Measure at a Glance
Type: task to be performed
Duration: completed prior to or during the EHR reporting period
Objective: Protect electronic information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion: No exclusion.
There are no changes to this objective and measure regardless of when EPs attest to Stage 1 Meaningful Use.
The measure requires conducting a security analysis and correcting security deficiencies as part of a risk management process. Mitigation of all risks is not required, as some issues may be deemed low-risk in the management process. The key is performing a security analysis and establishing a risk management process.
The legislation governing this program did not create any new privacy laws. HIPAA applies as always.
The attestation portal will require the EP to choose yes or no to having conducted or reviewed a security risk analysis as specified.
Relevant CMS FAQs
The CMS FAQ directs readers to Health and Human Services’ Office for Civil Rights for health information privacy resources.
CMS' Final Rule
§ 495.6(d)(14) see objective and measure above
45 CFR 164.308(a)(1) Administrative safeguards referenced in measure
§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged: