Faith At Law, LLC

A Brief History of HIPAA, ARRA and "Meaningful Use"

A brief history lesson:

  • In 1996, HIPAA empowered the Secretary of Health and Human Services (HHS) to issue regulations that would address the privacy and security of health data.
  • In 1998, HHS issued its first draft of the regulations implementing administrative, technical and physical safeguard requirements for electronic protected health information.
  • In 2003, HHS issued its final security regulations, which gave about two years for covered entities to come into compliance.
  • In 2005, HHS promulgated enforcement regulations, giving CMS authority to audit covered entities for security regulations compliance.
  • In 2009, ARRA expanded applicability of the security regulations to business associates of covered entities.
  • At the end of 2009, HHS issued draft regulations to define “meaningful use” within the context of ARRA. Among the proposed requirements for Stage 1 of meaningful use is compliance with the security regulations, specifically performing a risk assessment as required by section 164.308(a)(1) of the security regulations and implementing appropriate mitigations. This meaningful use requirement appears in the draft regulations at section 495.6(c)(17).
  • Starting in 2011, providers that can demonstrate Stage 1 “meaningful use” of a certified electronic health records system become eligible for incentive payments under the Medicare or Medicaid program.

HHS is then supposed to issue regulations defining Stage 2 and Stage 3 “meaningful use,” which go beyond (and likely build on top of) the final requirements for Stage 1 compliance. Providers will need to demonstrate compliance with these additional requirements to receive further incentive payments under ARRA.

So, providers were supposed to be able to produce risk assessments for their information systems starting no later than 2005, and if audited, a failure to perform and document regular risk assessments could result in fines (which ARRA also raised in 2009). By 2011 (assuming this requirement survives into the final “meaningful use” regulation), providers will need to perform a risk assessment and demonstrate compliance with the risk assessment requirement in the HIPAA security regulation in order to receive incentive payments for EHR adoption and use.

“Risk Assessment”

The HIPAA security regulations provide two implementation requirements for risk assessments:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

§ 164.308(a)(1)(ii).

If you want to learn more about how to perform a risk assessment of your systems, check out a prior newsletter (volume 1, issue 5) here.
