Security Risk Analysis for Meaningful Use

One of the core meaningful use measures is the security risk analysis.

“Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process”

There are no exclusions. The ONC has published a document, the Small Practice Security Guide, which can be helpful.

Here’s how to perform the Security Risk Analysis:

  1. Print this document and the pages it links to. Keep the printout on file, in case an audit asks you to “prove that you did the security and risk analysis”.

  2. Conduct a Risk Analysis. Read each item and look at the default VersaForm answer to each question. Add comments if desired (the comment can be left blank). Sign or initial, and date each item.

  3. Do a Risk Management Assessment. This has four sections. For each section, read each item and look at the default VersaForm answers. Add comments if desired. Sign or initial, and date each item.

  4. Implement an Employee Sanction Policy. For guidance, you can use the sample policy.

  5. Perform Periodic Information System Activity Reviews.

    • Look at the VersaForm audit report. See if there are any irregularities, unauthorized access, or other issues.
    • Fill in a row in the Audit Log, with the date of the review, the name/initials of the reviewer, any findings (e.g. “none”), and actions needed (e.g. “none”).
    • Add a new row for each review. Weekly is suggested.

  6. At least monthly:

Congratulations!

Once you’ve done this, you can attest to having done a Security Risk Analysis. Keep your printouts in case of audits by CMS later on.

Risk Analysis

Conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Definitions of the terms:

Confidentiality – the property that electronic health information is not made available or disclosed to unauthorized persons or processes.

Integrity – the property that electronic health information has not been altered or destroyed in an unauthorized manner.

Availability – the property that electronic health information is accessible and useable upon demand by an authorized person.

The ONC document lists a series of “Questions to Ask Yourself” for each of these areas – confidentiality, integrity and availability. Reviewing each of these items constitutes a good-faith effort to perform a security risk review, and the signed, dated printout serves as evidence supporting attestation of the Meaningful Use criterion. The answers should describe the practice's own systems, workforce and locations, since the rule calls for a thorough assessment of the risks to the ePHI the practice actually holds. We suggest the practice print out the attachments, check, sign and date them, and keep them for reference.

Open the Risk Analysis page and print it.

Risk Management

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).

The security standard referenced here is as follows:

164.306 - Security Standards: General Rules

(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

The ONC resource lists a series of “Questions to Ask Yourself” around identifying administrative, physical, and technical safeguards for electronic health information. These have been assembled into several checklists, below. We suggest the practice print out the attachments, check, sign and date them, and keep them for reference.

Open the Risk Management page and print it.

Employee Sanction Policy

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

A practice should create an employee policy regarding sanctions for any failure to comply with the security policies identified above. The sample Sanction Policy is adapted from a brief published by the American Health Information Management Association (AHIMA) in 2009.

Open the Sanction Policy Example page and print it.

You can also copy the text on the page, paste it into a document and edit it, if you wish.

Information System Activity Review

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

A practice should periodically review the VersaForm Audit report, and document any findings.

You can create an audit log in a word processor or spreadsheet.

We have a doc file with a sample Audit log that you can download and modify for your use.
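As an added example, and not code from this page, from VersaForm or from the ONC guide, the following Python script carries out the activity review described in this section and in step 5 of the procedure above: it reads audit-report lines, flags the kinds of irregularities the page names (unauthorized access and other issues), and produces the date / reviewer / findings / actions row for the Audit Log. The column layout of the report, the sample lines, the workforce roster, the business hours and the thresholds are all constructed assumptions; VersaForm's real export format is not shown on this page, so adapt `parse_report` to it.

```python
"""Periodic information system activity review over a constructed audit report.
Added example; not VersaForm's own code or export format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines.  The column layout (timestamp,user,action,result,patient)
# is an assumption; VersaForm's real audit report is not shown on the page.
SAMPLE_AUDIT_REPORT = "\n".join([
    "2013-03-04 08:12:31,jsmith,LOGIN,OK,-",
    "2013-03-04 08:15:02,jsmith,VIEW_CHART,OK,PT-1001",
    "2013-03-04 09:40:17,mlee,VIEW_CHART,OK,PT-1002",
    "2013-03-04 22:47:55,mlee,VIEW_CHART,OK,PT-1003",    # after hours
    "2013-03-05 07:59:10,tbrown,LOGIN,FAIL,-",
    "2013-03-05 08:00:01,tbrown,LOGIN,FAIL,-",
    "2013-03-05 08:00:40,tbrown,LOGIN,FAIL,-",
    "2013-03-05 08:01:15,tbrown,LOGIN,FAIL,-",            # four failures in a row
    "2013-03-05 10:02:00,rwilson,VIEW_CHART,OK,PT-1004",  # not on the roster
] + [f"2013-03-06 13:{i:02d}:00,jsmith,VIEW_CHART,OK,PT-{2000 + i}"
     for i in range(25)])                                 # bulk chart access

AUTHORIZED_USERS = {"jsmith", "mlee", "tbrown"}  # assumed current workforce roster
BUSINESS_HOURS = range(7, 19)                     # 07:00 to 18:59, assumed
FAILED_LOGIN_LIMIT = 3                            # per user per day, assumed
BULK_VIEW_LIMIT = 20                              # distinct charts per user per day, assumed


def parse_report(text):
    """Yield one event dict per non-empty line of the report."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, result, patient = line.split(",")
        yield {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               "user": user, "action": action, "result": result,
               "patient": patient}


def review_activity(text, authorized=AUTHORIZED_USERS):
    """Return a sorted list of findings, or [] when nothing looks irregular."""
    findings = set()
    failed = defaultdict(int)   # (user, day) -> failed login count
    charts = defaultdict(set)   # (user, day) -> distinct patient ids viewed
    for ev in parse_report(text):
        day = ev["time"].date().isoformat()
        # 1. Activity by anyone who is not a current, authorized workforce member.
        if ev["user"] not in authorized:
            findings.add(f"activity by user not on roster: {ev['user']} "
                         f"({ev['action']} at {ev['time']})")
        # 2. Repeated failed logins (possible guessing of a password).
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failed[(ev["user"], day)] += 1
        if ev["action"] == "VIEW_CHART" and ev["result"] == "OK":
            charts[(ev["user"], day)].add(ev["patient"])
            # 3. Chart access outside the practice's business hours.
            if ev["time"].hour not in BUSINESS_HOURS:
                findings.add(f"after-hours chart access: {ev['user']} viewed "
                             f"{ev['patient']} at {ev['time']}")
    for (user, day), n in failed.items():
        if n >= FAILED_LOGIN_LIMIT:
            findings.add(f"{n} failed logins for {user} on {day}")
    # 4. One user opening an unusually large number of distinct charts in a day.
    for (user, day), ids in charts.items():
        if len(ids) > BULK_VIEW_LIMIT:
            findings.add(f"{user} viewed {len(ids)} distinct charts on {day}")
    return sorted(findings)


def audit_log_row(review_date, reviewer, findings):
    """One row for the Audit Log: the date, reviewer, findings and actions columns."""
    return {
        "date": review_date,
        "reviewer": reviewer,
        "findings": "; ".join(findings) if findings else "none",
        "actions": "investigate and document each finding" if findings else "none",
    }


if __name__ == "__main__":
    row = audit_log_row("2013-03-08", "JS", review_activity(SAMPLE_AUDIT_REPORT))
    for column, value in row.items():
        print(f"{column}: {value}")
```

The four checks are ordinary starting points for a small practice, not a complete detection policy: keep the roster current when staff leave (a former employee's account still being used is exactly the "unauthorized access" the review is meant to catch), and record the reviewed date range along with the row so a later audit can see that every week was covered.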