To meet the “Protect Electronic Health Information” core objective for Stage 1, eligible professionals (EP), eligible hospitals or critical access hospitals (CAH) must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.
In Stage 2, in addition to meeting the same security risk analysis requirements as Stage 1, EPs and hospitals will also need to address the encryption and security of data stored in the certified EHR technology (CEHRT).
These steps may be completed outside of the EHR reporting period time frame, but must take place no earlier than the start of the EHR reporting year and no later than the provider's attestation date. For example, an EP who is reporting Meaningful Use for a 90-day EHR reporting period may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed no earlier than January 1st of the EHR reporting year and no later than the date the provider submits their attestation for that EHR reporting period.
This meaningful use objective complements but does not impose new or expanded requirements on the HIPAA Security Rule. In accordance with the requirements under 45 CFR 164.308(a)(1)(ii), providers are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Once the risk analysis is completed, providers must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.
Please note that a security risk analysis or review needs to be conducted during each EHR reporting year for Stage 1 and Stage 2 of meaningful use to ensure the privacy and security of patients’ protected health information.
For more information about completing a security risk analysis, please see the following resources: Security Risk Assessment Tip Sheet:
Health Information Privacy and Security: A 10 Step Plan: http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan