As with other stages of the electronic health records meaningful use program, the initial iteration of Stage 3 that was published as a proposed rule on March 20 includes an objective to protect electronic protected health information.

Policymakers propose to reuse in Stage 3 the security objective language used in Stage 2. But following confusion between security requirements under the Stage 2 language and requirements under the HIPAA security rule, more clarifications are added in subsequent explanations of the security objective in Stage 3.

The objective is: “Protect electronic protected health information (ePHI) created or maintained by the CEHRT (certified electronic health records technology) through the implementation of appropriate technical, administrative and physical safeguards.”

Also See: How Does Proposed Stage 3 MU Rule Handle Transitions of Care?

The accompanying measure requires an organization to conduct or review a security risk analysis in compliance with HIPAA security rule criteria. This will include addressing the security of data stored in CEHRT, which also will include addressing the question of whether to encrypt the stored data. Covered entities also would be required to implement security updates as necessary and correct identified deficiencies as part of a risk management process.

“Under this proposed measure, a risk analysis must assess the risks and vulnerabilities to ePHI created or maintained by the CEHRT and must be conducted or reviewed for each EHR reporting period, which as proposed in this rule would be a full calendar year, and any security updates and deficiencies identified should be included in the provider’s risk management process and implemented or corrected as dictated by the process.”

The Centers for Medicare and Medicaid Services, in the proposed rule, stresses that this measure has limited requirements to be done annually to protect ePHI created by or maintained in the certified EHR as part of Stage 3 compliance, and should not be confused with additional requirements in the HIPAA security rule. HIPAA covers ePHI in all forms of electronic media; Stage 3 focuses on certified EHRs being used to achieve meaningful use.

As far as timing of the security risk analysis, providers should conduct it upon installation of a certified EHR or upon an upgrade of an existing certified EHR. “The initial security risk analysis and testing may occur prior to the beginning of the first EHR reporting period using that certified EHR technology,” according to the rule.

The Office of the National Coordinator for Health Information Technology on its website offers guidance and a Security Risk Assessment Tool that was created with the HHS Office for Civil Rights. The tool is free, has 156 questions to consider, and suggests when corrective action may be required for certain items. “This tool is not required by the HIPAA security rule, but is one means by which providers and professionals in small and medium sized practices may perform a security risk analysis,” the rule notes.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access