Providers slacking on Meaningful Use risk assessments

Providers hoping to achieve Meaningful Use need to be more diligent about conducting thorough risk assessments annually, a recent report released by CSC Global Healthcare Group maintains.

Under the rules for both Stage 1 and Stage 2 of the electronic health record incentive program, meaningful users must conduct a security risk assessment in accordance with HIPAA's security rule. In addition, any identified deficiencies must be corrected.

However, many providers either are not conducting or reviewing their risk assessments annually, or aren't conducting an assessment rigorous enough to meet the Meaningful Use requirement, report author Jared Rhoads, a senior research specialist with CSC, tells FierceEMR.

The report specifically points out that only 47 percent of large healthcare organizations responding to a survey conducted such assessments. What's more, close to 60 percent of responding organizations said they had no security personnel or resources deployed for such a task, at all. "This will have to change if organizations wish to protect their patients' PHI and participate in the EHR incentive program," the report says.

Says Rhoads: "It's harder than just meeting a measure because it's more open ended. What is a good risk assessment? How do you know when you're compliant? The incentive program language is vague. The designers of the incentive program don't give a lot of information.

"A lot of it is a judgment call," he adds.

The study recommends that providers take key steps to complete meaningful use risk assessments, including using certified EHR technology, including business associates in the evaluation, and securing the whole environment, not just the EHR itself.

To learn more:
- here's CSC report (.pdf)