The HIPAA Act of 1996 created the first rule to protect electronic health information. In 2009, the HITECH Act expanded those rules to business associates. And then, in 2009 when the American Reinvestment and Recovery Act (ARRA), also known as Meaningful Use, was implemented, the importance of how to protect electronic health information started to gain more structure.

The program stated that each organization must perform a Risk Analysis that:

  • Evaluates the likelihood and impact of ePHI risks.
  • Implement appropriate security measures to address risks.
  • Document the chosen security measures.
  • Maintain continuous, reasonable, and appropriate security protections.

In order to obtain meaningful use funds, an organization must attest that the Risk Analysis has been completed and meet the specific program standards and EHR criteria. In addition to the analysis, the organization must document ongoing Risk Analysis that:

  • Regularly reviews the access to ePHI.
  • Reviews the ability to detect security incidents.
  • Periodically evaluate the effectiveness of security measures.
  • Reevaluate potential risks to ePHI.

A sampling of attestations was audited where the organization needed to provide documentation that those processes were completed. If the documentation was not completed, then the organization was required to return the funds.

This happened…When a small community hospital did not complete a small portion of the document, they were asked to return over $500,000 in funds, which was a detrimental loss to the hospital.

The HIPAA regulations also state that an organization must “periodically evaluate the effectiveness of security measures.” OCR audits and oversight have requested organizations to provide documentation annually to these measures. For these reasons, BlueOrange Compliance recommends that an annual assessment be completed along with a process to document (between assessments) the plans for meeting assessment deficiencies.  For organizations that have achieved a 70% or better maturity, BlueOrange has developed a three-year program to keep costs lower.