All Eligible Professionals will be required to respond to this Stage 3 Meaningful Use Objective – Protect Patient Health Information.
Objective: Protect electronic protected health information (ePHI) created or maintained by the certified electronic health record technology (CEHRT) through the implementation of appropriate technical, administrative, and physical safeguards.
Measure: Annually Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider’s risk management process. This must be completed for each program year (between January 1 and December 31).
Exclusion: No Exclusion is allowed for this Stage 3 objective
Attestation Requirement: Yes/No Response
Required Supporting Document: SRA Tool Summary Report from Office of National Coordinator (ONC) or equivalent.
EPs must use 2015 Edition CEHRT to meet Stage 3 meaningful use.
EPs must conduct or review a security risk analysis of CEHRT, including addressing encryption/security of data, implement updates as necessary at least once each calendar year, and attest to conducting the analysis or review.
It is acceptable for the security risk analysis to be conducted outside the EHR reporting period; however, the analysis must be unique for each EHR reporting period, the scope must include the full EHR reporting period, and it must be conducted within the calendar year of the EHR reporting period.
An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each EHR reporting period. Any security updates and deficiencies that are identified should be included in the EP’s risk management process and implemented or corrected as dictated by that process.
The security risk analysis requirement under 45 CFR 164.308(a)(1) must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.
At minimum, EPs should be able to show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.
The parameters of the security risk analysis are defined 45 CFR 164.308(a)(1), which was created by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The PI Program does not impose new or expanded requirements on the HIPAA Security Rule nor does it require specific use of every certification and standard that is included in certification of EHR technology. More information on the HIPAA Security Rule can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the HIPAA Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
The Office of the National Coordinator for Health Information Technology (ONC) and OCR developed a free Security Risk Assessment (SRA) Tool to assist EPs: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.
This particular objective will require a Yes/No response in the State Level Registry.
Supporting Documentation to be uploaded during attestation: The SRA Summary Report (please see the sample checklist above for additional information). During the pre-payment verification process, we will look for a completed analysis (meaning, that every question was answered Yes/No and that comments were included as part of the response). We will also verify the completion date (prior to December 31st) for that calendar year.
Security Risk Assessment Videos
How Can I Learn More Before Getting Started?
For more information on what a risk assessment may involve, please view the following resources:
Security 101: Security Risk Analysis – Risk Assessment
Security 101: Contingency Planning
To learn how to use the SRA Tool, view our Tutorial video, which shows the basics of using and navigating the tool.
What is Risk Assessment?
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Visit the Office for Civil Rights’ – Privacy and Security for additional information.