As part of the HIPAA Security Rule, a risk analysis is required. The Office for Civil Rights (OCR) is responsible for issuing guidance on the "most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI)." Set forth in 45 C.F.R. § 164.308(a)(1)(ii)(A), the risk analysis forms the foundation of an organization’s ability to comply with and implement the requisite standards. This required analysis, which should be conducted both internally and with external contracting entities, mandates that organizations, "[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is significant for multiple reasons; in particular, failing to fully vet a vendor may have significant financial consequences.
For example, on April 25, 2013, HHS announced that the certification for two EHR products had been revoked. "EHRMagic-Ambulatory and EHRMagic-Inpatient, both developed by EHRMagic Inc. of Santa Fe Springs, Calif., no longer meet the EHR certification requirements. The EHRs must be certified by a certification body (ACB) authorized by the Office of the National Coordinator for Health IT (ONC) before regaining certification." HHS further explained:
Both ONC and an ONC ACB, InfoGard Laboratories Inc. (InfoGard), received notifications that the EHRMagic products did not meet the required functionality and the products should not have passed certification. InfoGard analyzed the additional information from the notification and contacted EHRMagic, launching the ONC authorized certification body required surveillance activities. InfoGard concluded that it was necessary for the EHR products to be retested for select requirements. EHRMagic, Inc. participated in retesting and failed.
The ONC was formed to promulgate a defined process to "ensure that EHR technologies meet the adopted standards and certification criteria to help providers and hospitals achieve meaningful use objectives and measures established by the CMS." Certified EHR technology is a prerequisite for receiving payments under the Medicare and Medicaid EHR Incentive Programs. In turn, non-compliance can adversely impact an organization’s bottom line, and may potentially preclude it from participating in Medicare and Medicaid.
Therefore, by conducting a risk analysis on a regular basis, organizations not only mitigate the risks of non-compliance with HIPAA, but also provide protections to their patients’ protected health information.