Base Measure: Security Risk Analysis
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT Certified EHR Technology, an EHR that conforms to the ONC's Health IT Certification Program criteria and standards in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider’s risk management process.
|
|
| Reporting | To meet this measure, the MIPS EC Eligible Clinician: a Medicare provider who qualifies for MIPS participation must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies. |
Security Administrators can use Security Settings and reports as part of a security risk analysis:
Security Settings
Go to Tools > Security Administration > Security Settings to:
- Configure the length and strength of user passwords
- Set the number of failed log in attempts that can be performed and impose a waiting period before a log in can be attempted again or block a user from accessing Sevocity.
- Specify the amount of time after which a user will be automatically logged out of the system due to no activity.
Reports
Go to Reports > Open Reporting Tool to access the following reports:
Auditable Events Report: displays user activity within Sevocity
Failed Login Report: displays a list of failed log in attempts by a user
PHI Export Report: displays a list of PHI exports performed by a user
Security Audit Report: displays user activity within a patient chart or encounter
Note
Clinic Administrators can also use the Chart Access Report and User Access Report to view chart access activity by user or patient..
Additional Information
- A security risk analysis must be conducted at least once each calendar year.
- The security risk analysis may be conducted outside the MIPS performance period, but the analysis must be unique for each MIPS performance period.
- Additional guidance on conducting a security risk analysis in accordance with the HIPAA Security Rule can be located here: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
Return to 2018 MIPS Promoting Interoperability Measures
Didn't find the answer you were looking for?
Contact Sevocity Support 24/7 at 877‑777‑2298 or support@sevocity.com