How do Meaningful Use requirements overlap with HIPAA compliance requirements?
By: Tod Ferran
If you’d like a more comprehensive dive into the relationship between Meaningful Use and HIPAA, watch this recorded presentation.
Let me quickly answer some common questions healthcare providers have about Meaningful Use and HIPAA.
First, let’s talk about Meaningful Use attestation vs. HIPAA compliance:
Will Meaningful Use attestation count for HIPAA compliance? NO.
Meaningful Use only focuses on your EHR system, while HIPAA is concerned with the entire patient data process. There are many additional aspects required for full HIPAA compliance, and as a note, using a cloud-based EHR does not absolve you of HIPAA requirements.
Will HIPAA compliance count for Meaningful Use attestation? NO.
Both HIPAA and Meaningful Use are concerned with identifying potential security risks. Both require a risk analysis. But the similarities end there. In reality, the overlap between the two is pretty small.
Now let’s talk about your risk analysis:
Will my HIPAA risk analysis cover my Meaningful Use risk analysis? YES.
As long as you’ve done a ‘complete and thorough’ job on your HIPAA risk analysis, it should cover your Meaningful Use risk analysis. If your HIPAA risk analysis is not complete and thorough, not only will it fail your Meaningful Use risk analysis, but will also not be an acceptable HIPAA risk analysis. It’s nearly impossible to perform a proper ‘complete and thorough’ HIPAA risk analysis without some outside security assistance.
Will my Meaningful Use risk analysis cover my HIPAA risk analysis? NO.
Meaningful Use only focuses on your EHR system, while HIPAA is concerned with your entire patient data process. A Meaningful Use risk analysis would only cover a very small part of a HIPAA risk analysis. We’ll discuss this in more detail later.
SEE ALSO: The Most Common Questions About HIPAA, Answered
Similarities between HIPAA and Meaningful Use
![](http://3.bp.blogspot.com/-9rSWH4r0tnU/VMJ2ltNIgpI/AAAAAAAAAyU/7e9OfzY9JBs/s1600/HIPAA_Meaningful%2BUse%2Bcircles-05.png)
When the HHS comes in to do a HIPAA audit or investigation, if you have completed a risk analysis and show demonstrable progress on your Risk Management Plan, they go a lot easier on you.
SEE ALSO: What to Expect with Upcoming HHS Audits
Differences between HIPAA and Meaningful Use
A Meaningful Use risk analysis is:
- Only concerned with the risk of your EHR
- Only required for those participating in Meaningful Use
- Only updated twice (Stage 1 and Stage 2 reporting, so far)
A HIPAA risk analysis is:
- Concerned with the risks of the entire PHI environment (that means the EHR, email encryption, electronic records, paper records, Internet, business associates, servers, workstations, physical security, intake procedures, etc.)
- Required of all covered entities and business associates
- Reviewed and updated on a periodic basis (typically annually)
Synopsis
Meaningful Use and HIPAA are distinctly separate requirements that aren’t that similar after all. Not only is HIPAA compliance required, but it is also considered security best practice throughout the healthcare industry. If you already have a HIPAA compliance program, congratulations! Your risk analysis (if completed) may satisfy a core requirement of Meaningful Use! If you haven’t started on HIPAA compliance yet, this is a great time to start a HIPAA program and kill two birds with one stone!
Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, and risk management plan support, and performs HIPAA and PCI compliance audits. Check out his other blog posts.