
Stage 1 Core Measure 15

Measure at a Glance

Type: task to be performed

Denominator: none

Duration: completed prior to or during the EHR reporting period

Objective: Protect electronic information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion: No exclusion.
There are no changes to this objective and measure regardless of when EPs attest to Stage 1 Meaningful Use.

CMS Technical Specification

TennCare Notes
New CMS guidance for when to complete a Security Risk Analysis: A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the EHR reporting year and no later than the date the provider submits their attestation for that EHR reporting period.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st of the EHR reporting year and no later than the date the eligible professional submits the attestation for that EHR reporting period. For more information, read the updated FAQ.

The security risk analysis must be completed prior to attestation. Review FAQ #10754.

If you are a provider participating in the EHR Incentive Programs, conducting or reviewing a security risk analysis is required to meet Stage 1 and Stage 2 of meaningful use. This meaningful use objective complements the HIPAA Security Rule but does not impose new or expanded requirements on it.

The attestation portal will require the EP to choose yes or no to having conducted or reviewed a security risk analysis as specified.

Relevant CMS FAQs

  • 10092: finding answers to privacy and security questions regarding EHRs

Additional Resources

CMS Security Risk Analysis Tip Sheet

Security Risk Assessment Tool and Video

Security Standards for the Protection of Electronic Protected Health Information

Additional security information can be found at Health and Human Services’ Office of Civil Rights for health information privacy resources.

Federal Regulations Governing This Measure

CMS' Final Rule

§ 495.6(d)(14): see objective and measure above

45 CFR 164.308(a)(1): administrative safeguards referenced in the measure

Standards and Certification Final Rule

§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:

  1. Encryption and decryption of electronic health information
    1. General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2 (incorporated by reference in § 170.299).
    2. Exchange. Any encrypted and integrity protected link.
  2. Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.
  3. Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that electronic health information has not been altered.
  4. Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
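The following is an added example, not code from the CMS/TennCare page or from any EHR product: a minimal audit-record writer shaped by § 170.210(b) (date, time, patient identification, user identification, and which action occurred) and an in-transit integrity check shaped by § 170.210(c). Field names, identifiers, the timestamp and the sample document are constructed for illustration.

```python
"""Added example (not the page's or any vendor's code): a 170.210(b) audit
record and a 170.210(c) integrity check. All identifiers are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The four actions 170.210(b) says must be recorded when they touch ePHI.
AUDITABLE_ACTIONS = frozenset({"create", "modify", "access", "delete"})

# Constructed timestamp so the example is reproducible offline.
SAMPLE_TIME = datetime(2014, 3, 5, 14, 30, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AuditRecord:
    """One 170.210(b) entry: date, time, patient id, user id (by whom), action."""
    date: str
    time: str
    patient_id: str
    user_id: str
    action: str


def record_action(patient_id: str, user_id: str, action: str,
                  when: Optional[datetime] = None) -> AuditRecord:
    """Build the audit entry, rejecting action names the rule does not define."""
    if action not in AUDITABLE_ACTIONS:
        raise ValueError(f"not a 170.210(b) action: {action!r}")
    when = when or datetime.now(timezone.utc)
    return AuditRecord(date=when.strftime("%Y-%m-%d"),
                       time=when.strftime("%H:%M:%S%z"),
                       patient_id=patient_id, user_id=user_id, action=action)


def integrity_digest(payload: bytes) -> str:
    """170.210(c) sets SHA-1 as the floor; SHA-256 (FIPS 180) exceeds it and
    avoids SHA-1, which NIST is phasing out."""
    return hashlib.sha256(payload).hexdigest()


def verify_unaltered(payload: bytes, expected_digest: str) -> bool:
    """Recompute the digest on receipt and compare in constant time."""
    return hmac.compare_digest(integrity_digest(payload), expected_digest)


if __name__ == "__main__":
    rec = record_action("PAT-001", "DR-42", "access", when=SAMPLE_TIME)
    doc = b'{"patient_id": "PAT-001", "allergies": ["penicillin"]}'
    digest = integrity_digest(doc)
    print(rec)
    print("intact:", verify_unaltered(doc, digest))
    print("tampered:", verify_unaltered(doc.replace(b"penicillin", b"none"), digest))
```

The tampered copy fails verification because even a one-field change produces a different SHA-256 digest, which is the property § 170.210(c) relies on to detect alteration in transit.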