Protect Electronic Health Information Core Objective

EHR CMS logo

The following is email communication from CMS.

*The security risk analysis must be completed prior to attestation. Review FAQ #10754, and learn more about this meaningful use requirement below.

If you are a provider participating in the EHR Incentive Programs, conducting or reviewing a security risk analysis is required to meet Stage 1 and Stage 2 of meaningful use. This meaningful use objective complements, but does not impose new or expanded requirements on the HIPAA Security Rule.

How This Objective Improves Care
Security risk analysis doesn’t just help your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards; this ongoing process also helps reveal areas where your organization’s electronic protected health information (e-PHI) could be at risk. Meeting this objective can help you avoid and address common security gaps that lead to cyber-attack or data loss, which helps protect your practice, information, technology, and the people you serve.

New CMS Guidance for When to Complete a Security Risk Analysis
A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the EHR reporting year and no later than the date the provider submits their attestation for that EHR reporting period.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st of the EHR reporting year and no later than the date the eligible professional submits the attestation for that EHR reporting period. For more information, read the updated FAQ.

Please note:

  • Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
  • In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

Resources for Security Risk Analysis
To help providers understand what’s required to meet this core objective, CMS has a Security Risk Analysis Tipsheet available on the Educational Resources page that includes:

  • Steps for conducting a security risk analysis
  • How to create an action plan
  • Security areas to consider and potential courses of action
  • Myths and facts about conducting or reviewing a security risk analysis

This information is also available as an intermediate level resource on eHealth University.

Providers in small-to-medium sized offices may also use ONC’s Security Risk Assessment (SRA) tool to conduct risk assessments of their organizations. The tool also produces a report that can be provided to auditors. A User Guide and Tutorial video are available to help providers use the tool.

Want more information about the EHR Incentive Programs?
Make sure to visit the Medicare and Medicaid EHR Incentive Programs website for the latest news and updates on the EHR Incentive Programs.