Objective:
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Clinical Importance
Maintaining the confidence of the personal health information of patients is an old and sacred responsibility for clinicians. One concern many practices have with implementing EHRs is the ability to provide the right amount of security for their patients records. Applying safeguards found in The HIPAA Privacy Rule can assist in avoiding common security gaps that lead to cyber attack or data loss which can help protect the people, information, technology, and practices.
CMS Resources
The following resources are available to help you meet the Protect Electronic Health Information meaningful use core measure:
Lessons from the Field
“In assisting rural clinics to meet meaningful use stage one requirements, we have realized several challenges associated with identifying and resolving privacy and security lapses. Utilizing existing tools is tremendously helpful in overcoming these challenges.”
— Jason Felts, Health IT Practice Advisor, Oklahoma Foundation for Medical Quality
A key to identifying outlying privacy and security risks is to utilize existing tools, such as the ONC Security Risk Assessment, in the analysis of a practice. An all-inclusive tool is essential for ensuring all areas of privacy and security are appropriately assessed. Once risks are identified, we recommend the use of sample policies and procedures that can be adjusted to fit the needs of each practice and assist in meeting the meaningful use requirement of protecting electronic health information.
“Many practices are unaware of the risks to electronic personal health information in an EHR environment. Utilizing tools that allow practices to identify risks in their environment and bring awareness to mitigation strategies is not only necessary for Meaningful Use, but also vital in safeguarding electronic health information.”
— Nicholas Heesters, Privacy and Security Specialist,
Smaller practices have been very receptive to assistance with risk analysis of privacy and security. By using the ONC Security Risk Assessment, a practice can be guided through the tool to identify risks that exist and develop an action plan with risk mitigation strategies. After risks are identified, it is important to include a follow-up assessment to adjust and update the tool to reflect any progress or action taken. The use of the risk assessment tool coupled with industry best practices allows providers to identify where improvements are needed during the initial assessment and have a process in place that will allow for continued monitoring of risks.