The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provide financial incentives for the "meaningful use" of certified EHR systems and technologies to achieve health and efficiency goals.

Nowadays, hospitals are scrambling to comply with the “meaningful use” requirements through the implementation of EHR systems and certified EHR technologies. These new EHR systems will reduce errors and increase the availability of records and data. They will also provide the functionality of reminders and alerts, clinical decision support, and e-prescribing/refill automation.

The American Recovery and Reinvestment Act of 2009 allows hospitals to qualify for incentive payments if the following requirements are met:

Medicare EHR Incentive Program – demonstrate “meaningful use” of certified electronic health record technology every year of participation.

Medicaid EHR Incentive Program – adopt, implement, upgrade or demonstrate “meaningful use” in both the first year and all subsequent years of participation.

At Turner and Associates, Inc., we see the biggest pitfall most hospitals are currently having is with Measure 14 of the “Meaningful Use Core Measures”. Measure 14 mandates that hospitals conduct a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct security deficiencies identified as part of its risk management process. Most hospitals’ IT staff members do not have the expertise or tools needed to accurately perform a Measure 14 Risk Analysis.

Completing a Risk Analysis is the first step in a hospital's 'Security Rule' compliance efforts. A Risk Analysis is also an ongoing process that should provide hospitals with a detailed understanding of the risks to the confidentiality, integrity, and availability of EHRs.

At Turner and Associates, Inc., we are experts in assisting hospitals with Measure 14. We use the following two-phase approach to ensure hospitals are compliant with Measure 14 (Risk Analysis):

1) Electronic Personal Health Information (ePHI) Discovery – We identify all network devices where rogue ePHI is being stored. The discovery phase will be broken down into the following sub-phases:

     I. Network Diagram Review – We will review the hospital’s entire network diagram with IT staff members to determine where all ePHI should be located throughout the entire network. Devices where known ePHI is being stored securely and in accordance with the hospital’s formal policies will not be included in this phase of the engagement.

     II. Target Enumeration – We will sweep the entire network to locate, identify, and document each of the remaining network devices (workstations, servers, etc.) within the scope of our engagement.

     III. Remote Credentialed Scanning – We will perform a remote credentialed scan against every target identified in our ‘Target Enumeration’ phase. Our scan will be configured to locate multiple types of personally identifiable information (PII) and electronic personal health information (ePHI).

     IV. Reporting – We will provide a detailed report that identifies all network devices in scope along with file locations within each device where ePHI is being stored.

2) Security Risk Analysis – Examine the potential risks and vulnerabilities to the confidentiality, availability, and integrity of the hospital’s EHR systems that create, receive, maintain, or transmit ePHI. Our examination will be completed through a combination of interviews, review of policies, procedures, and other related documentation, and physical observations while onsite.

Thereafter, we will develop a Risk-based Matrix to show compliance with the “meaningful use” requirements identified in Measure 14 and recommend practical cost-effective solutions to any identified gaps.
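The ‘Remote Credentialed Scanning’ and ‘Reporting’ sub-phases of the discovery approach above, as an added Python example that is not part of the original page and not Turner and Associates’ own tooling: a small file-content scanner that walks a share or local drive, looks for a few ePHI indicators (SSN-shaped numbers, MRN labels, date-of-birth labels, ICD-10 codes), and reports which indicators appear in which file. The regexes, the text-file extensions, and the sample directory tree are constructed assumptions for illustration; a real engagement would tune the patterns to the hospital’s own identifier formats. The report records only the kind and count of each indicator, never the matched value, so the scan output does not itself become a new copy of ePHI.

```python
import os
import re
import tempfile
from collections import Counter

# Illustrative ePHI/PII indicators (constructed for this example). A real
# discovery scan would be tuned to the hospital's own MRN length, account
# number layout, and the forms its clinical systems actually export.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "diagnosis_code": re.compile(r"\bICD-?10[:\s]+[A-TV-Z]\d{2}(?:\.\d{1,4})?\b", re.IGNORECASE),
}

# Only plain-text formats are read; binaries and office documents would need
# their own extractors (assumption: out of scope for this example).
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".hl7"}


def scan_file(path):
    """Return a Counter of indicator-name -> hit count for one file."""
    hits = Counter()
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                for name, pattern in PHI_PATTERNS.items():
                    n = len(pattern.findall(line))
                    if n:
                        hits[name] += n
    except OSError:
        pass  # unreadable file: skipped, a real report would log it
    return hits


def scan_tree(root):
    """Walk a directory tree and report, per file, which ePHI indicators it holds.

    Files with no hits are omitted. Paths are reported relative to the scan root
    with forward slashes so the report is stable across platforms.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = dict(hits)
    return findings


def build_sample_tree():
    """Create a constructed directory tree standing in for a workstation share."""
    root = tempfile.mkdtemp(prefix="ephi-demo-")
    samples = {
        # constructed sample content; none of these values are real
        "exports/discharge_2011.csv": "MRN: 00123456, DOB: 04/12/1961, ICD-10: E11.9\n",
        "scratch/notes.txt": "Called patient back re: SSN 123-45-6789 for billing.\n",
        "scratch/todo.txt": "Order more toner for the 3rd-floor printer.\n",
        "bin/app.exe": "MRN 99999999 inside a binary is not scanned\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel_path, counts in sorted(scan_tree(demo_root).items()):
        summary = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
        print(f"{rel_path}: {summary}")
```

Run against the constructed tree, the scanner flags `exports/discharge_2011.csv` (MRN, DOB and diagnosis code) and `scratch/notes.txt` (SSN) while ignoring the toner note and the binary. Storing only counts and locations is what makes the resulting report safe to hand to IT staff as the device-and-file-location inventory the Reporting sub-phase describes.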