Posted by: Pabrai
CMS, Compliance, HIPAA, HITECH, Meaningful use
The consequence of not complying with HIPAA and HITECH has implications related to Meaningful Use. CMS will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved. At the state level, State Medicaid administrators will also withhold meaningful use payment for any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy & Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve.
The Importance of Completing a Security Risk Analysis
According to Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), a security risk analysis is the basis of HIPAA compliance, so all organizations should be doing it (Healthcare Information Society, February 9, 2010). She further stated that a risk analysis is listed as the single requirement in the security area for achieving meaningful use of electronic health record technology (for the Medicare/Medicaid EHR incentive payment program) in the meaningful use notice of proposed rulemaking.
HIPAA Audit Preparedness Required in Several Areas
In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Other areas in which organizations must demonstrate compliance include Audit Controls, Training, Encryption, Contingency Planning and more. Specifically, the IAM processes and capabilities that organizations must review closely for compliance include:
· Establishing user access for new and existing employees
· List of secure authentication methods for users authorized to access EPHI
· Monitoring systems use – authorized and unauthorized
· Granting, approving, and monitoring systems access (for example, by level, role, and job function)
· Termination of systems access
Keep in mind that compliance mandates represent the minimal capabilities that organizations must implement and manage proactively. HIPAA and HITECH are the floor, not the ceiling, of the core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, proactive and integrated.