United States Health Information Knowledgebase

 

Protect Electronic Health Information

Eligible Professionals Core Set / Stage 1 / Number 15 of 15

Name:Protect Electronic Health Information
Item Type:Core and Menu Objective
Number:15 of 15
Stage:Stage 1
Date Issued:11/7/2010
Type:Eligible Professional Meaningul Use Core Measure
Objective:Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Definition:Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion:No exclusion.
Attestation Requirements:YES / NO

Eligible professionals (EPs) must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.
URI:
Registration Authority:Centers for Medicare & Medicaid Services
Administrative Attributes
Date Of Submission: 2012-11-01
Responsible Organization:Centers for Medicare & Medicaid Services
Submitting Organization:Centers for Medicare & Medicaid Services
Steward Organization:Centers for Medicare & Medicaid Services
Definition of Terms:Appropriate Technical Capabilities - A technical capability would be appropriate if it protected the electronic health information created or maintained by the certified EHR technology. All of these capabilities could be part of the certified EHR technology or outside systems and programs that support the privacy and security of certified EHR technology.
Additional Information:EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period.

A security update would be required if any security deficiencies were identified during the risk analysis. A security update could be updated software for certified EHR technology to be implemented as soon as available, changes in workflow processes or storage methods, or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.
Scroll To Top