This article is part of a series describing each objective that must be met to satisfy the 2019 Medicaid Promoting Interoperability requirements. You can access the other objectives by clicking the corresponding links below.
- Objective 1: Protect Patient Health Information (this article)
- Objective 2: Electronic Prescribing
- Objective 3: Clinical Decision Support
- Objective 4: Computerized Provider Order Entry
- Objective 5: Patient Electronic Access To Health Information
- Objective 6: Coordination Of Care Through Patient Engagement
- Objective 7: Health Information Exchange
- Objective 8: Public Health And Clinical Data Registry Reporting
Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider's risk management process.
We are adopting Objective 1: Protect Patient Health Information at § 495.24(d)(1)(i) for EPs and § 495.24(d)(1)(ii) for eligible hospitals and CAHs. We further specify that in order to meet this objective and measures, an EP, eligible hospital, or CAH must use the capabilities and standards of CEHRT as defined at § 495.4. We direct readers to section II.B.3 of this final rule with comment period for a discussion of the definition of CEHRT and a table referencing the capabilities and standards that must be used for each measure.
This objective is met by having a security risk analysis performed. This is usually done with a third party.