DEPARTMENTS: Practice Points
In my previous column, Meaningful Use Audit Checklist, we discussed the resources necessary for a successful attestation process. Although the column offers important information to support the Meaningful Use Audit Process, it is also a reminder that the documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for 6 years after attestation.
One of the target objectives included in the audit process is Protecting Electronic Health Information. The audit validation for Protecting Electronic Health Information should support that a security risk analysis of the certified electronic health record technology was performed prior to the end of the reporting period. Your supporting documentation should include a report that documents the procedures performed during the analysis and the results. Reports should be dated prior to the end of the reporting period and should include evidence to support that they were generated for that provider’s system. The information shared below is excerpted from the Centers for Medicare & Medicaid Services’ Security Risk Analysis Tipsheet: Protecting Patients’ Health Information.1 Additional information to support this work can be found within the Guide to Privacy and Security of Health Information.2
The following table illustrates examples of safeguards and processes you might incorporate to mitigate security risks to your practice. These are only examples and should not be used as a comprehensive guide for mitigating security risks. You should integrate reasonable and appropriate administrative, physical, and technical safeguards that are tailored to the size and complexity of your practice.