[ Monday, November 22, 2010 ]
One of the requirements for "meaningful use" of EHRs (which all providers are going to have to show at some point or they'll take lower Medicare/Medicaid reimbursement) is that the provider regularly assess its data security risks. This is also a requirement of the HIPAA Security Rule -- in fact, based on what I've discovered when helping clients meet the HITECH requirements, it's probably the most consistently missed HIPAA requirement.
If you haven't done a risk analysis, you're in violation of the HIPAA Security Rule, plain and simple. If you did one back in 2003 - 2005 before the Security Rule came into play, then you should be consistently redoing it. And if you're not, you might not meet the "meaningful use" rules, either.
Jeff [9:18 AM]