Got your EHR check? Better have your HIPAA Risk Analysis too.

Money and Medicine

In a discussion last week I realized I had not written a blog article on this topic. We talk with people about it all the time but somehow it flew under the radar of this blog. Until now, that is.

If you have received your EHR Incentive Payments for Meaningful Use Stage 1, then you had to attest to the core measure "Protect Electronic Health Information". In current lists it is Core Measure 14; previously it was 15.

The measure explicitly references the HIPAA Risk Analysis requirement at 45 CFR 164.308(a)(1), the Security Management Process standard whose first implementation specification is Risk Analysis. I have discussed the requirements of a proper Risk Analysis before in this blog. The first requirement listed in the Security Rule is to perform a detailed Security Risk Analysis. It is also the number one thing OCR has determined is NOT being done by Covered Entities. Based on findings in the pilot audit program, as well as the resolution agreements it has reached after investigations, OCR staff continue to encourage entities to perform a proper Risk Analysis as soon as possible.

If you have your money, then you have attested that you performed the Risk Analysis within the past year. However, current information shows that most providers, particularly smaller ones, have not performed a Risk Analysis recently, if at all.

So, either you attested "Yes" to something you haven't done, or you are beating the odds and have your recent Risk Analysis in hand. Which one is it?

Filed under: HIPAA