Skip to Content

Stage 2 Core Measure 9

Next Measure Previous Measure


Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP's risk management process.
Exclusion: No exclusion.

CMS Specification Sheet

TennCare Notes
In Stage 2, EPs need to meet the same security risk  analysis requirements as Stage 1, but must also address the encryption/security of data at rest. See Core Measure 15 in Stage 1 Meaningful Use for Additional Resources.

The security risk analysis must be completed prior to attestation. Review FAQ #10754,

The attestation portal will require the EP to choose yes or no to having conducted or reviewed a security risk analysis as specified.

Federal Regulations Governing This Measure

CMS' Final Rule

§495.6(j)(16)(i) see objective, measure and exclusion above

Standards and Certification Final Rule

§ 170.314(d)(4) Amendments. Enable a user to electronically select the record affected by a patient’s request for amendment and perform the capabilities specified in paragraphs (d)(4)(i) or (ii) of this section.
    (i) Accepted amendment - For an accepted amendment, append the amendment to the affected record or include a link that indicates the amendment’s location.
    (ii) (ii) Denied amendment - For a denied amendment, at a minimum, append the request and denial of the request to the affected record or include a link that indicat§ 170.314(d)(3) Audit reports(s). Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards at § 170.210(e).

§ 170.314(d)(7) End-user device encryption.  Paragraph (d)(7)(i) or (ii) of this section must be met to satisfy this certification criterion.
(i) EHR technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of es this information’s location.

§ 170.314(d)(2) Auditable events and tamper-resistance.
(i) Record actions. EHR technology must be able to:
(A) Record actions related to electronic health information in accordance with the standard
specified in § 170.210(e)(1);