CMS relaxes the requirements for conducting security risk analysis from “during the reporting period” to “anytime during the reporting year.”
To meet the “Protect Electronic Health Information” core objective for Stage 1, eligible professionals (EP), eligible hospitals or critical access hospitals (CAH) must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.
In Stage 2, in addition to meeting the same security risk analysis requirements as Stage 1, EPs and hospitals will also need to address the encryption and security of data stored in the certified EHR technology (CEHRT).
These steps may be completed outside or the EHR reporting period timeframe but must take place no earlier than the start of the reporting year and end of the reporting year. For example, a EP who is reporting Meaningful use for a 90 day EHR reporting period may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed no earlier than January 1st and no later than December 31st of the EHR reporting year.
This meaningful use objective complements but does not impose new or expanded requirements on the HIPAA Security Rule. In accordance with the requirements under (45 CFR 164.308(a)(1)(ii)), providers are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Once the risk analysis is completed, providers must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.
Also, a security risk analysis or review needs to be conducted during each EHR reporting year for Stage 1 and Stage 2 of meaningful use to ensure the privacy and security of their patients’ protected health information.
For more information about completing a security risk analysis for meaningful use, please see ourmeaningful use security risk analysis service offering section.
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017