MU Core Measure: Conduct a Security Risk Analysis – Meaningful Use Monday

Lynn Scheps is Vice President, Government Affairs at EHR vendor SRSsoft. In this role, Lynn has been a voice for physicians and SRSsoft users in Washington during the formulation of the meaningful use criteria. Lynn is currently working to assist SRSsoft users interested in demonstrating meaningful use and receiving the EHR incentive money. Check out Lynn’s previous Meaningful Use Monday posts.

Perhaps because CMS has, in the past, issued little guidance as to exactly what constitutes a security risk analysis for meaningful use purposes, this measure has created a great deal of confusion, and in some cases angst, among providers. Some EPs worry that the measure is so comprehensive that it requires hiring a consultant; at the other end of the spectrum, others assume that they automatically satisfy it because their EHR is certified to meet the privacy and security standards specified by ONC. Neither is the case: a consultant is not required, and a certified EHR only addresses the product, not the practice’s overall handling of electronic health information, which is what the risk analysis must cover.

Core Meaningful Use Measure: Protect Electronic Health Information

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies prior to or during the reporting period. 

According to CMS, this measure is not designed to introduce new security requirements above and beyond what is required for a practice to be HIPAA compliant; the HIPAA Security Rule already requires a risk analysis and risk management (45 CFR 164.308(a)(1)(ii)(A) and (B)). However, this does not mean that EPs should simply attest “Yes” without being able to back up their attestation with documentation of the process that was undertaken, the deficiencies that were identified, and the steps taken to address them.

To help clarify this for providers, ONC recently published the “Guide to Privacy and Security of Health Information,” which contains two chapters that specifically address meaningful use. It’s definitely worth a read!