Scottsdale, AZ (PRWEB) March 9, 2010
Under the American Recovery and Reinvestment Act (ARRA), hospitals and physicians can receive $19 billion in subsidies over five years for making “meaningful use” of certified Electronic Medical Record (EMR) systems. Under the Stage 1 draft guidelines published in the Federal Register on Jan 13, 2010, “meaningful use” involves 22 transactional standards and item 23, a security standard. Item 23 requires that hospitals and Eligible Professionals “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.” Stage 3 compliance, required in 2015, is expected to require full compliance with the HIPAA Security Rule to continue to receive funds. Compliance with the transactional standards is available from a variety of EMR vendors. Few if any offer qualifying risk assessment services, much less full HIPAA Security Rule compliance.
To meet the item 23 meaningful use requirements, a consortium has been created that includes compliance consultant ACR 2 Solutions, SCAP scanning vendor Lumension and security consultant NWN. Together with their strategic partners ThreatGuard and Centurion Group, the consortium members provide hospitals and physicians with bundled services ranging from Stage 1 initial risk assessment to full HIPAA Security Rule compliance, including real-time monitoring of business associate security and Unified Compliance Framework tracking of policies and procedures.
Compliance with 45 CFR part 164, the HIPAA Security Rule, is summarized in Special Publication 800-66 from the National Institute of Standards and Technology (NIST). Full compliance involves application of a variety of policies, procedures and safeguards, including vulnerability scanning using technology developed under Homeland Security sponsorship in the Security Content Automation Program (SCAP). ACR 2 risk assessment software, first publicly demonstrated at the 2007 CyberCrime conference in Kennesaw, GA, uses SCAP validated scan results to produce real-time risk monitoring.
Initial risk assessments, including SCAP scanning of selected workstations, can be completed in 3-4 hours at a cost of less than $2,000 per location. The risk assessment, combined with implementation of initial safeguards as recommended by the risk assessment Gap report, meets or exceeds the item 23 requirements for Stage 1 meaningful use. First year payments for EPs are $18,000 per physician, while first year payments for hospitals begin at $2,000,000.
A recent joint project in upstate New York utilized Lumension SCAP scanning and ACR risk assessment software to bring a group of four hospitals into item 23 meaningful use compliance. Jana Grose, CIO (Chief Information Officer) of Massena Memorial, is the client-side project manager for the hospital group. She states, “When I first saw this product, I instantly realized the potential this solution provided. This software tool gives me a total readout of what I need to do as a hospital CIO so that I may run my department more effectively and ultimately better serve the patients of the North Country.” Jana has over twenty years of experience in Healthcare Information Technology and won Hospital and Health Network Magazine's “Most Wired” award in 2007. A similar project for Eligible Professionals is under review by the 160 members of the North Country Physicians Organization, PLLC, under the direction of its administrator, Joel S. Duhl.
More information on the initial Stage 1 Meaningful Use item 23 package for hospitals is available on the ACR 2 Solutions website. A downloadable brochure and order form are available on the ACR 2 website or may be obtained by email to Sales(at)acr2solutions(dot)com.
About ACR 2 Solutions: The company specializes in the growing information security and compliance market, focusing on risk assessment and management for regulatory compliance with federal laws including GLBA, HIPAA, FISMA and the payment card industry requirement of PCI DSS. ACR2 offers automated security risk assessment solutions helping companies meet federal compliance requirements for monitoring and reporting.