Security Risk Assessments (SRA) and Electronic Protected Health Information (ePHI)

Small physician offices and Critical Access Hospitals are among the organizations most vulnerable to data breaches.


On April 23, 2013, the Health Care Compliance Association (HCCA) for the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) released the initial overview of its audit of HIPAA privacy, security, and breach notification compliance. The 115 performance audits, which began in December 2012, found that almost 100% of the providers audited had at least one security finding or potential breach, and that two thirds of small offices did not have a complete and accurate risk assessment. The report also showed clearly that the smallest providers had the hardest time meeting requirements in every area.


Both Stage 1 and Stage 2 Meaningful Use require Eligible Professionals to complete a Security Risk Assessment, both to ensure that electronic health information is adequately protected and to receive an incentive payment. After achieving Meaningful Use, each practice remains responsible for maintaining the minimum security standards set by the Centers for Medicare and Medicaid Services (CMS) or risks losing its incentive payment.

What is the objective of SRAs?

To protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.


Meaningful Use measure

Stage 1: Eligible Professionals must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of their risk management process.


Stage 2: Eligible Professionals must meet the same security risk analysis requirements as in Stage 1, and must also address the encryption and security of data at rest.


What does this mean to your practice?

According to Core Measure 15, 45 CFR 164.308(a)(1) Risk Assessment, there is one standard in the Administrative Safeguards section of the Security Rule: implement policies and procedures to prevent, detect, contain, and correct security violations. It is broken down into four categories:

  • Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  • Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
  • Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  • Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.


Meaningful Use does not mandate compliance with HIPAA as a whole, or even with the Security Rule in its entirety (though the Office for Civil Rights has stated that all ePHI is subject to the Security Rule). Instead, it mandates a risk assessment and that the identified risks be managed. From a high-level view, a standard security risk process for managing ePHI risks includes:

  • Review existing security protocols of PHI
  • Identify threats and vulnerabilities
  • Assess risks for likelihood and impact
  • Mitigate security risks
  • Monitor results

Security is about policies and procedures, and about making sure staff are trained to follow those procedures. Most security breaches are a direct result of human error.


M-CEITA has helped thousands of providers ensure compliance with the Meaningful Use Risk Assessment requirement. We can help you, too.



M-CEITA is facilitated by Altarum Institute. Copyright © 2016 Altarum Institute. All Rights Reserved.