Objective 1: Protect Patient Health Information
Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT (Certified EHR Technology, an EHR that conforms to the ONC's Health IT Certification Program criteria and standards) in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider’s risk management process.
Reporting: EPs (Eligible Professionals: Medicaid providers who qualify for the Medicaid Promoting Interoperability Program) must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies to meet this measure.
Security Administrators can use Security Settings and Security Administrator Reports as part of a security risk analysis.
- Configure the length and strength of user passwords.
- Set the number of failed login attempts allowed, and either impose a waiting period before another login can be attempted or block the user from accessing Sevocity.
- Specify the amount of time after which a user will be automatically logged out of the system due to no activity.
Auditable Events Report: displays user activity within Sevocity
Failed Login Report: displays a list of failed login attempts by a user
PHI Export Report: displays a list of PHI exports performed by a user
Security Audit Report: displays user activity within a patient chart or encounter
Clinic Administrators can also use the Chart Access Report and User Access Report to view chart access activity by patient or user.
- A security risk analysis must be conducted at least once each calendar year.
- The security risk analysis may be conducted outside the EHR reporting period, but the analysis must be unique for each reporting period, the scope must include the full EHR reporting period, and it must be conducted within the calendar year of the EHR reporting period.
- Additional guidance on conducting a security risk analysis in accordance with the HIPAA Security Rule can be located here: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html