EHR Security Risk Assessment Guide

EHR assessments, audits and risk assessments are vital for a few reasons.

The first reason is to ensure healthcare organizations maintain compliance with meaningful use guidelines.

For the uninitiated, meaningful use refers to minimum US government standards for electronic health records. These standards explain how all stakeholders in the healthcare chain, such as providers and insurance companies, should share patient data.

The primary intent of meaningful use is to boost collaboration and data exchange as well as support the development of robust systems.

Organizations that meet meaningful use guidelines can qualify for incentive payments under the Medicare EHR Incentive Program — designed to spur the transition to EHR by reimbursing some of the costs required.

However, healthcare organizations might be audited to ensure that they’ve met meaningful use guidelines. About a quarter of all audited organizations claiming incentive payments have failed their audit, mainly because they didn’t follow the guidelines to the spirit.

Another reason to conduct an EHR audit and risk assessment is to guard against data breaches and theft. The cost of a successful breach is estimated to be about $383 per record — this adds up to an astronomical amount when you consider that healthcare providers typically store thousands of patient records.


Further Reading

EHR Risk Management and Assessment Guide

If you’re claiming an EHR incentive payment under the meaningful use guidelines, then it’s possible that federal regulators may ask for proof of documentation to support your claim.

You must keep all supporting documents on file for a minimum of six years post-attestation. Here’s a checklist of things you may require to ensure you pass a meaningful use audit:

How to Conduct an EHR Security Risk Analysis

1. Nominate a Focal Person

Before you begin with your EHR audit documentation, it’s crucial that there be a single point of contact for all audit-related requests. That’s because you don’t want key information spilling through the cracks or miss deadlines because of a process issue.

2. Meaningful Use Registration

Once you sign up with the EHR Incentive Programs website, you should receive an email confirmation. Some providers might also get a physical letter in the mail. Be sure to hold on to this.

3. Final Cost Report

This report — filed under Form CMS-2552-10 — is a comprehensive overview of the costs incurred in transitioning to EHR reporting and forms the foundation of your meaningful use incentive payment.

final cost report

4. Certified EHR Technology (CEHRT)

Meaningful use incentive payments are only applicable for those healthcare providers that have signed up with an EHR vendor. As such, you must provide a signed vendor contract or service agreement as well as other supporting documentation — a vendor letter, for example.

5. CMS EHR Certification ID

You will find this number on the Office of the National Coordinator for Health Information Technology’s Certified Health IT Product List.

6. CEHRT Purchase Costs

Your EHR plan might involve a combination of a fixed one-time payment as well as ongoing maintenance and support. It’s important that you keep a record of all these payments.

7. Other Administrative Evidence

As a general rule of thumb, you should retain whatever documentary evidence you can to support your EHR audit claim. For example, you might want to maintain documentation that shows the percentage of patient encounters captured in the CEHRT as well as other files that testify compliance with HIPAA privacy and security rules.

Risk Assessment EHR Implementation

Another reason for an EHR audit and security risk assessment, as outlined at the start of this article, is to ensure data integrity and patient privacy. If your EHR system fails to achieve this, you might fall afoul of HIPAA guidelines and attract heavy penalties in the process.


Worried that Your Patient Data Might Be Exposed?

Get a confidential data security check-up from True North

[Request a Check-Up]


Here are three ways you can strive for robust data safeguards:

1. Regulate the Use of Mobile Devices

EHR systems are mostly cloud-based, which means they facilitate remote access and communication. This reality means employees tend to use personal devices such as laptops and mobile phones to access critical information.

For example, if employees access this data over an unsecured connection, such as a public WiFi network, then you run the risk of data pilferage and hacking.

All staff members authorized to view patient records must be trained to exercise caution and keep personal devices updated.

2. Prevent Staff Oversight

Security breaches are, more often than not, the result of preventable staff negligence.

If users forget to log out of the EHR system, for example, it creates an opportunity for unauthorized individuals to view patient-specific data. You must address this matter through internal security training.

Other possible ways of compromising patient data are if a staff member shares their login details or creates copies of sensitive information without a specific need for it.

3. Implement Security Safeguards

Your EHR systems must have access control levels firmly in place.

In other words, you must restrict this data to a need-to-know-only basis. A doctor looking to give a correct diagnosis can look at the data, but a billing assistant who only needs the patient’s home address, shouldn’t be allowed to scan all information willy-nilly.

Other safeguards include frequent system scans for data corruption and to detect the presence of viruses and malware.


When was the Last Time You Audited your EHR?

We’ll audit your EHR, fix every bug, secure your patient data, and cut your load times in half.

[Learn More]


Join Our Newsletter & Learn

Get our latest content delivered to your inbox.

Speak to an IT Expert

Book a Complimentary 30 Minute Consultation