Medicaid Promoting Interoperability - Stage 3
|Objective:||Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of data created or maintained by Certified Electronic Health Records Technology (CEHRT) in accordance with requirements under 45 CFR 164.314(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.|
|Measure 1:||A security review should cover all security measures, procedures, and policies that have been put in place to protect patient health information in both physical and electronic format.|
|Attestation:||An EP must be able to attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies to meet this measure.
Although Kareo EHR has security features designed to protect ePHI, an EP must conduct a comprehensive security review. CMS provides resources to assist EPs in this process. For more information, visit CMS and Manage Your EHR Account.|
|Audit Documentation:||A security risk assessment is one of the first documents an auditor will ask a provider to submit as part of the supporting documentation requested. Ensure that both a printed and an electronic version of the SRA have been securely saved for a minimum of 6 years after your attestation. Your audit folder should provide necessary verification if you are selected for a CMS Incentive Program audit.|
|Guidance:||Providers have options to complete a Security Risk Analysis, including:|