Stage 3 Medicaid tip sheet for protecting patient health information.

Medicaid Tip Sheet

Conducting or reviewing a security risk analysis to meet the standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Medicaid eligible professionals must conduct or review a security risk analysis for each EHR reporting period to ensure the privacy and security of their patients’ protected health information.

Objective – Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Measure – Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider’s risk management process.

Description of HIPAA Requirement – Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)).

Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year. In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted. It is acceptable for the security risk analysis to be conducted outside the EHR reporting period; however, the analysis must be conducted for the certified EHR technology used during the EHR reporting period and the analysis or review must be conducted on an annual basis prior to the date of attestation. In other words, the provider must conduct a unique analysis or review applicable for the EHR reporting period and the scope of the analysis or review must include the full EHR reporting period. Any security updates and deficiencies that are identified in the review should be included in the provider’s risk management process and implemented or corrected as dictated by that process. This tip sheet[1] provides an overview of the security risk analysis requirement. Meaningful use does not impose new or expanded requirements on the HIPAA Security Rule, nor does it require specific use of every certification and standard that is included in certification of EHR technology. You can also find additional information and resources to assist you in learning more about the HIPAA Security Rule through the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

[1] Content adapted from the HHS Office of the National Coordinator for Health Information Technology’s Guide to Privacy and Security of Health Information.

Performing a Security Risk Analysis

Today many patients’ protected health information is stored electronically, so the risk of a breach of their ePHI, or electronic protected health information, is very real. To help you conduct a risk analysis that is right for your medical practice, the Office for Civil Rights (OCR) has issued Guidance on Risk Analysis. There is no single method or “best practice” that guarantees compliance, but most risk analysis and risk management processes have steps in common. Here are some considerations as you conduct your risk analysis:

- Define the scope of the risk analysis and collect data regarding the ePHI pertinent to the defined scope.

- Identify potential threats and vulnerabilities to patient privacy and to the security of your practice’s ePHI.

- Assess the effectiveness of implemented security measures in protecting against the identified threats and vulnerabilities.

- Determine the likelihood a particular threat will occur and the impact such an occurrence would have to the confidentiality, integrity and availability of ePHI.

- Determine and assign risk levels based on the likelihood and impact of a threat occurrence.

- Prioritize the remediation or mitigation of identified risks based on the severity of their impact on your patients and practice.

- Document your risk analysis, including information from the steps above as well as the risk analysis results.

- Review and update your risk analysis on a periodic basis.

Creating an Action Plan

Once you have completed these steps, create an action plan to implement appropriate security measures to safeguard the confidentiality, integrity and availability of the ePHI and make your practice better at protecting patients’ health information.

Your action plan will involve a review of the risks to your practice’s ePHI identified in your risk analysis to correct any processes that make your patients’ information vulnerable. Make sure your analysis examines risks specific to your practice. For example, how do you store patient information—on an EHR system in your office, or on an Internet-based system? Each scenario carries different potential risks. Your risk analysis may also reveal that you need to update your system software, change the workflow processes or storage methods, review and modify policies and procedures, schedule additional training for your staff, or take other necessary corrective action to eliminate identified security deficiencies.

When creating your action plan, be sure to document the relevant information to ensure the plan is followed. This should include the steps your practice has decided to take to remediate or mitigate the identified risks, the individual responsible for implementing the required changes, and a target date identifying when the required changes are expected to be implemented.
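As an added example (not part of the CMS tip sheet), the risk analysis steps listed above and the action plan fields just described, carried through in Python for a small practice: a risk register that scores likelihood and impact, assigns a risk level, prioritizes remediation, records owner and target date, and checks that the last analysis falls within the year before attestation. The 3-point scales, thresholds, and sample entries are constructed assumptions.

```python
# Added example, not from the CMS tip sheet. Scales, thresholds and the sample
# register below are constructed assumptions, not values from the tip sheet.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Risk:
    asset: str                       # where the ePHI lives
    threat: str                      # what could happen to it
    vulnerability: str               # the weakness the threat would exploit
    affects: tuple                   # "confidentiality", "integrity", "availability"
    likelihood: int                  # 1 (unlikely) .. 3 (likely)
    impact: int                      # 1 (minor) .. 3 (severe)
    control_effective: bool = False  # an existing safeguard already reduces this risk
    remediation: str = ""            # action plan: what will be done
    owner: str = ""                  # action plan: who is responsible
    target_date: Optional[date] = None  # action plan: when it is expected to be done

def risk_score(r: Risk) -> int:
    """Likelihood x impact (1..9); an effective existing control lowers likelihood one step."""
    likelihood = max(1, r.likelihood - 1) if r.control_effective else r.likelihood
    return likelihood * r.impact

def risk_level(score: int) -> str:
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def prioritize(risks: list) -> list:
    """Highest score first; ties go to risks touching more of confidentiality/integrity/availability."""
    return sorted(risks, key=lambda r: (risk_score(r), len(r.affects)), reverse=True)

def action_plan(risks: list) -> list:
    """One entry per Medium/High risk; 'documented' stays False until owner and target date are set."""
    return [{"asset": r.asset, "threat": r.threat, "level": risk_level(risk_score(r)),
             "remediation": r.remediation, "owner": r.owner, "target_date": r.target_date,
             "documented": bool(r.remediation and r.owner and r.target_date)}
            for r in prioritize(risks) if risk_level(risk_score(r)) != "Low"]

def review_due(last_analysis: Optional[date], attestation: date) -> bool:
    """The analysis or review must fall within the year before the attestation date."""
    return last_analysis is None or not (attestation - timedelta(days=365) <= last_analysis <= attestation)

# Constructed sample register for a small practice
SAMPLE = [
    Risk("office EHR server", "theft", "server in unlocked room", ("confidentiality", "availability"), 2, 3,
         remediation="move server to a locked room"),
    Risk("staff laptops", "loss or theft", "disk not encrypted", ("confidentiality",), 3, 3,
         control_effective=True, remediation="full-disk encryption", owner="IT vendor", target_date=date(2024, 2, 15)),
    Risk("front-desk printer", "misfiled printout", "no shred bin", ("confidentiality",), 1, 1),
]
```

Running `action_plan(SAMPLE)` lists the two High risks with the server theft first (it lacks an owner and date, so `documented` is False), and drops the Low printer risk.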

Protecting Patients’ Electronic Information

Your security risk analysis will help you measure the impact of threats and vulnerabilities that pose a risk to the confidentiality, integrity and availability of your ePHI. Once you have completed the risk analysis of your practice’s facility and information technology, you will need to develop and implement safeguards to mitigate or lower the risks to your ePHI. For example, if you want to assure continuous access to patient information, you may need to add a power surge protection strip to prevent damage to sensitive equipment from electric power surges, put the computer server in a locked room, and become meticulous about performing information system backups.

The Security Rule requires that you put into place reasonable and appropriate administrative, physical and technical safeguards to protect your patients’ ePHI. The Security Rule allows you to tailor security policies, procedures, and technologies for safeguarding ePHI based on your medical practice’s size, complexity, and capabilities—as well as its technical, hardware, and software infrastructure.


Reprinted from CMS