use and HIPAA.

Common Risk Analysis Questions

Both HIPAA and Meaningful Use require a risk analysis. All stages of Meaningful Use include some element of a risk analysis and data security.

Will your Meaningful Use risk analysis cover your HIPAA risk analysis? Unfortunately, too often the answer is no. Entities get hung up on thinking that Meaningful Use is focused just on the CEHRT. Will your HIPAA risk analysis cover your Meaningful Use risk analysis? Normally yes, as long as you’ve done a complete and thorough analysis. The HIPAA risk analysis encompasses the CEHRT as well as all PHI, including paper records, emails, calendars, other systems, etc. Because the risk analysis includes the CEHRT, it also counts for Meaningful Use measures.
Risk Analysis Deep Dive

Elements of a Risk Analysis

Let’s make sure we are on the same page when we talk about a risk analysis. A risk analysis finds security issues in your PHI environment through the analysis of 3 components: vulnerabilities, threats, and risks.

A vulnerability is a flaw or weakness in a system, procedure, implementation, or security control that could result in a security breach. Vulnerabilities can be either technical or non-technical. Technical vulnerabilities can be holes, flaws, or weaknesses in IT systems. Non-technical vulnerabilities can be ineffective or non-existent procedures, policies, standards, and guidelines.

A threat is some force or person that might intentionally or unintentionally trigger a specific vulnerability. Oftentimes threats are thought of in terms of computer systems and attackers exploiting those systems. But you also need to be aware of threats within your own internal systems. Technically, your staff is a threat. A workforce member could unintentionally or intentionally do something to trigger one of your vulnerabilities.

Vulnerability = a flaw or weakness in a system, procedure, or security control that could result in a security breach.

Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability.
Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability. Risks are really what auditors look at during HIPAA audits.

A risk analysis identifies vulnerabilities that expose your organization to potential risk. This will help you determine and prioritize the most threatening risks to take care of first, and which risks may not even be worth addressing in your risk management plan.

The HHS hasn’t given a specific risk analysis process to use, but did suggest using the NIST 800-30 guide.
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
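
The likelihood, impact and risk-level steps of the process above, sketched as an added example (it is not from the ebook and does not reproduce a table from NIST 800-30). The three-level matrix, the `Finding` fields and the sample findings are assumptions constructed for illustration; the last function shows what an analysis scoped only to the CEHRT would leave out.

```python
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # ordered from least to most severe

# Assumed qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass(frozen=True)
class Finding:
    asset: str          # where the PHI lives
    in_cehrt: bool      # True if the asset is part of the certified EHR technology
    vulnerability: str  # flaw or weakness (technical or non-technical)
    threat: str         # force or person that could trigger the vulnerability
    likelihood: str     # "low" | "medium" | "high"
    impact: str         # "low" | "medium" | "high"


# Constructed sample findings (hypothetical practice, not real data).
SAMPLE_FINDINGS = [
    Finding("Billing laptop with exported patient list", False,
            "disk not encrypted", "loss or theft", "medium", "high"),
    Finding("CEHRT database server", True,
            "stored PHI not encrypted", "server or backup media stolen",
            "low", "high"),
    Finding("Paper charts in front office", False,
            "cabinet left unlocked", "visitor or staff browsing records",
            "low", "medium"),
    Finding("Staff email", False,
            "PHI sent in plain-text messages",
            "message misdirected or intercepted", "high", "medium"),
    Finding("CEHRT workstation logins", True,
            "shared workforce account",
            "staff member views records without need", "medium", "medium"),
]


def risk_level(finding):
    """Combine likelihood and impact into a risk level using RISK_MATRIX."""
    for rating in (finding.likelihood, finding.impact):
        if rating not in LEVELS:
            raise ValueError(f"unknown rating {rating!r} for {finding.asset}")
    return RISK_MATRIX[finding.likelihood][finding.impact]


def prioritize(findings, accept=("low",)):
    """Split findings into (plan, accepted).

    plan: findings to remediate, highest risk first (input order kept on ties).
    accepted: findings whose level is in `accept`, documented but not remediated.
    """
    ranked = sorted(findings, key=lambda f: -LEVELS.index(risk_level(f)))
    plan = [f for f in ranked if risk_level(f) not in accept]
    accepted = [f for f in ranked if risk_level(f) in accept]
    return plan, accepted


def outside_cehrt(findings):
    """Findings a CEHRT-only analysis would never have recorded."""
    return [f for f in findings if not f.in_cehrt]


if __name__ == "__main__":
    plan, accepted = prioritize(SAMPLE_FINDINGS)
    for f in plan:
        print(f"{risk_level(f):6}  {f.asset}: {f.vulnerability} / {f.threat}")
    print("accepted:", [f.asset for f in accepted])
    print("missed by a CEHRT-only scope:",
          [f.asset for f in outside_cehrt(SAMPLE_FINDINGS)])
```
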
Remediating Risks Deep Dive

Risk Management Plan

Both Meaningful Use and HIPAA require you to correct your security problems. The HHS recognizes that many organizations are not completely secure. They understand most of us have risks we haven’t fully remediated. They just want to see forward movement with HIPAA and patient data security.

Encrypt, Encrypt, Encrypt

Meaningful Use Stage 2 expanded patient data security requirements even further. Not only do you need to remediate risks found during the risk analysis, but you also need to include encryption and security of data stored in the CEHRT. While speaking at the HIMSS Privacy and Security Forum, Linda Sanches from HHS spoke about encryption as her most important advice to avoid a breach.

Encryption needs to go beyond the CEHRT and is required for all stored data under HIPAA. Based on the HHS Wall of Shame data, as of 2014 nearly 55% of breaches were caused by loss or theft. Not all of these breaches could have been avoided by enabling encryption, but many could have.
Conclusion

We’ve learned that your HIPAA risk analysis will cover your Meaningful Use risk analysis requirement. We’ve also learned that both HIPAA and Meaningful Use require you to secure your patient data.

We are not sure what the Meaningful Use Stage 3 core measures will be, but it is safe to say there will be a requirement based on protecting patient data that will overlap with HIPAA. Although Meaningful Use attestation comes down to checking a yes or no box, there is a lot that goes into that one checkbox. It is important to go through a complete and thorough risk analysis, remediate risks, and implement encryption so you can truly say you’re protecting patient data.
HIPAA compliance can be a complicated and time-consuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps, at your own pace.

Contact us for a free HIPAA compliance consultation.
8019956550 I hipaasecuritymetricscom
“SecurityMetrics gave me the support and help to quickly review my HIPAA compliance. A great and easy experience.”
– David Hunt, Elevate Fitness and Rehab
Stages and Measures

Each attestation stage has a number of measures that EPs, EHs, and CAHs must complete and attest to each year. These measures are broken into three categories: core measures, menu measures, and clinical quality measures. Core measures are all required. Healthcare organizations must choose a certain number of menu objectives to complete. For example, in Stage 1, EPs must meet 5 menu measures from a total list of 9.

In addition to core and menu measures, there are clinical quality measures (CQMs). CQMs are tools that help measure and track the quality of health care services provided by EPs, EHs, and CAHs. Starting in 2014, the CQMs chosen must cover at least 3 of the 6 National Quality Strategy (NQS) domains. NQS domains represent the Department of Health and Human Services’ (HHS) priorities for healthcare quality improvement. To receive an incentive payment, providers are required to submit CQM data from their CEHRT.

Measures for EP, EH, and CAH

| Measures | EP Stage 1 | EP Stage 2 | EH and CAH Stage 1 | EH and CAH Stage 2 |
|---|---|---|---|---|
| Core measures | 13 | 17 | 12 | 16 |
| Menu measures | 5 of 9 | 3 of 6 | 5 of 10 | 3 of 6 |
| Clinical quality measures | 9 of 64 | 9 of 64 | All 15 | 16 of 29 |

Table 3. Which stage are you in? See which stage you are in based on your program participation start year.

Stage of Meaningful Use

| 1st year | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2011 | 1 | 1 | 1 | 2 | 2 | 3 | 3 | TBD | TBD | TBD | TBD |
| 2012 | | 1 | 1 | 2 | 2 | 3 | 3 | TBD | TBD | TBD | TBD |
| 2013 | | | 1 | 1 | 2 | 2 | 3 | 3 | TBD | TBD | TBD |
| 2014 | | | | 1 | 1 | 2 | 2 | 3 | 3 | TBD | TBD |
| 2015 | | | | | 1 | 1 | 2 | 2 | 3 | 3 | TBD |
| 2016 | | | | | | 1 | 1 | 2 | 2 | 3 | 3 |
| 2017 | | | | | | | 1 | 1 | 2 | 2 | 3 |
HowtoLeverageHIPAAforMeaningfulUse|7
Share this ebook
Data Security MeasuresStage 1 Data Security MeasureWithin themeasures thatorganizationsmustat-testtothereareafewmeasuresthatspecificallycover data security Because we are discussinghowMeaningfulUserelatestoHIPAAspecifical-lytheSecurityRuleitrsquosimportantyouunderstandthesemeasures
OntheMeaningfulUseworksheetsitlistsanob-jective foreachmeasureThedata security coreobjective (measure 13 for EPs and12 for EHs and CAHs) is ldquoprotectelectronichealth informa-tion createdormaintainedby the certifiedEHRtechnologythroughtheimplementationofappro-priatetechnicalcapabilitiesrdquoThemeasureforthisobjectiveisldquoconductorreviewasecurityriskanal-ysis in accordance with the requirements under45CFR(codeof federal regulations)164308(a)(1)andimplementsecurityupdatesasnecessary
andcorrectidentifiedsecuritydeficienciesaspartofitsriskmanagementprocessrdquoTheCFRrequire-mentreferencedinthemeasureistheHIPAAriskanalysisrequirementBasedonhowtheseMean-ingfulUsemeasuresarewrittenyoucanseethatMeaningfulUseandHIPAAarerelatedWersquolldis-cusshowtheyarerelatedinmoredetailinothersections
Stage 2 Data Security MeasureInStage2 thedatasecurityobjective isessen-tially the same as Stage 1 (measure 9 for EPs and7 for EHs and CAHs)butthemeasuresareexpandedNotonlyareEPsEHsandCAHsre-quiredtoconductorreviewasecurityriskanal-ysis they are to ldquoimplement security updatesasnecessaryandcorrect identifiedsecurityde-ficienciesaspartof theproviderrsquos riskmanage-mentprocessrdquoInHIPAAthisiscommonlyknownasariskmanagementplanWersquolldiscusstherisk
How to Leverage HIPAA for Meaningful Use | 8
managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT
in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable
How encryption works1 Data is entered into the
computer2 Before the data is stored
transmitted it is transformed into unreadable code
3 Only with a special key does the data become readable once again
HowtoLeverageHIPAAforMeaningfulUse|9
Share this ebook
Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations
This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice
How to Leverage HIPAA for Meaningful Use | 10
Share this ebook
HIPAA ComponentsMostpeopleinthehealthcareindustryarefamiliarwith thepurposeofHIPAA compliancebut noteveryone realizes theHIPAA standard is actuallyacombinationofthreeseparaterulesthePrivacyRuleSecurityRuleandBreachNotificationRule
Privacy RuleThe Privacy Rule addresses appropriate PHI useand disclosure practices by healthcare organiza-tions and designates the right for individuals tounderstandandcontrolhowtheirmedicaldataisused
Security RuleThe Security Rule sets standards for protectingPHIthatisstoredortransmittedinelectronicformTheSecurityRule isdesigned tobeflexibleandscalabletoaccommodatehealthcareprovidersofallsizesandtechnologysophistication
Breach Notification RuleThe Breach Notification Rule details the actionsthatmusttakeplaceandthepartiesthatmustbenotifiedintheeventofaPHIbreach
HIPAA Basics
How to Leverage HIPAA for Meaningful Use | 11
HIPAA Surveyby NueMD
In October 2014 NueMD conducted a sur-vey of more than 1100 healthcare profes-sionals to gauge their knowledge of HIPAA and preparedness for an audit The results showed that only 35 said their business had conducted a mandatory HIPAA risk analysis
HIPAA Risk AnalysisTheriskanalysis is thekeystoneofSecurityRulecompliance and data security efforts The pur-poseoftheriskanalysisistohelpcoveredentitiesidentify and document potential security risksEvery security effort yourorganizationneeds tomakewillbedeterminedbyyourriskanalysissoitrsquoscritical toconductacompleteandthoroughanalysis
HIPAA Risk Management PlanTheriskmanagementplanistheendresultofarisk analysis Your riskmanagementplan shouldincludealltherisksfoundduringyourriskanalysisandhowyouwillevaluateprioritizeand imple-mentsecuritycontrolstoremediatetheserisks
How to Leverage HIPAA for Meaningful Use | 12
Share this ebook
Two Birds With One StoneWillyourMeaningfulUseattestationcount100forHIPAA complianceNoWillHIPAA compli-ancecount100forMeaningfulUseattestationNoThereisnocompleteoverlapbetweenMean-ingfulUseandHIPAA
Howeverthereisenoughoverlaptomakeasig-nificantimpactAriskanalysisisonemainrequire-ment that applies to bothMeaningfulUse andHIPAA
Common Risk Analysis Questions Both HIPAA andMeaningful Use require a riskanalysis All stages of Meaningful Use includesomeelementofariskanalysisanddatasecurity
WillyourMeaningfulUseriskanalysiscoveryourHIPAAriskanalysisUnfortunately toooftentheanswer is no Entities get hung up on thinkingthatMeaningfulUseisfocusedjustontheCEH-RTWillyourHIPAAriskanalysiscoveryourMean-ingfulUseriskanalysisNormallyyesaslongasyoursquovedoneacompleteand thoroughanalysisTheHIPAAriskanalysisencompassestheCEHRTaswellasallPHIincludingpaperrecordsemailscalendars other systems etc Because the riskanalysis includes the CEHRT it also counts forMeaningfulUsemeasures
Meaningful Use and HIPAA Overlap
How to Leverage HIPAA for Meaningful Use | 13
Share this ebook
Elements of a Risk AnalysisLetrsquosmakesureweareonthesamepagewhenwetalkaboutariskanalysisAriskanalysisfindssecurityissuesinyourPHIenvironmentthroughtheanalysisof3componentsvulnerabilitiesthreatsandrisks
Avulnerability isaflaworweaknessinasystemprocedure implementation or security controlthat could result in a security breach Vulnera-bilities canbe either technical or non-technicalTechnical vulnerabilities can be holes flaws orweaknesses in IT systemsNon-technical vulner-abilitiescanbeineffectiveornon-existentproce-durespoliciesstandardsandguidelines
Athreatissomeforceorpersonthatmightinten-tionallyorunintentionallytriggeraspecificvulner-abilityOftentimesthreatsarethoughtofintermsof computer systems and attackers exploiting
thosesystemsButyoualsoneedtobeawareofthreatswithinyourowninternalsystemsTechni-cally yourstaff isa threatAworkforcemembercould unintentionally or intentionally do some-thingtotriggeroneofyourvulnerabilities
Risk Analysis Deep Dive
Vulnerability = a flaw or weakness in a system procedure or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
How to Leverage HIPAA for Meaningful Use | 14
Share this ebook
Riskisthelikelihoodthatoneofthesethreatsacci-dentallyorintentionallytriggersthevulnerabilityRisksarereallywhatauditorslookatduringHIPAAaudits
Ariskanalysisidentifiesvulnerabilitiesthatexposeyourorganization topotential risk Thiswill helpyoudetermineandprioritize themost threaten-ingriskstotakecareoffirstandwhichrisksmaynotevenbeworthaddressing inyour riskman-agementplan
TheHHShasnrsquotgivenaspecificriskanalysispro-cesstousebutdidsuggestusingtheNIST 800-30 guide
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
How to Leverage HIPAA for Meaningful Use | 15
Share this ebook
Risk Management PlanBothMeaningfulUseandHIPAArequireyoutocorrectyoursecurityproblemsTheHHSrecog-nizesthatmanyorganizationsarenotcomplete-lysecureTheyunderstandmostofushaveriskswehavenrsquotfullyremediatedTheyjustwanttoseeforwardmovementwithHIPAAandpatientdatasecurity
Encrypt Encrypt EncryptMeaningfulUseStage2expandedpatientdatasecurity requirementseven furtherNotonlydoyouneedtoremediaterisksfoundduringtheriskanalysisbutyoualsoneedtoincludeencryptionandsecurityofdatastoredintheCEHRTWhilespeaking at the HIMSS Privacy and Security
Forum Linda Sanches from HHS spoke aboutencryptionashermostimportantadvicetoavoidabreach
EncryptionneedstogobeyondtheCEHRTandisrequiredforallstoreddataunderHIPAABasedontheHHSWallofShamedataasof2014near-ly55ofbreacheswerecausedbylossortheftNotallofthesebreachescouldhavebeenavoid-edbyenablingencryptionbutmanycouldhave
Remediating Risks Deep Dive
HowtoLeverageHIPAAforMeaningfulUse|16
Share this ebook
Wersquove learned that your HIPAA risk analysis willcover yourMeaningfulUse risk analysis require-mentWersquove also learned thatbothHIPAAandMeaningfulUse require you to secure your pa-tientdata
WearenotsurewhattheMeaningfulUseStage3coremeasureswillbebutitissafetosaytherewillbearequirementbasedonprotectingpatientdatathatwilloverlapwithHIPAAAlthoughMean-ingfulUseattestationcomesdowntocheckingayesornoboxthereisalotthatgoesintothatonecheckboxIt isimportanttogothroughacom-pleteandthoroughriskanalysisremediaterisksand implementencryption soyoucan truly sayyoursquoreprotectingpatientdata
Conclusion
HIPAA compliance can be a complicated and time-consuming project SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace
Contact us for a free HIPAA compliance consultation
8019956550 I hipaasecuritymetricscom
SecurityMetrics gave me the support and
help to quickly review my HIPAA compliance
A great and easy experiencerdquo
ndash David HuntElevate Fitness and Rehab
HowtoLeverageHIPAAforMeaningfulUse|7
Share this ebook
Data Security MeasuresStage 1 Data Security MeasureWithin themeasures thatorganizationsmustat-testtothereareafewmeasuresthatspecificallycover data security Because we are discussinghowMeaningfulUserelatestoHIPAAspecifical-lytheSecurityRuleitrsquosimportantyouunderstandthesemeasures
OntheMeaningfulUseworksheetsitlistsanob-jective foreachmeasureThedata security coreobjective (measure 13 for EPs and12 for EHs and CAHs) is ldquoprotectelectronichealth informa-tion createdormaintainedby the certifiedEHRtechnologythroughtheimplementationofappro-priatetechnicalcapabilitiesrdquoThemeasureforthisobjectiveisldquoconductorreviewasecurityriskanal-ysis in accordance with the requirements under45CFR(codeof federal regulations)164308(a)(1)andimplementsecurityupdatesasnecessary
andcorrectidentifiedsecuritydeficienciesaspartofitsriskmanagementprocessrdquoTheCFRrequire-mentreferencedinthemeasureistheHIPAAriskanalysisrequirementBasedonhowtheseMean-ingfulUsemeasuresarewrittenyoucanseethatMeaningfulUseandHIPAAarerelatedWersquolldis-cusshowtheyarerelatedinmoredetailinothersections
Stage 2 Data Security MeasureInStage2 thedatasecurityobjective isessen-tially the same as Stage 1 (measure 9 for EPs and7 for EHs and CAHs)butthemeasuresareexpandedNotonlyareEPsEHsandCAHsre-quiredtoconductorreviewasecurityriskanal-ysis they are to ldquoimplement security updatesasnecessaryandcorrect identifiedsecurityde-ficienciesaspartof theproviderrsquos riskmanage-mentprocessrdquoInHIPAAthisiscommonlyknownasariskmanagementplanWersquolldiscusstherisk
How to Leverage HIPAA for Meaningful Use | 8
managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT
in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable
How encryption works1 Data is entered into the
computer2 Before the data is stored
transmitted it is transformed into unreadable code
3 Only with a special key does the data become readable once again
HowtoLeverageHIPAAforMeaningfulUse|9
Share this ebook
Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations
This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice
How to Leverage HIPAA for Meaningful Use | 10
Share this ebook
HIPAA ComponentsMostpeopleinthehealthcareindustryarefamiliarwith thepurposeofHIPAA compliancebut noteveryone realizes theHIPAA standard is actuallyacombinationofthreeseparaterulesthePrivacyRuleSecurityRuleandBreachNotificationRule
Privacy RuleThe Privacy Rule addresses appropriate PHI useand disclosure practices by healthcare organiza-tions and designates the right for individuals tounderstandandcontrolhowtheirmedicaldataisused
Security RuleThe Security Rule sets standards for protectingPHIthatisstoredortransmittedinelectronicformTheSecurityRule isdesigned tobeflexibleandscalabletoaccommodatehealthcareprovidersofallsizesandtechnologysophistication
Breach Notification RuleThe Breach Notification Rule details the actionsthatmusttakeplaceandthepartiesthatmustbenotifiedintheeventofaPHIbreach
HIPAA Basics
How to Leverage HIPAA for Meaningful Use | 11
HIPAA Surveyby NueMD
In October 2014 NueMD conducted a sur-vey of more than 1100 healthcare profes-sionals to gauge their knowledge of HIPAA and preparedness for an audit The results showed that only 35 said their business had conducted a mandatory HIPAA risk analysis
HIPAA Risk AnalysisTheriskanalysis is thekeystoneofSecurityRulecompliance and data security efforts The pur-poseoftheriskanalysisistohelpcoveredentitiesidentify and document potential security risksEvery security effort yourorganizationneeds tomakewillbedeterminedbyyourriskanalysissoitrsquoscritical toconductacompleteandthoroughanalysis
HIPAA Risk Management PlanTheriskmanagementplanistheendresultofarisk analysis Your riskmanagementplan shouldincludealltherisksfoundduringyourriskanalysisandhowyouwillevaluateprioritizeand imple-mentsecuritycontrolstoremediatetheserisks
How to Leverage HIPAA for Meaningful Use | 12
Share this ebook
Two Birds With One StoneWillyourMeaningfulUseattestationcount100forHIPAA complianceNoWillHIPAA compli-ancecount100forMeaningfulUseattestationNoThereisnocompleteoverlapbetweenMean-ingfulUseandHIPAA
Howeverthereisenoughoverlaptomakeasig-nificantimpactAriskanalysisisonemainrequire-ment that applies to bothMeaningfulUse andHIPAA
Common Risk Analysis Questions Both HIPAA andMeaningful Use require a riskanalysis All stages of Meaningful Use includesomeelementofariskanalysisanddatasecurity
WillyourMeaningfulUseriskanalysiscoveryourHIPAAriskanalysisUnfortunately toooftentheanswer is no Entities get hung up on thinkingthatMeaningfulUseisfocusedjustontheCEH-RTWillyourHIPAAriskanalysiscoveryourMean-ingfulUseriskanalysisNormallyyesaslongasyoursquovedoneacompleteand thoroughanalysisTheHIPAAriskanalysisencompassestheCEHRTaswellasallPHIincludingpaperrecordsemailscalendars other systems etc Because the riskanalysis includes the CEHRT it also counts forMeaningfulUsemeasures
Meaningful Use and HIPAA Overlap
How to Leverage HIPAA for Meaningful Use | 13
Share this ebook
Elements of a Risk AnalysisLetrsquosmakesureweareonthesamepagewhenwetalkaboutariskanalysisAriskanalysisfindssecurityissuesinyourPHIenvironmentthroughtheanalysisof3componentsvulnerabilitiesthreatsandrisks
Avulnerability isaflaworweaknessinasystemprocedure implementation or security controlthat could result in a security breach Vulnera-bilities canbe either technical or non-technicalTechnical vulnerabilities can be holes flaws orweaknesses in IT systemsNon-technical vulner-abilitiescanbeineffectiveornon-existentproce-durespoliciesstandardsandguidelines
Athreatissomeforceorpersonthatmightinten-tionallyorunintentionallytriggeraspecificvulner-abilityOftentimesthreatsarethoughtofintermsof computer systems and attackers exploiting
thosesystemsButyoualsoneedtobeawareofthreatswithinyourowninternalsystemsTechni-cally yourstaff isa threatAworkforcemembercould unintentionally or intentionally do some-thingtotriggeroneofyourvulnerabilities
Risk Analysis Deep Dive
Vulnerability = a flaw or weakness in a system procedure or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
How to Leverage HIPAA for Meaningful Use | 14
Share this ebook
Riskisthelikelihoodthatoneofthesethreatsacci-dentallyorintentionallytriggersthevulnerabilityRisksarereallywhatauditorslookatduringHIPAAaudits
Ariskanalysisidentifiesvulnerabilitiesthatexposeyourorganization topotential risk Thiswill helpyoudetermineandprioritize themost threaten-ingriskstotakecareoffirstandwhichrisksmaynotevenbeworthaddressing inyour riskman-agementplan
TheHHShasnrsquotgivenaspecificriskanalysispro-cesstousebutdidsuggestusingtheNIST 800-30 guide
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
How to Leverage HIPAA for Meaningful Use | 15
Share this ebook
Risk Management PlanBothMeaningfulUseandHIPAArequireyoutocorrectyoursecurityproblemsTheHHSrecog-nizesthatmanyorganizationsarenotcomplete-lysecureTheyunderstandmostofushaveriskswehavenrsquotfullyremediatedTheyjustwanttoseeforwardmovementwithHIPAAandpatientdatasecurity
Encrypt Encrypt EncryptMeaningfulUseStage2expandedpatientdatasecurity requirementseven furtherNotonlydoyouneedtoremediaterisksfoundduringtheriskanalysisbutyoualsoneedtoincludeencryptionandsecurityofdatastoredintheCEHRTWhilespeaking at the HIMSS Privacy and Security
Forum Linda Sanches from HHS spoke aboutencryptionashermostimportantadvicetoavoidabreach
EncryptionneedstogobeyondtheCEHRTandisrequiredforallstoreddataunderHIPAABasedontheHHSWallofShamedataasof2014near-ly55ofbreacheswerecausedbylossortheftNotallofthesebreachescouldhavebeenavoid-edbyenablingencryptionbutmanycouldhave
Remediating Risks Deep Dive
HowtoLeverageHIPAAforMeaningfulUse|16
Share this ebook
Wersquove learned that your HIPAA risk analysis willcover yourMeaningfulUse risk analysis require-mentWersquove also learned thatbothHIPAAandMeaningfulUse require you to secure your pa-tientdata
WearenotsurewhattheMeaningfulUseStage3coremeasureswillbebutitissafetosaytherewillbearequirementbasedonprotectingpatientdatathatwilloverlapwithHIPAAAlthoughMean-ingfulUseattestationcomesdowntocheckingayesornoboxthereisalotthatgoesintothatonecheckboxIt isimportanttogothroughacom-pleteandthoroughriskanalysisremediaterisksand implementencryption soyoucan truly sayyoursquoreprotectingpatientdata
Conclusion
HIPAA compliance can be a complicated and time-consuming project SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace
Contact us for a free HIPAA compliance consultation
8019956550 I hipaasecuritymetricscom
SecurityMetrics gave me the support and
help to quickly review my HIPAA compliance
A great and easy experiencerdquo
ndash David HuntElevate Fitness and Rehab
How to Leverage HIPAA for Meaningful Use | 8
managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT
in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable
How encryption works1 Data is entered into the
computer2 Before the data is stored
transmitted it is transformed into unreadable code
3 Only with a special key does the data become readable once again
HowtoLeverageHIPAAforMeaningfulUse|9
Share this ebook
Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations
This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice
How to Leverage HIPAA for Meaningful Use | 10
Share this ebook
HIPAA ComponentsMostpeopleinthehealthcareindustryarefamiliarwith thepurposeofHIPAA compliancebut noteveryone realizes theHIPAA standard is actuallyacombinationofthreeseparaterulesthePrivacyRuleSecurityRuleandBreachNotificationRule
Privacy RuleThe Privacy Rule addresses appropriate PHI useand disclosure practices by healthcare organiza-tions and designates the right for individuals tounderstandandcontrolhowtheirmedicaldataisused
Security RuleThe Security Rule sets standards for protectingPHIthatisstoredortransmittedinelectronicformTheSecurityRule isdesigned tobeflexibleandscalabletoaccommodatehealthcareprovidersofallsizesandtechnologysophistication
Breach Notification RuleThe Breach Notification Rule details the actionsthatmusttakeplaceandthepartiesthatmustbenotifiedintheeventofaPHIbreach
HIPAA Basics
How to Leverage HIPAA for Meaningful Use | 11
HIPAA Surveyby NueMD
In October 2014 NueMD conducted a sur-vey of more than 1100 healthcare profes-sionals to gauge their knowledge of HIPAA and preparedness for an audit The results showed that only 35 said their business had conducted a mandatory HIPAA risk analysis
HIPAA Risk AnalysisTheriskanalysis is thekeystoneofSecurityRulecompliance and data security efforts The pur-poseoftheriskanalysisistohelpcoveredentitiesidentify and document potential security risksEvery security effort yourorganizationneeds tomakewillbedeterminedbyyourriskanalysissoitrsquoscritical toconductacompleteandthoroughanalysis
HIPAA Risk Management PlanTheriskmanagementplanistheendresultofarisk analysis Your riskmanagementplan shouldincludealltherisksfoundduringyourriskanalysisandhowyouwillevaluateprioritizeand imple-mentsecuritycontrolstoremediatetheserisks
How to Leverage HIPAA for Meaningful Use | 12
Share this ebook
Meaningful Use and HIPAA Overlap

Two Birds With One Stone
Will your Meaningful Use attestation count 100% for HIPAA compliance? No. Will HIPAA compliance count 100% for Meaningful Use attestation? No. There is no complete overlap between Meaningful Use and HIPAA.

However, there is enough overlap to make a significant impact. A risk analysis is one main requirement that applies to both Meaningful Use and HIPAA.

Common Risk Analysis Questions
Both HIPAA and Meaningful Use require a risk analysis. All stages of Meaningful Use include some element of a risk analysis and data security.

Will your Meaningful Use risk analysis cover your HIPAA risk analysis? Unfortunately, too often the answer is no. Entities get hung up on thinking that Meaningful Use is focused just on the CEHRT. Will your HIPAA risk analysis cover your Meaningful Use risk analysis? Normally yes, as long as you've done a complete and thorough analysis. The HIPAA risk analysis encompasses the CEHRT as well as all PHI, including paper records, emails, calendars, other systems, etc. Because the risk analysis includes the CEHRT, it also counts for Meaningful Use measures.
Risk Analysis Deep Dive

Elements of a Risk Analysis
Let's make sure we are on the same page when we talk about a risk analysis. A risk analysis finds security issues in your PHI environment through the analysis of 3 components: vulnerabilities, threats, and risks.

A vulnerability is a flaw or weakness in a system, procedure, implementation, or security control that could result in a security breach. Vulnerabilities can be either technical or non-technical. Technical vulnerabilities can be holes, flaws, or weaknesses in IT systems. Non-technical vulnerabilities can be ineffective or non-existent procedures, policies, standards, and guidelines.

A threat is some force or person that might intentionally or unintentionally trigger a specific vulnerability. Oftentimes threats are thought of in terms of computer systems and attackers exploiting those systems. But you also need to be aware of threats within your own internal systems. Technically, your staff is a threat. A workforce member could unintentionally or intentionally do something to trigger one of your vulnerabilities.

Vulnerability = a flaw or weakness in a system, procedure, or security control that could result in a security breach

Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability. Risks are really what auditors look at during HIPAA audits.

A risk analysis identifies vulnerabilities that expose your organization to potential risk. This will help you determine and prioritize the most threatening risks to take care of first and which risks may not even be worth addressing in your risk management plan.

The HHS hasn't given a specific risk analysis process to use but did suggest using the NIST 800-30 guide.
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
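
The eight steps above, sketched as a small risk register in Python. This is an added example, not part of the ebook or any SecurityMetrics material; the three-point scale, the scoring matrix, the acceptance threshold and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed three-point qualitative scale; the ebook does not prescribe one.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    asset: str          # where the PHI lives (scope and data gathering)
    vulnerability: str  # flaw or weakness that was documented
    technical: bool     # False for policy or procedure weaknesses
    threat: str         # force or person that could trigger it
    control: str        # current security measure, "" if none
    likelihood: str     # "low", "medium" or "high"
    impact: str         # "low", "medium" or "high"


def risk_level(likelihood, impact):
    """Combine likelihood and impact into a level (assumed matrix)."""
    for value in (likelihood, impact):
        if value not in LEVELS:
            raise ValueError(f"unknown rating: {value!r}")
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_plan(findings, accept_at_or_below="low"):
    """Rank findings, most threatening first, and decide what to do with each.

    Risks at or below the threshold are accepted but still documented,
    matching the idea that some risks may not be worth addressing.
    """
    rows = []
    for f in findings:
        level = risk_level(f.likelihood, f.impact)
        accepted = LEVELS[level] <= LEVELS[accept_at_or_below]
        rows.append({
            "asset": f.asset,
            "vulnerability": f.vulnerability,
            "kind": "technical" if f.technical else "non-technical",
            "threat": f.threat,
            "control": f.control or "none",
            "score": LEVELS[f.likelihood] * LEVELS[f.impact],
            "level": level,
            "action": "accept and document" if accepted else "remediate",
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def unanalyzed_assets(phi_inventory, findings):
    """PHI locations in scope that no finding covers yet.

    A register that only mentions the CEHRT leaves the rest of the
    inventory here, which is the gap the ebook warns about.
    """
    covered = {f.asset for f in findings}
    return sorted(set(phi_inventory) - covered)


# Constructed sample data, not taken from any real organization.
PHI_INVENTORY = ["CEHRT", "email", "paper records", "calendars", "laptops"]
FINDINGS = [
    Finding("laptops", "disk not encrypted", True,
            "loss or theft", "", "medium", "high"),
    Finding("CEHRT", "no procedure for removing departed staff access", False,
            "former workforce member", "", "medium", "medium"),
    Finding("email", "PHI sent without encryption", True,
            "staff member picks the wrong recipient", "annual training",
            "high", "medium"),
    Finding("paper records", "charts left at the front desk", False,
            "visitor", "office locked after hours", "low", "medium"),
]

if __name__ == "__main__":
    for row in build_plan(FINDINGS):
        print(f'{row["level"]:<6} {row["action"]:<20} '
              f'{row["asset"]}: {row["vulnerability"]} ({row["kind"]})')
    print("PHI locations with no finding yet:",
          unanalyzed_assets(PHI_INVENTORY, FINDINGS))
```
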
Remediating Risks Deep Dive

Risk Management Plan
Both Meaningful Use and HIPAA require you to correct your security problems. The HHS recognizes that many organizations are not completely secure. They understand most of us have risks we haven't fully remediated. They just want to see forward movement with HIPAA and patient data security.

Encrypt, Encrypt, Encrypt
Meaningful Use Stage 2 expanded patient data security requirements even further. Not only do you need to remediate risks found during the risk analysis, but you also need to include encryption and security of data stored in the CEHRT. While speaking at the HIMSS Privacy and Security Forum, Linda Sanches from HHS spoke about encryption as her most important advice to avoid a breach.

Encryption needs to go beyond the CEHRT and is required for all stored data under HIPAA. Based on the HHS Wall of Shame data, as of 2014, nearly 55% of breaches were caused by loss or theft. Not all of these breaches could have been avoided by enabling encryption, but many could have.
Conclusion

We've learned that your HIPAA risk analysis will cover your Meaningful Use risk analysis requirement. We've also learned that both HIPAA and Meaningful Use require you to secure your patient data.

We are not sure what the Meaningful Use Stage 3 core measures will be, but it is safe to say there will be a requirement based on protecting patient data that will overlap with HIPAA. Although Meaningful Use attestation comes down to checking a yes or no box, there is a lot that goes into that one checkbox. It is important to go through a complete and thorough risk analysis, remediate risks, and implement encryption so you can truly say you're protecting patient data.

HIPAA compliance can be a complicated and time-consuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace.
Does Meaningful Use Make Sense for You?
Although the idea of an incentive program is likely appealing, some professionals are starting to bail out. One reason is there are penalties if EPs, EHs, and CAHs can't meet the measures and CQMs. The penalties for Meaningful Use really boil down to reduced Medicare or Medicaid payments of anywhere between 1-5%. A lot of the smaller physicians we talk to bill around $100,000 a year to Medicaid and Medicare. If they lose 1% of those payments, that's $1,000 per year. If they lose up to 5%, that's $5,000 per year. Does it make sense for them to spend the money and time it takes to complete those Meaningful Use attestations?

This is a big question for some providers, especially smaller ones. Incentive program participation decreased 17% in 2011. Participants decided it wasn't worth the effort, so they bailed out in 2012. We recommend you take a look at your Medicaid and Medicare payments and do what makes sense for your practice.
How to Leverage HIPAA for Meaningful Use | 13
Share this ebook
Elements of a Risk AnalysisLetrsquosmakesureweareonthesamepagewhenwetalkaboutariskanalysisAriskanalysisfindssecurityissuesinyourPHIenvironmentthroughtheanalysisof3componentsvulnerabilitiesthreatsandrisks
Avulnerability isaflaworweaknessinasystemprocedure implementation or security controlthat could result in a security breach Vulnera-bilities canbe either technical or non-technicalTechnical vulnerabilities can be holes flaws orweaknesses in IT systemsNon-technical vulner-abilitiescanbeineffectiveornon-existentproce-durespoliciesstandardsandguidelines
Athreatissomeforceorpersonthatmightinten-tionallyorunintentionallytriggeraspecificvulner-abilityOftentimesthreatsarethoughtofintermsof computer systems and attackers exploiting
thosesystemsButyoualsoneedtobeawareofthreatswithinyourowninternalsystemsTechni-cally yourstaff isa threatAworkforcemembercould unintentionally or intentionally do some-thingtotriggeroneofyourvulnerabilities
Risk Analysis Deep Dive
Vulnerability = a flaw or weakness in a system procedure or security control that could result in a security breach
Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability
Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability. Risks are really what auditors look at during HIPAA audits.
A risk analysis identifies vulnerabilities that expose your organization to potential risk. This will help you determine and prioritize the most threatening risks to take care of first, and which risks may not even be worth addressing in your risk management plan.
The HHS hasn't given a specific risk analysis process to use, but did suggest using the NIST 800-30 guide.
Risk Analysis Process
Identify the scope of the analysis
Gather data
Identify and document potential vulnerabilities and threats
Assess current security objectives
Determine the likelihood of threat occurrence
Determine the potential impact of threat occurrence
Determine the level of risk
Identify security objectives and finalize documentation
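As an added illustration (not part of the ebook, and not SecurityMetrics' or NIST's own method), the likelihood, impact and level-of-risk steps above can be kept as a small risk register that pairs each vulnerability with a threat and ranks the results. The three-level scale, the score cut-offs and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed three-level qualitative scale; the ebook does not prescribe one.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class RiskEntry:
    vulnerability: str  # flaw or weakness, technical or non-technical
    threat: str         # force or person that could trigger it
    likelihood: str     # likelihood of threat occurrence
    impact: str         # potential impact of threat occurrence

    def __post_init__(self):
        # An unrated or mistyped entry would silently skew the ranking.
        for rating in (self.likelihood, self.impact):
            if rating not in LEVELS:
                raise ValueError(f"unknown rating {rating!r} for {self.vulnerability!r}")

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def level(self) -> str:
        # Assumed cut-offs on the 1-9 score: 6+ high, 3-4 moderate, else low.
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"

def prioritize(entries):
    """Return (remediate_first, may_not_need_action), highest risk first."""
    ranked = sorted(entries, key=lambda e: e.score(), reverse=True)
    first = [e for e in ranked if e.level() != "low"]
    later = [e for e in ranked if e.level() == "low"]
    return first, later

# Constructed sample register for a small practice (illustrative values).
REGISTER = [
    RiskEntry("Front-desk PC shows schedules to the waiting room", "Visitor reads the screen", "low", "low"),
    RiskEntry("Backup drive with PHI stored unencrypted", "Loss or theft in transit", "low", "high"),
    RiskEntry("Laptop with PHI has no disk encryption", "Loss or theft of the device", "moderate", "high"),
    RiskEntry("No workstation lock policy", "Workforce member leaves a session open", "high", "moderate"),
]

if __name__ == "__main__":
    first, later = prioritize(REGISTER)
    for e in first:
        print(f"{e.level():8} {e.score()}  {e.vulnerability} <- {e.threat}")
    for e in later:
        print(f"{'low':8} {e.score()}  (document, revisit later) {e.vulnerability}")
```

Entries that land in the second list are still written down in the final documentation; they are simply the ones the risk management plan may decide not to act on.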
Risk Management Plan
Both Meaningful Use and HIPAA require you to correct your security problems. The HHS recognizes that many organizations are not completely secure. They understand most of us have risks we haven't fully remediated. They just want to see forward movement with HIPAA and patient data security.
Encrypt Encrypt Encrypt
Meaningful Use Stage 2 expanded patient data security requirements even further. Not only do you need to remediate risks found during the risk analysis, but you also need to include encryption and security of data stored in the CEHRT. While speaking at the HIMSS Privacy and Security Forum, Linda Sanches from HHS spoke about encryption as her most important advice to avoid a breach.
Encryption needs to go beyond the CEHRT and is required for all stored data under HIPAA. Based on the HHS Wall of Shame data, as of 2014, nearly 55% of breaches were caused by loss or theft. Not all of these breaches could have been avoided by enabling encryption, but many could have.
Remediating Risks Deep Dive
Conclusion
We've learned that your HIPAA risk analysis will cover your Meaningful Use risk analysis requirement. We've also learned that both HIPAA and Meaningful Use require you to secure your patient data.
We are not sure what the Meaningful Use Stage 3 core measures will be, but it is safe to say there will be a requirement based on protecting patient data that will overlap with HIPAA. Although Meaningful Use attestation comes down to checking a yes or no box, there is a lot that goes into that one checkbox. It is important to go through a complete and thorough risk analysis, remediate risks, and implement encryption so you can truly say you're protecting patient data.
HIPAA compliance can be a complicated and time-consuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace.
Contact us for a free HIPAA compliance consultation.
801.995.6550 | hipaa@securitymetrics.com
“SecurityMetrics gave me the support and help to quickly review my HIPAA compliance. A great and easy experience.”
– David Hunt, Elevate Fitness and Rehab