
Step 5: Achieve Meaningful Use Stage 2

Protect Electronic Health Information

Objective:

Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

Measure:

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.

Changes from Meaningful Use Stage 1:

Objective, Stage 1: Protect electronic health information created or maintained by the certified EHR Technology through the implementation of appropriate technical capabilities

Objective, Stage 2: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities

Measure, Stage 1: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process

Measure, Stage 2: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process

Clinical Importance:

Maintaining the confidentiality of patients' personal health information is an old and sacred responsibility for clinicians. One concern many practices have with implementing EHRs is the ability to provide the right amount of security for their patients' records. Applying safeguards found in the HIPAA Privacy Rule can assist in avoiding common security gaps that lead to cyber attack or data loss, which can help protect the people, information, technology, and practices.

CMS Resources:

The following resources are available to help you meet the Protect Electronic Health Information meaningful use core measure:

CMS EHR Incentive Program Frequently Asked Questions (FAQs)

National Learning Consortium Resources:

The NLC resources are examples of tools that are used in the field today, and that are recommended by “boots-on-the-ground” professionals. The NLC, in partnership with HealthIT.gov, shares this collective EHR implementation knowledge and resources throughout this site. 

Resource: Guidance on Risk Analysis Requirements under the HIPAA Security Rule [PDF - 37 KB]
Description: Guidance on the provisions in the HIPAA Security Rule to assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI).
Source: Office for Civil Rights (OCR)

Resource: Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices [PDF - 110 KB]
Description: Guide intended to assist small health care practices in reassessing their existing health information security policies as they consider adopting and implementing emerging health IT capabilities.
Source: Office of the National Coordinator for Health Information Technology (ONC)

Resource: Guide to Privacy and Security of Health Information, Chapter 2: Privacy & Security and Meaningful Use [PDF - 1.56 MB]
Description: Guide that addresses the electronic health record (EHR) privacy and security meaningful use requirements; this chapter is a subsection of ONC's Guide to Privacy and Security of Health Information.
Source: Office of the National Coordinator for Health Information Technology (ONC)

Resource: Health Information Privacy and Security 10 Step Plan
Description: 10 step plan for health information privacy and security that covers activities from preparation, risk analysis, action planning, risk management, and attesting for meaningful use.
Source: Office of the National Coordinator for Health Information Technology (ONC)

The material in these guides and tools represents the collective EHR implementation experiences and knowledge gained directly from the field of ONC’s outreach programs (REC, Beacon, State HIE) and through the Health Information Technology Research Center (HITRC) Communities of Practice (CoPs) in their performance of technical support and EHR implementation assistance to primary care providers. The information contained in these resources is not intended to serve as legal advice nor should it substitute for legal counsel. The resource list is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.

Reference in this web site to any specific resources, tools, products, process, service, manufacturer, or company does not constitute its endorsement or recommendation by the U.S. Government or the U.S. Department of Health and Human Services.

 
