Meaningful Use Risk Analysis Scope

Identifying the scope for Meaningful Use security risk analysis starts with understanding the flow of your electronic Protected Health Information. According to HHS guidelines, the following personal information (18 identifiers), when combined with clinical data, becomes Protected Health Information (PHI), which is the scope of security risk analysis:


| Identifiers | Examples |
|---|---|
| Name | Max Bialystock |
| Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code) | 1355 Seasonal Lane |
| Dates related to an individual | Birth, death, admission, discharge |
| Telephone numbers (home, office, mobile, etc.) | 212 555 1234 |
| Fax number | 212 555 1234 |
| Email address (personal, official) | |
| Social Security number | 239-68-9807 |
| Medical record number | 189-88876 |
| Health plan beneficiary number | 123-ir-2222-98 |
| Account number | 333389 |
| Certificate/license number | 3908763 NY |
| Any vehicle or other device serial number | SZV4016 |
| Device identifiers or serial numbers | Unique medical devices/RFID |
| Internet Protocol (IP) address numbers | |
| Finger or voice prints | finger.jpg |
| Photographic images | mypicture.jpg |
| Any other characteristic that could uniquely identify the individual | Social media username, etc. |

It’s critical to understand the definition of PHI before you continue with any part of meaningful use security risk analysis. Keep in mind when PHI is de-identified using some of the techniques described here by HHS, it’s considered out-of-scope for risk analysis.
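As an added illustration (not part of EHR 2.0's toolkit or any HHS tool), the following Python applies the scoping rule above to a record: it flags which identifier categories from the table are present and treats the record as in-scope ePHI only when at least one identifier sits alongside clinical data, so a de-identified record falls out of scope. The field names, regular expressions and sample values are assumptions constructed for the example.

```python
import re

# Identifier categories from the table that have a recognisable shape in free text.
# Constructed, illustrative patterns; tune them to your own data formats.
PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Date related to an individual": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Structured fields whose presence alone is an identifier (assumed field names).
KEYED_IDENTIFIERS = {
    "name": "Name",
    "address": "Address",
    "mrn": "Medical record number",
    "plan_id": "Health plan beneficiary number",
    "account": "Account number",
    "device_serial": "Device identifiers or serial numbers",
    "photo": "Photographic images",
}

def find_identifiers(record):
    """Return the set of identifier categories present in a record."""
    found = set()
    for key, value in record.items():
        if key in KEYED_IDENTIFIERS and value:
            found.add(KEYED_IDENTIFIERS[key])
        if isinstance(value, str):
            for label, pattern in PATTERNS.items():
                if pattern.search(value):
                    found.add(label)
    return found

def classify_scope(record):
    """PHI (in scope) = identifier(s) combined with clinical data.
    Clinical data with no identifiers is de-identified and out of scope;
    identifiers with no clinical data are not PHI under the rule above."""
    ids = find_identifiers(record)
    clinical = bool(record.get("diagnosis") or record.get("notes"))
    return {"identifiers": sorted(ids), "clinical_data": clinical,
            "in_scope": clinical and bool(ids)}

# Constructed sample records (not real patient data).
RECORD = {"name": "Max Bialystock", "mrn": "189-88876", "diagnosis": "Type 2 diabetes",
          "notes": "Call 212 555 1234 before 2019-03-04 follow-up; SSN 239-68-9807 on file."}
DEIDENTIFIED = {"diagnosis": "Type 2 diabetes", "notes": "Follow-up scheduled; contact details removed."}
NO_CLINICAL = {"name": "Max Bialystock", "account": "333389"}
```

Pattern matching catches formatted values but not free-form identifiers such as a name typed into a note, so it complements, rather than replaces, the ePHI inventory discussed below.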

Though the primary focus of MU SRA is the EHR system, we recommend including all key networking components and patient data management interfaces/applications as part of this exercise; it provides an opportunity to conduct an end-to-end review and assessment of the gaps.

Identify and categorize all your practice processes, systems, and technology. We recommend using a simple ePHI inventory template for this exercise, which needs to be kept up to date as your technology infrastructure changes. In a lot of practices, billing and scheduling systems are used alongside the core EHR system for better efficiency. During your MU SRA, ensure you cover all interfaces you have developed to keep the data in sync between different systems, in terms of the risks they expose ePHI to.

Primarily, the following key systems are covered as part of MU SRA:

  • EHR system
  • Network (Routers, Wireless Access Points, Firewall, etc.)
  • Desktops
  • Mobile/laptop/tablets
  • Interfaces
  • Copiers/printers
  • Patient Portal (if any)

To learn more about EHR 2.0’s toolkit for Meaningful Use Risk Analysis click on the link below:
