Objective 1: Protect Patient Health Information
Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT Certified EHR Technology, an EHR that conforms to the ONC's Health IT Certification Program criteria and standards in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider’s risk management process. | |
Reporting | EPs Eligible Professional: a Medicaid provider who qualifies for the Medicaid Promoting Interoperability Program must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies to meet this measure. |
Security Administrators can use Security Settings and reports as part of a security risk analysis:
Go to Tools > Security Administration > Security Settings to:
- Configure the length and strength of user passwords
- Set the number of failed log in attempts that can be performed and impose a waiting period before a log in can be attempted again or block a user from accessing Sevocity.
- Specify the amount of time after which a user will be automatically logged out of the system due to no activity.
Go to Reports > Open Reporting Tool to access the following reports:
Auditable Events Report: displays user activity within Sevocity
Failed Login Report: displays a list of failed log in attempts by a user
PHI Export Report: displays a list of PHI exports performed by a user
Security Audit Report: displays user activity within a patient chart or encounter
Clinic Administrators can also use the Chart Access Report and User Access Report to view chart access activity by user or patient.
- A security risk analysis must be conducted at least once each calendar year.
- The security risk analysis may be conducted outside the reporting period, but the analysis must be unique for each reporting period.
- Additional guidance on conducting a security risk analysis in accordance with the HIPAA Security Rule can be located here: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
Return to 2018 Medicaid Promoting Interoperability Objectives
Didn't find the answer you were looking for?
Contact Sevocity Support 24/7 at 877‑777‑2298 or support@sevocity.com