The pilot HIPAA program conducted by HHS Office of Civil Rights last year brought to light, the disturbing fact that most healthcare providers did not conduct timely risk assessments. The audits clearly revealed that this specific requirement under the rule was not met by many providers. According to OCR, out of the 115 healthcare entities that were audited during the pilot program in 2012, the most commonly seen weakness was the lack of a thorough and timely risk assessment.

Taking this into account, the tiger team plans to explore methods that will call for greater attention to existing requirements in Stage 3, mainly addressing the question whether self-attestation by healthcare entities is an effective means to ensure that risk assessments are being done, and if so are they being done well. A subgroup of the tiger team is likely to examine the effectiveness of the attestation process itself. The tiger team will continue to investigate how best to ensure security in health information exchange, and the team has scheduled a virtual meet on the 24th of June to discuss matters involving non-targeted queries, and to share experiences in dealing with non-targeted queries.

While Stage 1 of the EHR incentive program emphasized that participants in the program should attest that risk assessment has been conducted, Stage 2, which is set to begin in 2014, will require healthcare providers to further attest that their risk assessment addressed encryption for data at rest, and if the data has not been encrypted they have to document what other methods have been used to protect data. Stage 3 goes one step further to check the reliability and effectiveness of the attestation process.

Healthcare entities should therefore prepare themselves well to meet these changing requirements, and a thorough risk assessment should be the first step in this direction. A comprehensive solution such as Aegify Security Posture Management and Aegify SecureGRC is the need of the hour. With built in capabilities that address all risk assessment and health information security needs, this solution can alleviate pressure, simplify compliance, and in turn facilitate meaningful use of EHR.

The post More Emphasis on Risk Assessments in Stage-3 of Incentive Program appeared first on Aegify.