Measure at a Glance
Type: task to be performed
Duration: completed prior to or during the EHR reporting period
Objective: Protect electronic information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion: No exclusion.
There are no changes to this objective and measure regardless of when EPs attest to Stage 1 Meaningful Use.
New CMS guidance for when to complete a Security Risk Analysis: A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the EHR reporting year and no later than the date the provider submits their attestation for that EHR reporting period.
For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period, as long as they are completed no earlier than January 1st of the EHR reporting year and no later than the date the eligible professional submits the attestation for that EHR reporting period. For more information, read the updated FAQ.
The security risk analysis must be completed prior to attestation. Review FAQ #10754.
If you are a provider participating in the EHR Incentive Programs, conducting or reviewing a security risk analysis is required to meet Stage 1 and Stage 2 of meaningful use. This meaningful use objective complements, but does not impose new or expanded requirements on, the HIPAA Security Rule.
The attestation portal will require the EP to choose yes or no to having conducted or reviewed a security risk analysis as specified.
Relevant CMS FAQs
Additional security information can be found at Health and Human Services’ Office of Civil Rights for health information privacy resources.
CMS' Final Rule
§ 495.6(d)(14) see objective and measure above
45 CFR 164.308(a)(1) Administrative safeguards referenced in measure
Standards and Certification Final Rule
§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged: