Meeting the Meaningful Use Security and Privacy Measure
Meeting the MU Security Measure
- Conduct a risk analysis
- Complete a risk management assessment
- Implement an Employee Training Program and Employee Sanction Policy
- Perform a system security review
Why? Ensuring the privacy and security of electronic health information is:
- Required by HIPAA
- A Meaningful Use requirement
- Good practice
Why? The Meaningful Use objective is: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
The specific Meaningful Use measure is: Conduct or review a security risk analysis, implement a risk management assessment and security updates as necessary, and correct identified security deficiencies as part of its risk management process.
There are no exclusions to this measure. Everyone must conduct a review.
The ONC has published a guide for small practices, http://www.healthit.gov/sites/default/files/small-practice-security-guide-1.pdf, which can be helpful.
What does my eCW assure? Tools available in the system to assure:
- Access control
- Emergency access
- Automatic log-off
- Audit log
- Integrity
- Authentication
- General encryption
- Encryption when exchanging electronic health information
Action Items!!
- Risk Analysis
- Risk Management Plan
- Training and Sanction Policy
- Periodic Activity Review
Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the practice.
Risk Analysis
- Confidentiality: electronic health information is not made available or disclosed to unauthorized persons or processes.
- Integrity: electronic health information has not been altered, compromised or destroyed in an unauthorized manner.
- Availability: electronic health information is accessible and usable upon demand by an authorized person.
Risk Analysis
- Perform the risk analysis (sample provided)
- Print out your risk analysis
- Insert comments
- Initial and sign
- Keep as a reference
Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Risk Management
- Ensure the confidentiality, integrity, and availability of all electronic protected health information.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such protected health information.
- Ensure compliance.
Risk Management
- Print out the checklist
- Review and answer the checklist
- Comment, initial and sign
- Keep for reference
Training and Sanctions
- Assure your privacy and security guidelines are followed
- Train all employees on privacy and security (tools available on the CIQN website)
- Keep documentation of training
- Develop employee sanctions for violating security and privacy
CIQN Website
Information system activity review
- Complete a review of the audit log indicating who had access to your EHR
- Document any findings
- Use a log to document
Audit Logs
- Passwords allow you to restrict access to the minimum level a user needs
- Allow for auditing of the system to verify it is being used appropriately
Audits show:
- Who is using the system
- For what purpose
- What time of day the system is being accessed
Regular audits:
- Ensure the security and privacy of the EHR
- Discourage unauthorized use
- Identify inappropriate use
Viewing the User Log
Logs of all the log in and log out activity can be viewed by date by system administrators. To view User Logs:
1. From the Admin band in the left Navigation Pane, click the User Logs icon. The User Logs window opens, displaying the User Logs for today's date.
2. To view the User Logs for a different date:
   a. Click the arrow next to the All Logs field. A popup calendar opens.
   b. Click the desired date. The popup calendar closes and the selected date is placed in the All Logs field.
   c. Click the Go button. The User Logs for the selected date display.
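The activity review described above (who used the system, at what time of day, and whether use looks appropriate) can be made repeatable by summarizing an exported user log. The script below is an added example, not part of this deck or of eClinicalWorks; it assumes a hypothetical comma-separated export of user, action and timestamp, and constructs a few sample lines to run against.

```python
"""Summarize a constructed EHR user-log export for the periodic activity review.
The user,action,timestamp format is an assumption, not eClinicalWorks' real export."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export (hypothetical format): user,action,timestamp
SAMPLE_LOG = """\
jsmith,login,2013-04-02 08:05:00
jsmith,logout,2013-04-02 17:02:00
mlee,login,2013-04-02 23:40:00
mlee,logout,2013-04-03 00:15:00
tchen,login,2013-04-02 09:30:00
"""

# Assumed practice hours; logins outside this window are flagged for review
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Turn the export into (user, action, datetime) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, action, ts = line.split(",")
        events.append((user, action, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")))
    return events


def review_activity(events, hours=BUSINESS_HOURS):
    """Return login counts per user, after-hours logins, and logins with no matching logout."""
    logins = defaultdict(int)
    after_hours = []
    open_sessions = {}
    for user, action, ts in events:
        if action == "login":
            logins[user] += 1
            open_sessions[user] = ts
            if not (hours[0] <= ts.time() < hours[1]):
                after_hours.append((user, ts))
        elif action == "logout":
            open_sessions.pop(user, None)  # session closed normally
    return {"logins": dict(logins), "after_hours": after_hours, "no_logout": dict(open_sessions)}


if __name__ == "__main__":
    findings = review_activity(parse_log(SAMPLE_LOG))
    print("Logins per user:", findings["logins"])
    print("After-hours logins to review:", findings["after_hours"])
    print("Sessions never logged out (check automatic log-off):", findings["no_logout"])
```

Findings from a run like this, with the reviewer's comments, initials and date, are the documentation the activity review slide asks you to keep.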
Viewing User Logs
Audits
- Who will perform audits
- How often they will be completed
- What aspects of the system should be audited
- What will be done with the results of the audit