One of the meaningful use core measures for eligible professionals, eligible hospitals and CAHs is to protect electronic health information. According to center for medicare and medicaid services following objective and measures need to be in place for “Protecting electronic health information” :
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure:Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion: No exclusion.
Definition of Terms
Appropriate Technical Capabilities – A technical capability would be appropriate if it protected the electronic health information created or maintained by the certified EHR technology. All of these capabilities could be part of the certified EHR technology or outside systems and programs that support the privacy and security of certified EHR technology.
YES / NO
Eligible professionals (EPs) must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.
• EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period.
• A security update would be required if any security deficiencies were identified during the risk analysis. A security update could be updated software for certified EHR technology to be implemented as soon as available, changes in workflow processes or storage methods, or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.