Meaningful Use, HIPAA and Security Risk Analysis

Meaningful Use Core Measure for HIPAA Risk Analysis

Pete Niner
Director, Techumen

A couple of weeks back we asked Pete Niner of Techumen to join us on one of our MU Live! webcasts to talk specifically about the meaningful use core measure related to security risk analysis. Not surprisingly, we had a number of questions from our member audience. Here’s a rundown of a few of the questions Pete fielded.

Q: What is the status of the Final Rule?
A: By “Final Rule”, most mean “Stage 1 Criteria for Meaningful Use”, just to clarify. The Stage 1 meaningful use criteria were finalized on 7/16/2010 and published in the Federal Register on July 28, 2010. Attestation for the Medicare EHR Incentive Program began April 18th and the first payments went out in May. Looking to the future, the draft stage 2 definitions were released on Jan 12, 2011. The public comment period ended on Feb 25th. CMS will publish their proposed rules for Stage 2 either by the end of this year or early in 2012, and go into effect next summer. So far, no additional security measures are proposed for Stage 2 Meaningful Use.

Q: Can you clarify the meaningful use objective pertaining to Risk Analysis?
A: There are three points: perform a security risk analysis, apply security updates as needed, and remediate any problems that the risk analysis discovers.

Q: Is there any difference between the requirement of Core Measure 15 and existing HIPAA regulations that providers and practices should have been compliant with over the past 5 years?
A: No. CMS has stated that they’re not using the meaningful use criteria to introduce any new security requirements. So, this should be nothing new to anyone. Performing a security risk analysis is required by the HIPAA Security Rule, as is “Apply security updates as needed” – both of those are administrative safeguards in the Security Rule. The requirement to remediate any problems means that if you do find some problems, you can’t ignore them and have to do something about them.

Q: What is the minimum threshold or minimum benchmarks EPs and EHs need to look at?
A: It’s a yes/no attestation – either you’ve done this or you haven’t.

Q: What publicly available risk assessment tools would satisfy the Core Measure 15 requirement?
A: Neither the Security Rule nor CMS prescribe a specific risk analysis methodology. That said, the NIST has a document out that CMS refers to frequently, called NIST Special Publication 800-30 “Risk Management Guide for Information Technology Systems”, which spells out a methodology. 800-30 is useful because it’s technology-independent and can scale to fit any size organization. OCR also has some guidance on their website. As for actual tools, the only one you need is Word. Document what you did, the estimates and assumptions you made, the methodology you followed, and the threats, vulnerabilities, likelihoods, risks, and controls you analyzed.

Q: Does the requirement to “correct identified security deficiencies as part of its risk management process” mean that before you can reach meaningful use you have to correct all deficiencies?
A: There is no guidance from CMS on just what “correct” means. KPMG was awarded a contract a few weeks ago to develop the audit plans, so that is a work in progress. So the following is only an unofficial interpretation. Yes, you need to fix deficiencies. However, if you have a good plan in place and can show action on it, you’ll be better off than many for an audit. Secondly, there are many ways to fix deficiencies. While you are implementing a permanent technical fix, you can add additional manual or process controls to bridge the gap until it’s in place – such as more frequent log file review, extra levels of approval, one-time passwords for unencrypted transmissions, that sort of thing. So while you are working on the permanent fix, you can add some temporary ones to correct the deficiencies in the meantime.
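The two answers above (document threats, vulnerabilities, likelihoods, risks and controls following SP 800-30; track interim controls until the permanent fix lands) can be made concrete with a small risk register. The following is an added example written for this page, not code from the webcast, Techumen or CMS. It assumes the qualitative scales from NIST SP 800-30 (2002): likelihood Low/Medium/High valued 0.1/0.5/1.0, impact Low/Medium/High valued 10/50/100, and risk levels Low (1 to 10), Medium (over 10 to 50) and High (over 50 to 100). The findings in `sample_register()` are constructed for a hypothetical small practice.

```python
# Added example (not from the webcast or Techumen): a minimal risk register
# applying the likelihood x impact rating from NIST SP 800-30 (2002) and
# recording, per finding, the permanent fix and any interim compensating
# control that bridges the gap until that fix is in place.
from dataclasses import dataclass, field
from typing import List

# Numeric values SP 800-30 (2002) assigns to its qualitative scales (assumed).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def rate(score: float) -> str:
    """Map a likelihood x impact product onto the SP 800-30 risk levels."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Control:
    description: str
    permanent: bool      # False = interim / compensating control
    implemented: bool


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str      # "Low" | "Medium" | "High"
    impact: str          # "Low" | "Medium" | "High"
    controls: List[Control] = field(default_factory=list)

    def score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        return rate(self.score())

    def status(self) -> str:
        """Corrected once a permanent control is live, bridged when only
        interim controls are live, open when nothing has been implemented."""
        live = [c for c in self.controls if c.implemented]
        if any(c.permanent for c in live):
            return "Corrected"
        if live:
            return "Bridged (interim control)"
        return "Open"


def sample_register() -> List[Risk]:
    """Constructed findings for a hypothetical small practice (not real data)."""
    return [
        Risk("Laptop with EHR client", "Theft or loss", "Disk not encrypted",
             "Medium", "High",
             [Control("Full-disk encryption rollout", permanent=True, implemented=False),
              Control("Laptops locked in office overnight; weekly inventory check",
                      permanent=False, implemented=True)]),
        Risk("Claims transmission", "Interception in transit",
             "Sent over unencrypted FTP", "Low", "Medium",
             [Control("Move to SFTP with the clearinghouse", permanent=True, implemented=True)]),
        Risk("EHR application server", "Malware / unpatched exploit",
             "Security updates applied ad hoc", "High", "High", []),
    ]


def report(register: List[Risk]) -> List[dict]:
    """Rows for the written risk analysis, highest risk first."""
    rows = [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "likelihood": r.likelihood, "impact": r.impact,
             "score": r.score(), "level": r.level(), "status": r.status()}
            for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def open_findings(register: List[Risk]) -> List[str]:
    """Assets with no implemented control at all: the items an auditor would
    expect to see a dated action plan for."""
    return [r.asset for r in register if r.status() == "Open"]


if __name__ == "__main__":
    for row in report(sample_register()):
        print(f"{row['level']:6} {row['score']:5.1f} {row['status']:26} "
              f"{row['asset']}: {row['vulnerability']}")
```

The `status` field is the part that matters for the "correct identified deficiencies" question: a finding whose permanent fix is still pending but whose interim control is implemented is reported as bridged rather than open, while the ad hoc patching finding, which has nothing in place, is what surfaces in `open_findings()` and needs a plan attached before attestation.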

Q: Is there any evidence that HHS will adopt the HITRUST Common Security Framework as their HIPAA Certification standard?
A: No, they will not. As mentioned above, HHS does not recommend a specific methodology. In the odd event they do, it will be a public one such as the NIST framework mentioned earlier, and not a private one with a hefty price tag attached.

Q: Do EHR vendors play a role in this measure and if yes, what?
A: This is the only core measure that cannot be provided by the EHR system; as such, it is entirely up to the EP or EH to perform.

Q: This is an “attestation only” measure. What documentation should a practice submit to CMS (if any)? What documentation should be kept on file?
A: As it is an “attestation only” measure, no documentation needs to be submitted. In case of an audit, you should retain the risk analysis report, a review history, and the agreed-upon corrective actions that you’ll take.

Pete Niner is a Director at Techumen, and has over 12 years’ experience in the information technology and security field, with particular focus on the healthcare, telecom, and financial industries. Pete has a B.S. from the University of Pennsylvania’s Wharton School and is a Certified Information Systems Security Professional. Contact him at
