I happened to read this article from Information Week Healthcare and was especially interested in the quote reproduced below:
“CHIME also raised the issue of excessive auditing of providers in the Meaningful Use program, which can lead to auditors looking beyond attestation to Meaningful Use. Hickman cited auditors who, according to other CIOs, have pried into whether the use of certified EHRs to protect security complies with the latest HIPAA regulations.”
As we know, the Stage 1 core objective requires that all providers conduct a security risk analysis of the EHRs (see here for a related post) and have at least an actionable plan to remediate the discovered deficiencies. To that extent, CMS has clarified that this Stage 1 core objective is something that providers should be doing anyway for compliance with the “Required” Security Risk Analysis Implementation Specification in the HIPAA Security Rule.
So, my question, based on the issue raised by CHIME as quoted in the article, is this: are the MU auditors really looking for compliance with the HIPAA Security Rule, or are they looking for whether the risk analysis was performed as required by the MU core objective? Clearly, within the scope of the MU audits, they should be looking at the procedures and the results of the risk analysis performed before the end of the reporting periods. (See highlighted below and the full CMS document here).
I think, though, that CHIME’s issue might be with the amount of detail and the procedures that the auditors may be looking for. In my opinion, a good Security Risk Analysis should evaluate the effectiveness of not just the technical controls implemented in the EHRs but also the related people and process controls. When you put the relevant controls in all three categories together, it is almost always the case that these controls should (minimally) cover most if not all of the standards and implementation specifications of the HIPAA Security Rule. The HIPAA Security Rule hasn’t been changed in nearly ten years (except for making Business Associates directly responsible in the Omnibus Rule that went into effect in March 2013) and, in my opinion, sets a rather low bar for security in today’s world of evolving and advanced threats. So, a Security Risk Analysis of an EHR should be a lot more comprehensive in its range of controls than the standards and implementation specifications of the Security Rule (leaving out the risk analysis specification of the Security Rule, of course).
This leads me to speculate that CHIME’s issue with the auditors could be somewhat unfounded. I want to highlight “speculate” because I don’t quite know what the auditor(s) in question may have been looking at.
It will be interesting to hear feedback from folks that have some first-hand experience with the MU audits.