Measure 15 Protect Electronic Health Information
15 of 15 Core
Protect Electronic Health Information
|
|
Objective
|
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
|
Measure
|
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
|
Exclusion
|
No exclusion.
|
Definition of Terms
Appropriate Technical Capabilities - A technical capability would be appropriate if it protected the electronic health information created or maintained by the certified EHR technology. All of these capabilities could be part of the certified EHR technology or outside systems and programs support the privacy and security of certified EHR technology.
Attestation Requirements
YES / NO
Eligible professionals (EPs) must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.
Additional Information
• EP's must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur for each subsequent reporting period.
-
A security update would be required if any security deficiencies were identified during the risk analysis. A security update could be updated software for certified EHR technbolgy to be implemented as soon as available, changes in workflow processes or storage methods, or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies in the risk anlaysis.