

Kareo Help Center

Objective 1: Protect Patient Health Information


Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of electronic Patient Health Information (ePHI) created or maintained in CEHRT in accordance with requirements under 45 CFR 164.314(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For an Eligible Professional (EP) to successfully attest for Objective 1, they will need to conduct a security review that is in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

A security review should cover all security measures, procedures, and policies that have been put in place to protect patient health information in both physical and electronic formats.

Although Kareo EHR has security features designed to protect ePHI, an EP must conduct a comprehensive security review. CMS provides resources to assist EPs in this process. For more information, visit CMS and Manage Your EHR Account.


An EP must be able to attest “yes” to Objective 1 in order to fulfill the requirements. 

Audit Documentation

We recommend that a copy of your security review be placed in your audit folder and retained for a minimum of 6 years after your attestation. Your audit folder will provide the necessary verification if you are selected for a CMS Incentive Program audit.