Security Requirements and Meaningful Use - Top 5 Key Takeaways For the Healthcare Industry
When it comes to HITECH, many security professionals think immediately of the impact that HITECH has had on topics like breach disclosure and expansion of HIPAA security and privacy requirements to business associates. And while these topics are certainly important, the impact that meaningful use has had on the industry should not be overlooked. Specifically, meaningful use is making tremendous waves in the healthcare space – especially from an information security point of view.
Healthcare providers of course feel this impact most directly since they are the ones who are being called to task to make sure that they address security and privacy as one of the 15 core phase one requirements. In other words, because providers are required to specifically address security as part of establishing that they are using certified EHR (electronic health record) products in a meaningful way, security is receiving perhaps more attention in the past year and a half than it has since HIPAA went into effect. And while it does impact providers directly, it also behooves everyone in the healthcare ecosystem (from payers to business associates to software vendors) to understand what meaningful use is, how it impacts HIT (health information technology), and – most importantly – how regulatory guidance and adoption by providers impacts health information management from a security standpoint.
Meaningful use is, of course, a complicated topic. However, there are a few key points that everyone should have on their radar; they are:
1. Know where provider-specific requirements are outlined
Many providers struggle to find where HHS spells out exactly what it intends with respect to the security requirements for meaningful use. For providers struggling with this, it’s useful to read through HHS rulemaking 42 CFR Parts 412, 413, 422 et al (Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule). This document, specifically 42 CFR §495.6(d)(15)(ii) and 42 CFR §495.6(f)(14)(ii), outlines the specific details of what providers need to do to address security as part of their plan for making use of EHR technology. Specifically, the rule requires that providers “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
2. Evaluate what that means to your program
This requirement on its face has a direct impact on providers: it requires that they expand their risk management program to address the EHR deployment. But it has a few implications as well: specifically, it implies that they are already compliant with the HIPAA Security Rule (not always a given) and also that the provider is doing risk assessment (the section of the HIPAA Security Rule that 45 CFR 164.308(a)(1) refers to) in the manner that HHS intends. These two points have proven challenging for many providers historically. The intention of HHS relative to risk assessment, as outlined for example in its risk assessment guidance (“Guidance on Risk Analysis Requirements under the HIPAA Security Rule”), is a formal risk assessment process that’s ongoing, documented, and thorough. Formal risk analysis is not something that many organizations do well, so for providers wishing to meet the intent of this requirement, it behooves them to review the risk assessment guidance and evaluate how their current program does (or doesn’t) meet the rigor documented by HHS.
3. Read both rules
The temptation for many providers is to read through the meaningful use final rule and stop there. However, it’s also valuable for providers to understand what security features vendors are specifically required to provide as part of EHR certification. 45 CFR Part 170 (Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule) outlines what security features are must-haves for EHR systems. Specifically, sections § 170.302 and § 170.310 (“General certification criteria for Complete EHRs or EHR Modules” and “Standards for health information technology to protect electronic health information created, maintained, and exchanged” respectively) outline the specific security requirements for certified EHR systems.
Now keep in mind that many institutional providers (hospitals, health systems) will already have EMR systems that contain much of the same code – and potentially much of the same functionality – as these EHR products. Some of the requirements placed on these product vendors (integrity controls, encryption controls, access and audit records) directly address areas that have historically been problematic in a clinical environment. So it’s valuable to understand what vendors are being called upon to provide as part of this change in industry direction.
4. Engage your vendors
After reading through the certification final rule, it’s useful to have a discussion with your vendor(s) about how they implement the required functionality. Many providers have struggled with “addressable” implementation specifications in the HIPAA Security Rule. Because “addressable” controls provide leeway for a provider to address them over time, many providers assume “addressable” is the same as “optional”. Nothing could be further from the truth. HHS outlines in its FAQ (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html) that addressable controls require supporting documentation (decision-making processes, justification, and risk assessment) to support a decision not to implement the control fully. This bar has proved challenging for many providers. But the HHS requirement that certified EHR products support these controls can represent an opportunity for providers that have historically not implemented these addressable implementation specifications.
5. Leverage investments
It’s helpful for providers to keep in mind that investments made as part of meaningful use – particularly that portion of spending that intersects the HIT environment – can directly benefit the security and compliance posture of the organization when done with the involvement of an astute, prepared, and involved security organization. Therefore, it’s helpful for security personnel to become – and stay – involved in the direction the provider takes from a security standpoint. This is particularly important for large institutional providers. Keep abreast of investments your organization is making and stay alert for opportunities to revisit known problematic areas. Risk assessment and addressable controls are certainly areas for particular attention since they’re directly addressed by HHS, but keep in mind that there could be other areas of opportunity as well.
Want to learn more? Review Ed Moyle's presentation on Security and Meaningful Use here:
http://www.iansresearch.com/research/governance-risk-compliance/regulati...
