Physicians participating in the electronic health record (EHR) incentive program must comply with meaningful use measures. One of the measures requires physicians to "protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities."
The rule requires physicians to "conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
The Office of the National Coordinator (ONC) oversees compliance with the meaningful use incentive program and offers a tool to help practices comply with the security risk analysis. The tool gives instructions as well as forms that can be filled in by the physician or designated HIPAA officer.
The purpose of a risk assessment is to identify conditions where electronic protected health information (EPHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is used to make risk management decisions on the reasonable and appropriate safeguards needed to reduce risk to an acceptable level. This tool provides helpful information, but does not guarantee HIPAA or meaningful use compliance. The practice must ensure that appropriate policies and procedures are always followed and that the requirements of the specific rules are satisfied.
TMA recognizes the complexities of compliance with the federal EHR incentive program and encourages physicians to contact their local regional extension center (REC), which the ONC established to help with program compliance. The RECs can help all physicians. Details about the REC program are available on TMA's Regional Extension Center Resource Center.
For more information, call the TMA Health Information Technology Department at (800) 880-5720 or email HIT@texmed.org.
Action, Oct. 15, 2012