EHR technology is expected to deliver a very high standard of data security. While the EHR vendor is responsible for developing software that meets government security standards, the provider is expected to understand both the EHR technology’s security functionality and the security of electronic health information within their own practice. The provider must review security and address any deficiencies that are found.
PI Objective and Calculation
Eligible clinicians (ECs) must attest YES to having conducted or reviewed a HIPAA security risk analysis (SRA) in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of data stored in Certified EHR Technology in accordance with the requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and to implementing security updates as necessary and correcting identified security deficiencies as part of the EP’s risk management process.
ECs must conduct the security risk analysis upon installation of CEHRT or upon upgrade to a new Edition of certified EHR technology. The initial security risk analysis and testing may occur before the beginning of the first EHR reporting period that uses that certified EHR technology. In subsequent years, a provider must review the security risk analysis of the CEHRT and the administrative, physical, and technical safeguards implemented, and update the analysis as necessary, at least once per EHR reporting period.
The SRA or review can be performed anytime during the calendar year, even if outside the performance period, but cannot extend into the following year.
Promoting Interoperability Discussion
EHR technology must support the privacy and security of electronic health information created and maintained by the technology. To achieve certification, the EHR technology must meet a specific list of security standards. RevolutionEHR has met or exceeded the minimum security standards. While RevolutionEHR can provide certain assurances, each practice must also evaluate its own security protocols.
A comprehensive HIPAA security risk assessment must identify the following:
- tools within the practice that hold electronic protected health information (ePHI),
- threats to that ePHI,
- vulnerabilities that would permit those threats to impact the ePHI,
- what the loss of ePHI would mean to the organization,
- controls that can be put in place to protect ePHI.
RevolutionEHR advises that upon completion of this risk assessment or review, the provider may attest to having met this objective. RevolutionEHR will continue to provide security capability enhancements to assure customers that patient data in the system is protected to the published standards.
Meeting this objective is expected to present significant challenges because of the scope of, and the time required for, a security risk assessment. Additionally, 2019 will require a “full” or “complete” SRA process to align with CMS guidance regarding the use of 2015 Edition CEHRT:
“An analysis must be conducted when 2015 Edition CEHRT is implemented. An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each MIPS performance period.”
To assist its customers, RevolutionEHR has partnered with Abyde and MetaStar to provide trusted, third-party assistance.
- Abyde offers a cloud-based process described on their website.
- MetaStar offers a virtual SRA process and can be contacted through their website.
If a practice elects to keep this process in house, the ONC’s SRA Tool may be helpful.