HITECH Meaningful Use

Mar 8
Posted by Ali in Uncategorized
 

HITECH’s Meaningful Use and Compliance
There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.

For instance, the Centers for Medicare & Medicaid Services (CMS) will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved. At the state level, State Medicaid administrators will also withhold meaningful use payment for any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy & Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve. For example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. However, these EHR initiatives are coupled with strong mandates for privacy and security compliance that must be addressed.

The Importance of Completing a Security Risk Analysis
According to Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), a security risk analysis is the basis of HIPAA compliance, so all organizations should be doing it (Healthcare Information Society, February 9, 2010). She further stated that a risk analysis is listed as the single requirement in the security area for achieving meaningful use of electronic health record technology (for the Medicare/Medicaid EHR incentive payment program) in the meaningful use notice of proposed rulemaking that just came out on December 30, 2009.

HIPAA Audit Preparedness
In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Specifically, the investigation includes a review of IAM processes related to:

• Establishing user access for new and existing employees
• List of secure authentication methods for users authorized to access EPHI
• Monitoring systems use – authorized and unauthorized
• Granting, approving, and monitoring systems access (for example, by level, role, and job function)
• Termination of systems access

Keep in mind that compliance mandates represent minimal capabilities that organizations must implement and manage proactively. HIPAA and HITECH are the floor and not the ceiling of core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, proactive and integrated.

        Copyright © 2010 Pabrai.com