How do Meaningful Use requirements overlap with HIPAA compliance requirements?

Tod Ferran, Security Analyst, CISSP, QSA
By: Tod Ferran
Can you tell the difference between HIPAA and Meaningful Use regulations? You’re not the only one struggling with the answer to this question. Many healthcare professionals don’t completely understand how the specific requirements of HIPAA and Meaningful Use relate. For example, did you know that your HIPAA risk analysis may cover your Meaningful Use risk analysis, but not the other way around? I promise to try and resolve your questions about the relationship between Meaningful Use and HIPAA in this blog post.

If you’d like a more comprehensive dive into the relationship between Meaningful Use and HIPAA, watch this recorded presentation.



Let me quickly answer some common questions healthcare providers have about Meaningful Use and HIPAA.

First, let’s talk about Meaningful Use attestation vs. HIPAA compliance:

Will Meaningful Use attestation count for HIPAA compliance? NO.
Meaningful Use only focuses on your EHR system, while HIPAA is concerned with the entire patient data process. There are many additional aspects required for full HIPAA compliance, and as a note, using a cloud-based EHR does not absolve you of HIPAA requirements.

Will HIPAA compliance count for Meaningful Use attestation? NO.
Both HIPAA and Meaningful Use are concerned with identifying potential security risks. Both require a risk analysis. But the similarities end there. In reality, the overlap between the two is pretty small.

Now let’s talk about your risk analysis:

Will my HIPAA risk analysis cover my Meaningful Use risk analysis? YES.

As long as you’ve done a ‘complete and thorough’ job on your HIPAA risk analysis, it should cover your Meaningful Use risk analysis. If your HIPAA risk analysis is not complete and thorough, not only will it fail your Meaningful Use risk analysis, but will also not be an acceptable HIPAA risk analysis. It’s nearly impossible to perform a proper ‘complete and thorough’ HIPAA risk analysis without some outside security assistance.

Will my Meaningful Use risk analysis cover my HIPAA risk analysis? NO.
Meaningful Use only focuses on your EHR system, while HIPAA is concerned with your entire patient data process. A Meaningful Use risk analysis would only cover a very small part of a HIPAA risk analysis. We’ll discuss this in more detail later.

SEE ALSO: The Most Common Questions About HIPAA, Answered

Similarities between HIPAA and Meaningful Use

Both HIPAA and Meaningful Use require you to correct security problems as part of your risk management process. Both also require a risk analysis and Risk Management Plan. A risk analysis helps you measure, rank, and prioritize risks to your protected health information (PHI), while a Risk Management Plan works through the issues discovered in the risk analysis, and documents that you acknowledge and are working to correct those risks.

Need help with your risk analysis or risk management plan?

When the HHS comes in to do a HIPAA audit or investigation, if you have completed a risk analysis and show demonstrable progress on your Risk Management Plan, they go a lot easier on you.

SEE ALSO: What to Expect with Upcoming HHS Audits

Differences between HIPAA and Meaningful Use

A Meaningful Use risk analysis is:
  • Only concerned with risk of your EHR
  • Only required for those participating in Meaningful Use
  • Only updated twice (Stage 1 and Stage 2 reporting, so far)
A HIPAA risk analysis is:
  • Concerned with the risks of the entire PHI environment (that means the EHR, email encryption, electronic records, paper records, Internet, business associates, servers, workstations, physical security, intake procedures, etc.)
  • Required of all covered entities and business associates
  • Reviewed and updated on a periodic basis (typically annually)

Synopsis

Meaningful Use and HIPAA are distinctly separate requirements that aren’t that similar after all.
Not only is HIPAA compliance required, but it is also considered security best practice throughout the healthcare industry. If you already have a HIPAA compliance program, congratulations! Your risk analysis (if completed) may be a core requirement of Meaningful Use! If you haven’t started on HIPAA compliance yet, this is a great time to start a HIPAA program and kill two birds with one stone!

Want help starting your HIPAA program?

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.