
Community Blog

Aug 8 2012   7:00AM GMT

Capitalizing on HIPAA risk assessments

Posted by: Jenny Laurello
EHR, HIPAA, HIPAA Risks, Meaningful use, meaningful use stage 2, MU

Guest post by: Ruby Raley, Director, Healthcare Solutions, Axway

We can do more than merely speculate on how the new ONC guidance for Meaningful Use Stage 2 (MUS2) will affect our plans and goals.

In fact, we can actually put ourselves in a good position to incorporate the guidance into our plans and goals regardless of how many of the MUS2 menu options our teams ultimately choose.

Here’s how.

A quick, top-level assessment of MUS2 shows that 40 percent of its requirements call for healthcare providers to:

  1. Demonstrate that they can exchange clinical information with those outside their organization;
  2. Show strengthened privacy and security around protected health records; and
  3. Conduct HIPAA risk assessments (OCR is, indeed, proceeding with HIPAA audits, though apparently not at a worrisome pace).

I believe that by taking the initiative with item 3 and conducting our own HIPAA risk assessments based on the NIST guidance, we can actually get immediate, instructive value from the guidance as we prepare for MUS2.

Think of your organization as a house. As the custodian, you identify vulnerabilities and threats by walking around the house’s perimeter and looking for ways unauthorized personnel might get inside.

But your evaluation of vulnerabilities and threats doesn’t end there: perhaps you also notice whether or not your attic is insulated for the winter, or whether you should conceal wires from squirrels who might be tempted to chew on them.

Similarly, assessing your HIPAA risks involves more than simply looking for ways hackers might steal or expose your organization’s health records. It involves looking for all vulnerabilities in your organization, including bad guys riffling through your unshredded wastepaper trash, employees absent-mindedly emailing unencrypted records, and the possibility of floods ruining your servers in the basement.

Once you’ve created your list of concerns, you should map that list to your security policies and ask yourself whether those policies will adequately protect your organization.

“Fine,” you then say. “My house is now in order. But how am I supposed to exchange data with others and still comply with MUS2?”

First, identify a common door; that is, build out a central gateway and channel through which information will flow.

Next, devise a plan to build a configurable gateway that will limit risk and ensure health information exchange – all exchange of clinical records – is standardized and governed. It is essential that each new connection to the outside world is executed quickly and easily via a policy-aligned process that uses configurable software.

Finally, ensure that you can monitor all data movement, and that your monitoring capabilities include the ability to provide key decision-makers with governed information about all of that data flow.

The new ONC guidance for MUS2 will affect our plans and goals in some significant ways, but we don’t need to think of it as a burden. Instead, let’s think of it as an advantage, one that prompts us to avoid the financial liabilities of a data breach (from which we may eventually recover) and minimize the possibility of damage to our organizations’ reputations (from which we may never recover).

For more information, please visit
