December 31st is fast approaching and if your healthcare organization hasn’t completed your Meaningful Use Risk Assessment for 2013 you’d better get busy. If you miss the deadline, you may have to return a full year of EHR (Electronic Health Record) incentive payments.
Your EHR or EHR components must meet the standards set by the Office of National Coordinator for Health Information Technology (ONC). An up-to-date list is posted on the ONC’s website at: http://oncchpl.force.com/ehrcert
To receive EHR incentive payments, you must demonstrate that you have met the criteria for the EHR Incentive Program’s privacy and security objective and ensure adequate privacy and correct any identified deficiencies. Plus a Meaningful Use Risk Assessment must be conducted at least once prior to the beginning of an EHR reporting period (annually).
The EHR Incentive Program and the HIPAA Security Rule don’t mandate how the risk assessment should be done. This is left up to you. Below are commonly recommended steps for performing an assessment:
- Identify the scope of the analysis
- Gather data
- Identify and document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Determine in the level of risk
- Identify security measure and finalize documentation
- Develop and implement a risk management plan
- Implement security measures
- Evaluate and maintain security measures
You will need to attest to CMS (Centers for Medicare and Medicaid) or your State that you have conducted the Assessment and have taken any corrective actions to eliminate the security deficiency or deficiencies identified in the Risk Assessment.
Tech Officers is working around the clock to ensure assessments are performed, so be sure your Risk Assessment is completed by December 31, 2013. For more information call us at (415) 963-9900 or email us immediately at firstname.lastname@example.org.