Health IT and Electronic Health

Pabrai on HIPAA/HITECH Compliance

Jul 9 2010   12:11PM GMT

More About Meaningful Use & Compliance

Posted by: Pabrai
CMS, Compliance, HIPAA, HITECH, Meaningful use

The consequence of not complying with HIPAA and HITECH has implications for Meaningful Use. CMS will withhold meaningful use payment from any entity until any confirmed HIPAA privacy or security violation has been resolved. At the state level, State Medicaid administrators will likewise withhold meaningful use payment from any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA's Privacy and Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve.


The Importance of Completing a Security Risk Analysis

According to Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), a security risk analysis is the basis of HIPAA compliance, so all organizations should be doing it (Healthcare Information Society, February 9, 2010). She further stated that a risk analysis is listed as the single requirement in the security area for achieving meaningful use of electronic health record technology (for the Medicare/Medicaid EHR incentive payment program) in the meaningful use notice of proposed rulemaking.


HIPAA Audit Preparedness Required in Several Areas

In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Other areas in which organizations must demonstrate compliance include Audit Controls, Training, Encryption, Contingency Planning and more. Specifically, the IAM processes and capabilities that organizations must review closely for compliance include:

- Establishing user access for new and existing employees
- List of secure authentication methods for users authorized to access EPHI
- Monitoring systems use, both authorized and unauthorized
- Granting, approving, and monitoring systems access (for example, by level, role, and job function)
- Termination of systems access
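The following is an added example, not code from the original post, showing how the IAM capabilities listed above (provisioning, role-based grants, monitoring of authorized and unauthorized use, and termination) can be implemented together in a minimal access-control layer. The role names, permission strings, user IDs and approver names are constructed for illustration; a real EHR system would back this with its own directory and audit store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-to-permission map (hypothetical roles and permission names).
# Access to EPHI is granted by job function rather than per user.
ROLE_PERMISSIONS = {
    "physician": {"ephi:read", "ephi:write"},
    "billing": {"ephi:read"},
    "it_admin": {"audit:read"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True  # set to False on termination; never deleted, so history survives


class AccessControl:
    """Role-based access checks with an append-only audit trail."""

    def __init__(self):
        self.users = {}
        self.audit_log = []  # every provision, termination and access decision

    def _log(self, action, user_id, approved_by, allowed):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "user": user_id,
            "approved_by": approved_by,
            "allowed": allowed,
        })

    def provision(self, user_id, role, approved_by):
        """Establish access for a new or existing employee under an approved role."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.users[user_id] = User(user_id, role)
        self._log("provision:" + role, user_id, approved_by, True)

    def terminate(self, user_id, approved_by):
        """Revoke all access on separation; the account record is kept for audit."""
        user = self.users[user_id]
        user.active = False
        self._log("terminate", user_id, approved_by, True)

    def check(self, user_id, permission):
        """Decide one access request and record the outcome either way."""
        user = self.users.get(user_id)
        allowed = (
            user is not None
            and user.active
            and permission in ROLE_PERMISSIONS[user.role]
        )
        self._log("access:" + permission, user_id, None, allowed)
        return allowed

    def unauthorized_attempts(self):
        """Denied access decisions, the events a reviewer would monitor first."""
        return [e for e in self.audit_log if not e["allowed"]]


def demo():
    """Walk through provisioning, use, termination and post-termination denial."""
    ac = AccessControl()
    ac.provision("alice", "physician", approved_by="privacy_officer")  # constructed users
    ac.provision("bob", "billing", approved_by="privacy_officer")
    results = {
        "alice_write": ac.check("alice", "ephi:write"),  # allowed by role
        "bob_write": ac.check("bob", "ephi:write"),      # denied: billing is read-only
    }
    ac.terminate("alice", approved_by="hr")
    results["alice_after_termination"] = ac.check("alice", "ephi:read")  # denied
    results["unauthorized_count"] = len(ac.unauthorized_attempts())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit log records denials as well as grants, because an auditor asking about "monitoring systems use, authorized and unauthorized" will want evidence of both; deactivating rather than deleting a terminated user keeps that evidence attributable.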


Keep in mind that compliance mandates represent the minimal capabilities that organizations must implement and manage proactively. HIPAA and HITECH are the floor, not the ceiling, of the core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, proactive and integrated.

