Health care entities need clear guidance on analyzing risk for meaningful use

There is but a single measure related to security and privacy in the “meaningful use” rules that will be used to determine whether health care providers are eligible for incentive payments for the adoption of electronic health record (EHR) technology. As currently stated in the Notice of Proposed Rulemaking published in the Federal Register in January, to demonstrate eligibility providers must “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.” The citation refers to a legal requirement originally stated as one of the required administrative safeguards in the HIPAA Security Rule.

The fact that the privacy and security measure is already an obligation under HIPAA should in theory make this particular measure easy to satisfy for HIPAA-covered entities; the HIPAA Security Rule has been in force since April 2003, and the deadline for entities to fully comply with the rule elapsed in April 2006. Despite this requirement, however, not all healthcare organizations comply: the results of a 2009 security survey of 196 senior-level healthcare professionals conducted by the Healthcare Information and Management Systems Society (HIMSS) found that only 74 percent of these organizations actually perform risk analyses, and of those just over half (55 percent) do so at least annually.

If an organization does not conduct risk analyses, or does but is concerned that its process may not be sufficient to comply with meaningful use, the most helpful thing would be guidance on exactly what is required and what a risk analysis should cover. The government tends to direct entities to guidance from NIST—specifically its Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule—and to CMS’ Security Rule Education Paper Series, especially number 6 in the series, Basics of Risk Analysis and Risk Management. Both of these rely heavily on another NIST document, Special Publication 800-30, Risk Management Guide for Information Technology Systems, for the overall process to be followed.

For those preferring to seek guidance outside the U.S. federal standards, the ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005, Information Security Risk Management, and the risk assessment section of ISO/IEC 27002, Code of Practice for Information Security Management. Anyone looking to follow any of this guidance on risk management or on performing risk analyses should be aware that substantially all of it is written with a focus on risk assessments of individual information systems, not on organizations as a whole. This limitation matters because the risk analysis requirement under the HIPAA Security Rule is not limited to the systems used by covered entities; it focuses instead on the protected health information itself. Organizations looking for a more enterprise-level perspective on assessing and managing risk can find relevant guidance in ISO 31000, Risk Management—Principles and Guidelines, in major IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT®, or in the Risk Management section of the Information Technology Infrastructure Library (ITIL®).