The need for periodic risk assessments in healthcare will receive continued emphasis, as federal advisers are now considering options for reinforcing the importance of risk assessment in Stage 3 of the EHR Incentive Program under the HITECH Act. The HIT Policy Committee recently asked its Privacy and Security Tiger Team to consider which HIPAA Security Rule provisions should be highlighted in the attestation requirements, and the tiger team is now considering options for raising awareness of the importance of risk assessments in Stage 3.
The pilot HIPAA audit program conducted by the HHS Office for Civil Rights (OCR) last year brought to light the disturbing fact that most healthcare providers did not conduct timely risk assessments. The audits clearly revealed that many providers were not meeting this specific requirement of the Security Rule. According to OCR, among the 115 healthcare entities audited during the 2012 pilot program, the most commonly observed weakness was the lack of a thorough and timely risk assessment.
Taking this into account, the tiger team plans to explore methods of drawing greater attention to existing requirements in Stage 3, mainly addressing whether self-attestation by healthcare entities is an effective means of ensuring that risk assessments are being done and, if so, whether they are being done well. A subgroup of the tiger team is likely to examine the effectiveness of the attestation process itself. The tiger team will also continue to investigate how best to ensure security in health information exchange; it has scheduled a virtual meeting on the 24th of June to discuss matters involving non-targeted queries and to share experiences in dealing with them.
Stage 1 of the EHR Incentive Program required participants to attest that a risk assessment had been conducted. Stage 2, set to begin in 2014, will require healthcare providers to further attest that their risk assessment addressed encryption of data at rest and, where data has not been encrypted, to document what other safeguards have been used to protect it. Stage 3, as currently under discussion, would go one step further by checking the reliability and effectiveness of the attestation process itself.
Healthcare entities should therefore prepare themselves well to meet these changing requirements, and a thorough risk assessment should be the first step in that direction. A comprehensive solution such as Aegify Security Posture Management and Aegify SecureGRC is the need of the hour. With built-in capabilities that address risk assessment and health information security needs, such a solution can alleviate pressure, simplify compliance, and in turn facilitate meaningful use of EHR.