Meaningful Use requires both compliance to HIPAA Privacy and Security and compliance with HITECH Act safeguards.
The HIPAA Security Rule§ 164.316(b)(1) requires HIPAA covered entities to
“Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
HIPAA Covered Entities must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
The HITECH Act, which was enacted as part of ARRA, promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information. While the HITECH Act mirrors HIPAA, it elaborates with specific requirements including:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational, Policies and Procedures and Documentation Requirements
For example, §170.302(o) Access control requires that HIPAA covered entities assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.
If your firm is audited with respect to a Meaningful Use Attestation you will need to provide, among other documents:
- Documentation including budgets for HIPAA privacy and security risk analysis
- Meaningful Use reports from CEHRT (certified E.H.R. technology) and screen shots
- Documentation from the certified E.H.R. vendor
- Clinical quality measure information
If your firm has proof of exclusion from any measure that must be provided as well, though there are no exclusions for HIPAA security or HITECH Act Safeguards.
Policies and procedures must :
“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”
Eligible hospitals and CAHs must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.
Eligible hospitals and CAHs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR. If there are any changes in your E.H.R. or security infrastructure, ensure that you document updated risk assessments.