Meaningful Use Security Risk Analysis: 6 Areas to Review

June 18, 2014
Avery Hurt

The Stage 2 rules of meaningful use call for a security risk analysis of your practice. Here are some common sources of data loss to examine.

CMS has made it very clear that the onus for protecting the confidentiality of patient data is not on EHR vendors, but squarely on physicians and their practices. Fortunately, a great deal of that responsibility calls for old-fashioned common sense.

In addition to reviewing your HIPAA compliance documents and making sure that you are abiding by any state-specific privacy regulations (which you did when attesting to the Stage 1 rules of meaningful use), Stage 2 requires that you conduct a security risk analysis of your practice. The obvious first step is to apply any necessary upgrades to your software. After that, you'll need to take a look at the many other ways patient privacy can be breached. Take a tour of your practice looking for places, both high- and low-tech, where patient data might leak.

Here are some common sources of data loss:

• Portable devices. "One of the most common breaches of personal data occurs when a portable device - a laptop, smartphone, PDA - is lost and the data on it is not encrypted," said Daniel W. Berger, president and CEO of Redspin, a provider of security audits for hospitals and medical practices. Make sure that all patient data is encrypted no matter what kind of device it is on. Under the HIPAA breach notification rule, protected health information that was encrypted in line with HHS guidance is treated as secured, so losing an encrypted device does not by itself trigger the notification obligations that losing an unencrypted one does.

• Sightlines. Make sure that the monitors at all reception-area workstations are angled so that the screens can't be read by people standing in line.

• PC desktops. Make sure that employees lock their screens when they step away from their workstation. Even if there is no patient information on screen, a few clicks on an unlocked desktop could reveal both sensitive information and possibly passwords or logins.

• Paper. Yes, even paper destined for the shredder. Bins of paper waiting to be shredded are another source of breaches. Either shred it immediately, or place it in a covered, locked container.

• Fax machines. "Another common security breach occurs when patient data is faxed to the wrong number," Berger said. It is also easy to send e-mail to the wrong recipient. "It can take only one keystroke to send private information to the wrong place," Berger added. Slow down and pay attention when sending patient information.

• Children. No, they aren't likely to hack your systems, but keeping their data private can be trickier than with adults. "State regulations vary about who can access the medical records of patients younger than 18 [years of age]," said Fletcher Lance, vice president and national healthcare leader at consulting firm North Highland. Here's a place where common sense may not be enough. Be sure you know both the federal rules and your state's rules on this.

In addition to meeting meaningful use and HIPAA requirements, being vigilant about protecting the privacy of your patients is just good medical practice. "Violating a patient's privacy is the surest way to lose that patient's trust," said Berger.