
More Than 60% of US Hospitals Ready to Meet Stage 2 Meaningful Use in 2014

According to the Institute for Operations Research and the Management Sciences (INFORMS), analytics is the scientific process of transforming data into insight for making informed decisions. The HIMSS Analytics Report released September 18, 2013 noted that approximately 68% of hospitals that bought EHR software through June of this year purchased from a certified vendor that "fit" the 2014 Edition certification criteria. The report was produced by the not-for-profit Healthcare Information and Management Systems Society (HIMSS).

Highlights of the report:

  • At least 60% of hospitals in the sample have met the requirements for at least nine of the core metrics that define Stage 2 Meaningful Use
  • 70% of respondents, across all metrics, are actively moving toward meeting Stage 2 Meaningful Use requirements
  • The findings suggest the industry is moving toward Stage 2 Meaningful Use and that hospitals will be ready to begin attesting in 2014
  • Research was based on 418 hospitals that provided data from January through June of 2013

Meaningful Use and Risk Analysis

To qualify for Meaningful Use incentives, CMS identified a core set of 14 Meaningful Use objectives on which eligible hospitals (EHs) must focus, and 15 core Meaningful Use objectives on which eligible professionals (EPs) must focus, to receive the incentive funds provided through the new CMS Medicare and Medicaid incentive program. Additionally, EHs and EPs must also meet five of 10 menu set objectives to qualify for incentive funds.

An Eligible Hospital (EH) must attest to all 14 Core Measures of the Meaningful Use Stage 1 requirements in order to qualify for stimulus money. Core Measure #14 requires that organizations complete a series of activities, both initial and follow-on. It is important to note that there is no exclusion from Core Measure #14; that is, it is not an optional or excludable component of the attestation. To meet this measure, eligible professionals (EPs) must attest "Yes" to having conducted or reviewed a risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implemented security updates as necessary, and corrected identified security deficiencies prior to or during the EHR reporting period. It is worth noting that Stage 2's requirements continue to reinforce the importance of Privacy and Security by requiring encryption. All providers must achieve meaningful use under the Stage 1 criteria before moving to Stage 2.

Risk analysis is an area that organizations must ensure they take into consideration. Without undergoing this process, and then using its outcomes to adjust the controls in use and to modify policies and procedures, organizations will not qualify for the Meaningful Use incentives.

Contact RISC Management and Consulting to learn more about our Meaningful Use services and Attestation: http://www.riscsecurity.com/

For more details, visit the HIMSS Analytics page and download the entire report: http://www.himss.org/News/NewsDetail.aspx?ItemNumber=22376

Click here for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs Stage 2 Toolkit: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage2_Toolkit_EHR_0313.pdf


Small healthcare provider pays huge security fine after the theft of an unencrypted laptop

If you think your organization is too small to attract the attention of the U.S. Department of Health and Human Services, think twice.
The department recently settled a security dispute with a hospice in Idaho for $50,000. The potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 involved a data breach of health information affecting 441 patients.

The Hospice of North Idaho agreed to pay $50,000 to settle potential violations after an unencrypted laptop computer containing the electronic protected health information of the patients was stolen in June 2010.

Field workers for the hospice use laptops containing patient information as a regular component of their workflow. An investigation by the Department of Health and Human Services' Office for Civil Rights revealed that the hospice had not conducted a risk analysis to safeguard the electronic patient information and did not have policies or procedures to address mobile device security. The lack of a risk analysis has become a regular theme in the publicly available settlement agreements published by the OCR.

The HIPAA Security Rule and the HITECH Act data breach requirements mandate the existence of policies and the reporting of inappropriate or unauthorized access to PHI or ePHI, known as breaches. The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of the protected health information of 500 or more individuals to the government and the media within 60 days after the discovery of the breach, or after the date the breach should have been discovered. Smaller breaches, affecting fewer than 500 individuals, must be reported to the Secretary of Health and Human Services on an annual basis.

"This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," Office for Civil Rights Director Leon Rodriguez said in a press release from the Department of Health and Human Services. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable." RISC Management's stance on encryption is that implementation has become easy enough, and cost has been reduced enough, that choosing not to implement encryption is difficult to justify. With the exception of "legacy systems" that were developed long before data encryption was readily available, there are few relational database platforms or operating systems that do not support encryption today. And even for those systems, there are third-party applications and technologies that can implement encryption in a manner that both provides safe harbor and does not require the rewriting of legacy applications.

The Idaho hospice has taken steps to remedy its compliance since the 2010 theft.

The Department of Health and Human Services provides tips for physicians, health care providers and other healthcare professionals who use smartphones, laptops and tablets in their work at http://www.HealthIT.gov/mobiledevices.

RISC Management and Consulting can help assess your encryption capabilities, identify supported encryption options, and assist you in implementing standards-based encryption that may provide safe harbor under the HITECH rules.