Risk Assessment and Meaningful Use: Myths and Reality, Part 2

The Meaningful Use rules in both Stage 1 and Stage 2 require providers to conduct a security risk assessment for their EHR, as described and required in the HIPAA Security Rule.  However, several of our security colleagues have faced questions from providers as to both the need and the scope of the risk assessment to be conducted as part of the Meaningful Use activities.  In fact, some providers are assuming that the only risk assessment that needs to be conducted is a limited assessment of the EHR, whether or not they have ever conducted a risk assessment for their organization. With the average cost of a data breach in America for a large organization estimated to be approximately $5.4 million, we would suggest this is a risk worth managing.

We recently interviewed some experts in this area to explain the issues around risk assessments and meaningful use. They included Carolyn Hartley, Susan Schulte, Jeff Sobotka and Chris Johnson. Part one of this interview was published in last month’s Business Edge. We conclude this two-part series with details about the inclusion of the security risk analysis in the EHR Meaningful Use (MU) program.

Susan, what is the difference between security risk analysis for Meaningful Use (MU) and HIPAA?
Risk Analysis is the backbone of the HIPAA Privacy Rule/Health Information Technology for Economic and Clinical Health (HITECH) Act; it is currently gaining notoriety from the association with Meaningful Use as a Core Measure to be met to ‘successfully’ prove MU of an electronic medical record (EMR)/electronic health record (EHR).

If you run a compliant HIPAA Security Risk Analysis (SRA) to satisfy the Risk Analysis Requirements under the OCR-HITECH Act (45 C.F.R. §§ 164.302–318), it will satisfy the requirement for the Meaningful Use Security Risk Assessment (SRA) (45 C.F.R. § 164.308(a)(1)).

However, if you run an SRA per MU it will NOT satisfy all of the requirements for a compliant HIPAA SRA; it is only one measure in a series of actions to provide documentation and ensure security of electronic patient health information.

In summary, MU SRA is a way for federal agencies to overlap and strengthen support of the HIPAA HITECH Privacy and Security Risk Rule.

SRA is becoming a recognized term and challenge in healthcare, a necessary action to be performed as part of operating a compliant medical practice.

Jeff, what are the Meaningful Use requirements for risk assessment?
In Stage 1 and 2, eligible professionals must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary and correct identified security deficiencies as part of their risk management process. For Stage 2, eligible professionals need to meet the security risk analysis requirements and must also address the encryption/security of data at rest.

A security risk analysis needs to be conducted or reviewed during each reporting period for Stage 1 and Stage 2. 

  • Review the existing security infrastructure in your medical practice against legal requirements and industry best practices.
  • Identify potential threats to patient privacy and security and assess the impact on the confidentiality, integrity and availability of your e-PHI.
  • Prioritize risks based on the severity of their impact on your patients and practice.

The requirements for Stage 2 are the same as those for Stage 1, except for addressing data at rest.

Carolyn, if you’ve not done a risk analysis but said you were a meaningful user and obtained incentive funds, what should you be doing?
1) Make friends with a health law attorney. If you attested “yes” to having completed an SRA, received MU funds, but later discover an SRA is not in place, you will need a legal strategist to advise your board of directors how to return the funds and minimize penalties. Don’t put this off hoping not to be discovered.

2) Show good faith. If you didn’t complete an SRA in 2005 or any year subsequent to the HIPAA Security Rule’s enforcement date, the next best time is now. Identify your risks using a risk assessment tool.

3) Expect to be audited. The Office for Civil Rights (OCR) found that audits are a more effective compliance tool than responding to complaints. Providers are more likely to protect health information if training and penalties are top of mind. Of the covered entities included in OCR’s 2011-2012 security audits, 53% of hospitals and 65% of providers failed the security audit; 20 of 35 health plans demonstrated incomplete or inaccurate risk assessments. The combined data helped inform OCR on its enforcement strategies. On the heels of the security audits’ success, OCR will roll out privacy audits in 2014-2015.

Jeff Sobotka, MBA, CPHIT, CHP heads the HIT consulting practice of The Sobotka Group.

Susan Schulte is the Medical Solutions Specialist for Center for Computer Resources, a leading Managed Service Provider for the state of Michigan.

Carolyn Hartley is President, CEO of Physicians EHR, and assists health care providers with MU and OCR audit defense.