The Centers for Medicare & Medicaid Services (CMS), in conjunction
with the HHS Office for Civil Rights (OCR), has recently issued an updated tipsheet
on conducting a security risk assessment for health care providers participating
in CMS’s Electronic Health Records (EHR) Incentive Programs. To receive incentive payments through the
program, providers must demonstrate meaningful use as defined by CMS. Stage 1 and 2 meaningful use standards include
the core objective that providers implement appropriate technical capabilities
to protect electronic protected health information (ePHI) created or maintained
through the provider’s EHR technology.
To meet this objective, providers must conduct a risk assessment as
required under the HIPAA Security Rule, implement security updates as
necessary, and correct identified security deficiencies as part of its risk
management process; in addition, Stage 2 meaningful use requires providers to
address the encryption/security of electronic data at rest. Providers participating in the EHR Incentive
Programs must conduct such a risk assessment every year (i.e., each reporting
period) to continue to meet meaningful use.
CMS’s tipsheet helps providers understand the risk assessment process
and goals. The Security Rule requires
providers to consider and evaluate particular security areas. The tipsheet provides examples of potential
measures a provider may want to implement to increase security of ePHI. The tipsheet also addresses certain common
myths about conducting a risk assessment.
As part of attesting having made meaningful use of their EHRs, providers
must attest to having completed the assessment every year. Providers may be penalized for failing to
conduct a risk assessment.