Using Certified HIPAA Software for Security Risk Assessments

February 17, 2014

For eligible professionals and hospitals to be considered for EHR incentive funds, they must adopt technology that meets requirements set forth by the U.S. Department of Health and Human Services (HHS). A large proportion of the functional capacity that software packages need for certification relates to the ability to identify and mitigate current risks, as well as the ability to predict potential future risks.

While HHS permits the use of different modules or components from different vendors, provided each system drawn from is certified, most experts believe that it is better to use a single, comprehensive certified software package. It is not enough to ensure that the selected technology is capable of handling the numerous HIPAA security requirements. It is also crucial that all key personnel are able to demonstrate the ability to use the system to complete tasks that show proficiency in managing the risk assessment and remediation process, as specified during an audit.

The software package you adopt should not be chosen just because it is accepted as the most sophisticated system on the market. A software solution that can maintain HIPAA compliance, demonstrate Meaningful Use, and even satisfy Omnibus will be your most effective solution. If key personnel can’t determine how to use it, or do not use it on a regular basis, not even the most advanced software program will save your organization from huge fines. Sometimes organizations provide necessary training regarding risk analysis when a new software system is put in place.

All key personnel must not only understand HIPAA/HITECH security obligations in regard to EHRs but must also be capable of carrying out and explaining data-related tasks appropriate to their role. This will make regularly scheduled risk assessments less of a burden to all involved. Informing personnel across the organization about the risks and vulnerabilities identified, along with timely updates on changes to HIPAA requirements, will help all concerned determine anything that may be lacking in the current security plan.

The Office of the National Coordinator for Health IT maintains a webpage listing certified software programs approved for creation and use of EHRs. It doesn’t take long to check a system against this list before purchasing it, and this can prevent major headaches down the road.