Step 5: Achieve Meaningful Use

  1. Assess Your Practice Readiness
  2. Plan Your Approach
  3. Select or Upgrade to a Certified EHR
  4. Conduct Training & Implement an EHR System
  5. Achieve Meaningful Use
  6. Continue Quality Improvement

Core Measure 15

Protect Electronic Health Information

Objective:

Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure:

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

CMS Resources

The following resources are available to help you meet the Protect Electronic Health Information meaningful use core measure:

CMS EHR Incentive Program Frequently Asked Questions

Lessons from the Field

"In assisting rural clinics to meet meaningful use stage one requirements, we have realized several challenges associated with identifying and resolving privacy and security lapses. Utilizing existing tools is tremendously helpful in overcoming these challenges."

— Jason Felts, Health IT Practice Advisor, Oklahoma Foundation for Medical Quality

A key to identifying outlying privacy and security risks is to utilize existing tools, such as the ONC Security Risk Assessment, in the analysis of a practice. An all-inclusive tool is essential for ensuring all areas of privacy and security are appropriately assessed. Once risks are identified, we recommend the use of sample policies and procedures that can be adjusted to fit the needs of each practice and assist in meeting the meaningful use requirement of protecting electronic health information.

"Many practices are unaware of the risks to electronic personal health information in an EHR environment. Utilizing tools that allow practices to identify risks in their environment and bring awareness to mitigation strategies is not only necessary for Meaningful Use, but also vital in safeguarding electronic health information."

Nicholas Heesters, Privacy and Security Specialist, Quality Insights of Delaware

Smaller practices have been very receptive to assistance with risk analysis of privacy and security. By using the ONC Security Risk Assessment, a practice can be guided through the tool to identify risks that exist and develop an action plan with risk mitigation strategies. After risks are identified, it is important to include a follow-up assessment to adjust and update the tool to reflect any progress or action taken. The use of the risk assessment tool coupled with industry best practices allows providers to identify where improvements are needed during the initial assessment and have a process in place that will allow for continued monitoring of risks.

National Learning Consortium Resources

The following resources are examples of tools that are used in the field today to protect electronic health information. These tools have been recommended by "boots-on-the-ground" professionals for use by others who have made the commitment to implement or upgrade to certified EHR systems.

Learn more about The National Learning Consortium.

Reference in this web site to any specific resources, tools, products, process, service, manufacturer, or company does not constitute its endorsement or recommendation by the U.S. Government or the U.S. Department of Health and Human Services.

| Resource Name | Description | Source |
| --- | --- | --- |
| ONC Security Risk Assessment | Security risk assessment tool intended to be a starting point for organizations to identify cyber security risks. | Office of the National Coordinator for Health Information Technology (ONC) |
| Guidance on Risk Analysis Requirements under the HIPAA Security Rule [PDF - 37 KB] | Guidance on the provisions in the HIPAA Security Rule to assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI). | Office for Civil Rights (OCR) |
| Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices [PDF - 110 KB] | Guide intended to assist small health care practices in reassessing their existing health information security policies as they consider adopting and implementing emerging health IT capabilities. | Office of the National Coordinator for Health Information Technology (ONC) |
| Guide to Privacy and Security of Health Information, Chapter 2: Privacy & Security and Meaningful Use [PDF - 1.56 MB] | Guide that addresses the electronic health record (EHR) privacy and security meaningful use requirements; this chapter is a subsection of ONC's Guide to Privacy and Security of Health Information. | Office of the National Coordinator for Health Information Technology (ONC) |
| Health Information Privacy and Security 10 Step Plan | 10 step plan for health information privacy and security that covers activities from preparation, risk analysis, action planning, risk management, and attesting for meaningful use. | Office of the National Coordinator for Health Information Technology (ONC) |

Preparing for Meaningful Use Stage 2

Objective:

Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure:

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest, and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Source: Centers for Medicare & Medicaid Services [PDF - 256 KB]