Saying "Yes" for Meaningful Use is Way Too Easy


In all the frenzy to chase meaningful use (MU) stage one dollars, there's one major concern that I have seen.  Core objective #15 is too easy to say "Yes" to.  Most of the MU Core Objectives require some attestation information or stats.  But not #15…simply say "yes" or "no".  Say no, and you don't get the dollars. 

It seems that a number of folks gloss right over this one with a perspective like, "Yeah, we're securing our network with passwords, antivirus and such…so sure, we're good on #15". Or, they believe that by having performed some semblance of a risk analysis, they're all set. I am sorry to say, if you're in one of these categories, you're likely treading on some very thin ice and flirting with something called fraud.

It's a Process, Not a Destination

Core measure #15 is not just asking if you are using technology to secure your ePHI. Nor is it just asking if you have performed a risk analysis. It's essentially asking if you have implemented (seriously implemented) the Security Management Process (SMP) that is outlined and required by 164.308(a)(1), the first standard of the HIPAA Security Rule. The SMP is not some one-time task you can knock out in an afternoon. It's an intentional approach to managing the risks affecting, or potentially affecting, your ePHI by:

  • Identifying those risks and potential solutions (164.308(a)(1)(ii)(A) - Risk Analysis),
  • Selecting and implementing solutions to reduce or eliminate the most probable and impactful risks (164.308(a)(1)(ii)(B) - Risk Management),
  • Establishing a culture of compliance in your workforce, and providing for appropriate sanctions for non-compliant actions and/or behavior (164.308(a)(1)(ii)(C) - Sanction Policy), and
  • Regularly reviewing reports and activity for signs of improper use or disclosure of ePHI (164.308(a)(1)(ii)(D) - Information System Activity Review).

Since the risk environment is constantly evolving, these steps are intended to be an ongoing process, not a "one and done" checklist. Now, that can sound overwhelming, especially when you consider that it is only one of the 22 standards in the HIPAA Security Rule. But in practice, it doesn't have to be that way. See, almost everything in the Security Rule, especially the SMP standard, is something you should be doing anyway if you want to safeguard your business from external and internal threats.

If you're attesting for MU, and this is the first time you've looked into the SMP requirement, it certainly can be overwhelming to consider what it will take to get "caught up".  But start now.  Eat the elephant one bite at a time, as they say.  It is a process, not so much a destination…so start the process.



 Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company in 1995 which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.