This measure requires you to conduct or review a security risk analysis in accordance with the HIPAA Security Rule, specifically the Security Management Process (45 CFR 164.308(a)(1)). You also need to implement security updates as necessary and correct identified security deficiencies as part of your risk management process. You must conduct or review a security risk analysis and implement security updates as necessary at least once prior to the end of the EHR reporting period.
ONC Security Risk Analysis (SRA) Tool
In collaboration with the HHS Office for Civil Rights, the ONC released a tool to help practices conduct and document a comprehensive assessment to identify risks in their organizations. The SRA tool also produces a report that can be useful for audits.
Download the Security Risk Analysis Tool
Since your practice is unique and you know your practice best, you are ultimately responsible for security and privacy measures that are appropriate and reasonable for your practice's needs and capabilities.
For additional support, you may want to consult with a qualified professional who can use his or her expertise to help mitigate risks, identify potential areas for improving security, and train your staff. CMS has also created a Security Risk Analysis Tip Sheet to help you understand this requirement.
Make sure to keep any documentation you use in your records as proof that you have completed this measure.
After completing the requirements for this measure, you can manually indicate this in your Meaningful Use Dashboard.
Review the CMS specifications for more information about this measure.
For more information on the EHR Incentive Program, visit the Meaningful Use Center.