Guest Post: Meaningful Use and HIPAA

John’s Note: One of the requests I got in the recent survey I did was to cover more details of HIPAA. So, I’m glad to have John Brewer (yes, another John) providing some guest posts on the subject.

Do they go together like peanut butter and jelly?  Cookies and milk?

Nothing quite as good as these…but they do go together…now.

HIPAA has been around for some time.  Many argue that HIPAA has no “teeth”.  Sure it has big fines…but when’s the last time you heard of a physician getting fined for a HIPAA violation?

In steps Meaningful Use.

Buried in the details of the Stage 1 Core Objectives is a single measure with the seemingly innocuous wording “Conduct a risk analysis per 45 CFR 164.308(a)(1)”.

A risk analysis seems simple enough…right?

Dig a little deeper and you’ll see something a bit more unpleasant.  164.308(a)(1) is the Security Management Process standard, and all four of its implementation specifications are marked “Required”:

  • Risk analysis – clear enough…
  • Risk management – with reference to 164.306(a) – Uh oh…
  • Sanction policy
  • Information System Activity Review

Whew…now it is starting to get ugly.  Where shall we start?

As usual, I like to go from easiest to most difficult.

The easiest thing to tackle here is the Information System Activity Review.

This is a mouthful, but the specification itself is short: implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.  Your shiny new Meaningful Use certified EHR will have an audit report that covers the “records” part of this requirement.  The regular, documented review of that report is still on you, so put it on a calendar and keep a record of each review.

In order for this report to show information that is useful, you need to ensure you have set up the users in your EHR in the correct way.

By this I mean:

  • Each user must have their own login.  A shared “front desk” login means the activity report can’t tell you which person opened a chart, which makes the review worthless.
  • Each user must only have access to the areas of the EHR that are appropriate for their position.
    • By this I mean, the front desk “receptionist” should only have access to the calendar section of the EHR, whereas a nurse would have full medical record access.  Once the roles are set this way, anything in the activity report that falls outside a user’s role is exactly what the review should catch.
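To show what the activity review and the user-setup rules above look like when you actually run them against an audit export, here is an added example (mine, not the post’s and not any EHR vendor’s code).  It assumes a hypothetical role-to-section matrix, a hypothetical user list, and a constructed CSV audit export with a workstation column; real EHR exports will name their columns and sections differently, so map them before use.  It flags events outside a user’s role, events from logins that are not in the user directory, and logins that hop between workstations fast enough to look shared.

```python
"""Information System Activity Review helper (added example, not vendor code).

Parses a constructed EHR audit export, checks each event against a
hypothetical role-to-section matrix, summarises activity per login,
and flags logins that appear to be shared between workstations.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: which EHR sections each job role may touch.  Roles and section
# names are made up for this example; substitute your EHR's own.
ROLE_SECTIONS = {
    "receptionist": {"calendar"},
    "nurse": {"calendar", "chart", "medications", "labs"},
    "physician": {"calendar", "chart", "medications", "labs", "orders"},
}

# Assumption: user directory export, login -> role.
USERS = {
    "jdoe": "receptionist",
    "rnsmith": "nurse",
    "drlee": "physician",
    "frontdesk": "receptionist",
}

# Constructed audit export: timestamp,login,workstation,section,action,patient
SAMPLE_AUDIT = """\
timestamp,login,workstation,section,action,patient
2011-03-01T08:02:11,jdoe,WS-FRONT1,calendar,view,-
2011-03-01T08:05:30,jdoe,WS-FRONT1,chart,view,P1001
2011-03-01T08:15:40,rnsmith,WS-NURSE2,chart,view,P1001
2011-03-01T08:16:02,rnsmith,WS-NURSE2,medications,update,P1001
2011-03-01T08:20:10,drlee,WS-EXAM3,orders,create,P1001
2011-03-01T08:21:00,frontdesk,WS-FRONT1,calendar,view,-
2011-03-01T08:22:30,frontdesk,WS-FRONT2,calendar,update,-
2011-03-01T09:40:00,ghost,WS-EXAM3,chart,view,P1002
"""


def parse_audit(text):
    """Parse the CSV export into a list of dicts, adding a datetime under 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def out_of_role_access(events, users=USERS, role_sections=ROLE_SECTIONS):
    """Events whose login is unknown or touched a section its role may not."""
    findings = []
    for e in events:
        role = users.get(e["login"])
        if role is None:
            findings.append((e["timestamp"], e["login"], e["section"], "unknown login"))
        elif e["section"] not in role_sections[role]:
            findings.append((e["timestamp"], e["login"], e["section"],
                             f"not permitted for role {role}"))
    return findings


def activity_summary(events):
    """Per-login count of (section, action) pairs: the body of the review report."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["login"]][(e["section"], e["action"])] += 1
    return summary


def suspected_shared_logins(events, window=timedelta(minutes=5)):
    """Logins used from two different workstations within `window` of each other.

    A login that changes workstation that quickly is usually shared between
    people, which defeats attribution and therefore the whole review.
    """
    by_login = defaultdict(list)
    for e in events:
        by_login[e["login"]].append(e)
    flagged = set()
    for login, evs in by_login.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["workstation"] != b["workstation"] and b["ts"] - a["ts"] <= window:
                flagged.add(login)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for finding in out_of_role_access(evs):
        print("OUT OF ROLE:", finding)
    print("SUSPECTED SHARED LOGINS:", suspected_shared_logins(evs))
    for login, counts in activity_summary(evs).items():
        print(login, dict(counts))
```

On the constructed data this reports the receptionist opening a chart, an event from a login that is not in the user directory, and the “frontdesk” account being used from two workstations ninety seconds apart.  Those three findings are the kind of thing a monthly review should produce and that you should be able to explain, or fix, in writing.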

Next time we’ll attack the Sanction Policy.

John Brewer is the founder of  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Interesting, thank you for posting. I can’t get this “self certification” thing out of my head, so who is supposed to do these reviews? The term “Information System Architecture Review” makes even my head spin, does that mean I have to have “faith” in what my EMR vendor tells me?

  • Mark,
    I’ll invite John Brewer to comment as well. Pretty much all of HIPAA is self-certification. So, that’s not really anything new.

    I don’t think you have to have complete faith in what your EMR vendor tells you. You can run their audit reports and see if it’s tracking all of the activity that’s being done on the system. I did this with my EMR vendor. I performed a bunch of tasks and then checked on the audit reports to see if it tracked all of the things that I’d done. Turns out they didn’t track a few of the things that I thought they should track. So, I requested that they add in those things to the audit logs.

  • @Mark, the “other” John here.

    Spinning head is actually what HIPAA means in Latin.

    Ok, maybe not, but your response is very normal.

    The challenge HIPAA creates is exponential in that it requires one to be able to interpret federal-regulation-speak AND have a solid understanding of technology.

    First, to clarify, MU ends up requiring an “Information System Activity Review”. This is quite different than an architecture review. This activity review should be a standard report in a CCHIT MU certified EHR, hence it shouldn’t be a big deal.

    The faith you must have in your vendor will be variable.

    As one with high expectations, I tend to be disappointed with what most EHR vendors offer in their system when it comes to reporting, etc.

    Hence, I feel an EHR vendor should have a report that will show the activity of each user within the system over a given period. Many EHRs have this, but I’m sure not all do.

    In order for a report like this to be of value, though, you have to ensure you (your staff) are using the system as intended.

    Refer to the last portion of my post to see what I mean.

    If you still have butterflies in your stomach, feel free to contact me and I’ll see what I can do to help.

  • Thank you for this blog and all the good information you share which is very credible and practical. My question is, do you know of any EHR vendors (Certified) that have experience with Radiology practices? Thank you. Cathy

  • Cathy,
    Thanks for coming by and I’m glad to hear you like the blog and find it credible and practical. That’s our goal.

    How do you define experience with Radiology practices? Do you mean an EHR for a radiology practice or do you mean an EHR that interfaces with radiology?
