Final HITECH Act Stage 3 Meaningful Use Rules May Require Annual Risk Analysis plus a Risk Management Component

June 03, 2015, Andrew Hicks, Managing Principal, Coalfire

The comments are in, and HHS is working through them before it issues the final Stage 3 Meaningful Use rules later this summer.  Comments from groups such as CHIME and HIMSS are either good news or bad news for healthcare providers, depending on your perspective.  The HIPAA Security Rule has always required a risk analysis; Stage 3 could add a requirement to conduct or review one annually.
A ‘point-in-time’ risk analysis is simply too risky: for many organizations, a single analysis is left to stand for three years or more.  Riskier still is to conduct a baseline risk analysis and never follow through with the risk management component that addresses the identified risks (the Security Rule requires both, as separate implementation specifications).  The other issue raised in the comments is that healthcare providers are doing only the ‘bare minimum’ when it comes to risk analysis, and that the final rules should give guidance on what an acceptable baseline for a security risk analysis looks like.
Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018; by January 2018, healthcare providers are required to have a certified EHR system in place or face financial penalties.  So perhaps CMS will reach middle ground on the risk analysis issue by requiring providers to conduct a risk analysis only when certified EHR technology is installed or when a new version of it is implemented.
Stage 3 allows healthcare providers to qualify for an additional incentive by meeting a proposed new list of objectives.  One of the proposed requirements is a risk assessment: providers must conduct a risk assessment that looks specifically at risk to the information maintained by their certified EHR technology.
The language in the HHS proposed rule says this: “The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in the certified EHR technology.”  CHIME said that while it agrees with the need to safeguard ePHI, it thinks providers will be confused by the timing of assessments or reviews.  But with all due respect, what is so confusing about requiring an annual assessment, the same way PCI DSS and FedRAMP require one?
The rule may need to go further still: not only requiring an annual risk assessment, but also mandating the use of a third-party assessor organization to conduct it, given that providers seem to be doing the bare minimum when a far more thorough risk analysis is needed.  A continuous monitoring mandate could be added to the rule as well; who knows?
In any case, in a fast-growing healthcare ecosystem there is data all over the place, including in the EHR technology, so there is certainly a need for more thorough risk assessments conducted more often than every three years.  Perhaps this is why we have seen huge demand in the past six months for HITRUST assessments and certifications from both business associates (BAs) and covered entities (CEs): it is truly the only risk framework that fills the need described in the proposed Stage 3 rule for providers.
