The monster behind measure number 9 - The Security Risk Assessment/Update

Meaningful use objective number 9 continues to stump many practices as far as what is required. So much so that CMS has dedicated many resources to this one measure. Let's review the measure and discuss what is really needed before you attest to meeting measure #9.

The CMS Eligible Provider Specification Sheet defines the measure as:

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.

If you are using Professional EHR 13 or later, you can be assured that all the 2014 certification criteria related to security were met. In fact, you can print out the proof: go to the ONC website, search for the Professional EHR product, click the name of the product you are using, and you will get a full report of all the criteria passed for 2014 certification, including security. Unfortunately, it doesn't stop there! The certified software covers only the CEHRT portion of the measure; you must also evaluate your office environment, staff policies and procedures, etc. to fully complete the security assessment. Some examples of needed documentation include:

  • How do you control access to your office space during and after office hours? If an employee leaves or is terminated, how do you ensure that their access (keys, badges and EHR logins) is also terminated?
  • How is PHI handled at your workstations? Do you have privacy screens? What are the lock-out settings in the EHR? How do you restrict function-level access to PHI by role?
  • How often do you train staff on HIPAA requirements? When was the last training? What was covered? Do you have sufficient policies and procedures to address both HIPAA and the meaningful use requirements?
  • How often do you review and edit policies and procedures? How is this handled in your office (executive board meeting, designated committee, etc.)?
  • Do you have a security action plan? How often are backups done? How are they stored? If the backup is on an external device, is the data encrypted? Do you store files with PHI on your laptop (spreadsheets, analytical files, CCDs or patient chart exports)? Are those files encrypted?
  • Are the planned actions, owners and dates documented in that security action plan? How often do you update it? At a minimum, you must review and update it during your meaningful use reporting period to meet the measure.

The bullets above are just examples of topics to evaluate and include in your security assessment.

Though it may seem quite ominous, you have likely addressed much of it within your HIPAA compliance plan and regular policies and procedures.

The best news is that there is a free tool, provided by the government, to assist you in completing your security assessment. You can also contract with an external vendor to assist you in completing it. Please remember that regardless of which method you choose, you are still ultimately accountable for the assessment and for correcting the deficiencies it identifies.

Have additional questions? Join the question and answer session on Sept. 5th posted on the Education page.