Remember that the CMS measure states that providers must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Contrary to what many vendors are telling our Eligible Providers, simply using a Meaningful Use Certified EHR does not cover Core Measure 15. There is no MU Certified EHR software package that is capable of conducting a thorough risk analysis. A risk analysis includes evaluating, accessing, and updating appropriate administrative, technical, and physical controls. No program has the ability to do a walk-through of your office to evaluate the physical side of security. Are your monitors positioned correctly? Is your server in a secure location? Are there locks on the doors? It is necessary to have a thorough risk analysis performed by someone trained in privacy, security, and HIPAA rules and regulations. There are no exclusions to Measure 15.

To receive attestation, eligible professionals (EPs) must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements, implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period.

A risk analysis process includes, but is not limited to, the following activities:

  • ·Evaluate the likelihood and impact of potential risks to e-PHI.
  • ·Implement appropriate security measures to address the risks identified in the risk analysis.
    • Document the chosen security measures and, where required, the rationale for adopting those measures.
    • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process to regularly review records, detect security incidents, evaluates the effectiveness of security measures in place, and re-evaluates potential risks.