Given that a misrepresentation of the facts during attestation could result in civil and criminal penalties, what does a health care executive need to feel comfortable about before signing on the dotted line?
Since the meaningful use objective for security and privacy requires a HIPAA Security Rule-based risk analysis, we know the examination must include scoping, data collection, identification and documentation of potential threats and vulnerabilities, as well as an assessment of current security measures.
To achieve this, scope the assessment to the electronic health record (EHR) technology implemented to support “meaningful use,” defined as achieving significant improvements in care. Address only those general (organizational) controls that affect the confidentiality, integrity and availability of the electronic protected health information (ePHI) contained in the system, and include only the relevant applications, interfaces and infrastructure within the system scope. Examples include all servers that run any module of the certified EHR; the wide and local area networks connected to the EHR; system interfaces, end-user devices and vendors with access to ePHI in the EHR system; and the people, processes, policies and standards that govern those components.
When assessing, focus on high-risk areas, which can be identified from recent breach data, and conduct a top-down control analysis. Collect only enough evidence to support your assessment of a control’s effectiveness and then move on; it does not take much to determine whether a control is absent or not working as intended.
Also, formally report control deficiencies and corrective action plans to executive management. Failure to take reasonable and appropriate measures to remediate identified deficiencies is contrary to the intent of the HIPAA Security Rule and could expose an entity to penalties for making false statements during attestation. Further, track control status and remediation progress against industry benchmarks, which also helps determine the relative priority of corrective actions. Finally, consider using a health care-specific assessment methodology that incorporates these recommendations.
Obtain and use a governance, risk and compliance tool to manage the workflow associated with assessment and remediation, retain assessment data and provide automated reporting.
And, above all, make sure the executive attesting to meaningful use is kept informed about ongoing risks, control updates and remediation status. It is their signature on the dotted line.
There are some basic guidelines to consider when shopping for an assessment, says Bryan Cline. First, make sure the methodology demonstrates reasonable practices.
To achieve that, it is vital to select a sound risk assessment methodology that aligns control decisions with industry standards and best practices, he says.
Serious efforts needed
Assessments should be efficient as well. Because “meaningful use” focuses on certified EHR systems, limit the assessment to them, use sampling techniques across similar facilities, and take remediation seriously.
Managing the portfolio
This can be done by developing sound corrective action plans, but don’t over- or undercommit, says Cline. Instead, actively manage remediation as a portfolio of initiatives.