The HITECH Act pays providers up to $44,000 under Medicare or $63,750 under Medicaid for adopting and demonstrating meaningful use of a certified Electronic Health Record (EHR) system. Because the government is spending that much money, it has a vested interest in making sure providers actually meet the requirements: the Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) has announced that 10% of Meaningful Use incentive recipients will be audited.
Meaningful Use core objective 15 requires providers to conduct or review a security risk analysis, which the HIPAA Security Rule already requires of every covered entity. Every other Meaningful Use requirement can be addressed directly through the EHR itself; the risk analysis cannot, because it must cover all of the provider's electronic protected health information (ePHI) and the systems that touch it, not just the EHR software. As a result, it tends to get overlooked or pushed to the back burner during attestation.
Providers who fail to complete a risk analysis, or who perform an inadequate one, risk losing their incentive payment if audited. NIST SP 800-30 (Guide for Conducting Risk Assessments) is the most widely used methodology, and HHS's own guidance on the HIPAA risk analysis requirement cites it. Ask your vendor whether their assessment follows the 800-30 process: identify threats and vulnerabilities, assess likelihood and impact, determine risk, and document the results. An assessment that skips those steps may not be thorough enough to satisfy HIPAA or a Meaningful Use auditor. Keep the written documentation as well; the Security Rule requires it to be retained for six years, and it is the first thing an auditor will ask for.
We partner with ACR2 Solutions to provide our risk assessments. Their web-based product follows the NIST SP 800-30 methodology and accepts log files from UTM appliances and vulnerability scanner results as input. Please contact us at firstname.lastname@example.org if you would like help conducting a risk assessment.