Objective 1: Protect Electronic Health Information
Objective: Protect electronic protected health information (ePHI) created or maintained by Certified EHR Technology (CEHRT, an EHR that conforms to the criteria and standards of the ONC Health IT Certification Program) through the implementation of appropriate technical, administrative, and physical safeguards.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (including encryption) of data created or maintained by CEHRT in accordance with the requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the provider's risk management process.
Reporting: Eligible Professionals (EPs, Medicaid providers who qualify for the Medicaid Promoting Interoperability Program) must attest YES to conducting or reviewing a security risk analysis, implementing security updates as necessary, and correcting identified security deficiencies to meet this measure.
Security Administrators can use Security Settings and Security Administrator Reports as part of a security risk analysis.
Security Settings:
- Configure the length and strength of user passwords.
- Set the number of failed login attempts allowed and, once that number is reached, either impose a waiting period before another login can be attempted or block the user from accessing Sevocity.
- Specify the period of inactivity after which a user is automatically logged out of the system.
Security Administrator Reports:
- Auditable Events Report: displays user activity within Sevocity.
- Failed Login Report: displays a list of failed login attempts by user.
- PHI Export Report: displays a list of PHI exports performed by a user.
- Security Audit Report: displays user activity within a patient chart or encounter.
Clinic Administrators can also use the Chart Access Report and User Access Report to view chart access activity by patient or by user.
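The lockout and inactivity settings above, worked through as an added example (this is illustrative code, not Sevocity's implementation, which the page does not show): a small Python guard enforces a maximum number of failed login attempts followed by either a waiting period or a hard block, expires idle sessions, and records every decision as an event from which a failed-login summary is drawn. The policy field names, event names, user names and timestamps are assumptions constructed for the example.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    """Tunables modelled on the three settings described above (names are assumed)."""
    max_failed_attempts: int = 5                        # failures allowed before action
    waiting_period: timedelta = timedelta(minutes=15)   # used when action == "wait"
    action: str = "wait"                                # "wait" (temporary) or "block" (admin unlock)
    inactivity_timeout: timedelta = timedelta(minutes=10)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: datetime | None = None
    blocked: bool = False
    last_activity: datetime | None = None


class LoginGuard:
    """Applies the policy and records every decision as an auditable event."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}
        self.events: list[tuple[datetime, str, str]] = []   # (time, user, event)

    def _log(self, when: datetime, user: str, event: str) -> None:
        self.events.append((when, user, event))

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.blocked:
            self._log(now, user, "LOGIN_DENIED_BLOCKED")
            return "blocked"
        if st.locked_until is not None and now < st.locked_until:
            # A correct password during the waiting period is still refused.
            self._log(now, user, "LOGIN_DENIED_LOCKED")
            return "locked"
        if password_ok:
            st.failures, st.locked_until, st.last_activity = 0, None, now
            self._log(now, user, "LOGIN_OK")
            return "ok"
        st.failures += 1
        self._log(now, user, "LOGIN_FAILED")
        if st.failures < self.policy.max_failed_attempts:
            return "failed"
        st.failures = 0                       # threshold reached: reset counter, take action
        if self.policy.action == "block":
            st.blocked = True
            self._log(now, user, "ACCOUNT_BLOCKED")
            return "blocked"
        st.locked_until = now + self.policy.waiting_period
        self._log(now, user, "ACCOUNT_LOCKED")
        return "locked"

    def touch(self, user: str, now: datetime) -> bool:
        """Called on each request; returns False and ends the session once the idle timeout is exceeded."""
        st = self.accounts[user]
        if st.last_activity is None:
            return False
        if now - st.last_activity > self.policy.inactivity_timeout:
            st.last_activity = None
            self._log(now, user, "SESSION_TIMEOUT")
            return False
        st.last_activity = now
        return True

    def failed_login_report(self) -> dict[str, int]:
        """Failed attempts per user: the summary a reviewer pulls during a risk analysis."""
        return dict(Counter(u for _, u, e in self.events if e == "LOGIN_FAILED"))


def demo() -> tuple[str, str, str, dict[str, int]]:
    """Constructed scenario: three bad passwords, a correct one during lockout, then after it."""
    t0 = datetime(2020, 6, 1, 9, 0, 0)
    guard = LoginGuard(LockoutPolicy(max_failed_attempts=3, waiting_period=timedelta(minutes=15)))
    for i in range(3):
        guard.attempt("dr.smith", False, t0 + timedelta(seconds=i))
    during = guard.attempt("dr.smith", True, t0 + timedelta(minutes=5))
    after = guard.attempt("dr.smith", True, t0 + timedelta(minutes=16))
    guard.attempt("nurse.lee", False, t0)
    idle = "active" if guard.touch("dr.smith", t0 + timedelta(minutes=40)) else "expired"
    return during, after, idle, guard.failed_login_report()


def demo_block() -> tuple[str, str]:
    """Same threshold with the hard-block option: the account stays out until an admin clears it."""
    t0 = datetime(2020, 6, 1, 9, 0, 0)
    guard = LoginGuard(LockoutPolicy(max_failed_attempts=2, action="block"))
    guard.attempt("dr.smith", False, t0)
    second = guard.attempt("dr.smith", False, t0 + timedelta(seconds=1))
    later = guard.attempt("dr.smith", True, t0 + timedelta(days=1))
    return second, later


if __name__ == "__main__":
    print(demo())
    print(demo_block())
```

Two points the settings text leaves implicit are visible in the run: a correct password entered during the waiting period is refused, not quietly accepted, and the denied attempt is recorded under its own event name rather than inflating the failed-login count, so the report counts only genuine bad-password attempts.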
- A security risk analysis must be conducted at least once each calendar year.
- The security risk analysis may be conducted outside the EHR reporting period, but the analysis must be unique for each reporting period, the scope must include the full EHR reporting period, and it must be conducted within the calendar year of the EHR reporting period.
- An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each EHR reporting period. Any security updates and deficiencies that are identified should be included in the EP’s risk management process and implemented or corrected as dictated by that process.
- At minimum, EPs should be able to show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.
- HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the HIPAA Security Rule: http://www.hhs.gov/hipaa/forprofessionals/security/guidance/guidance-risk-analysis/index.html
- The Office of the National Coordinator for Health Information Technology (ONC) and OCR developed a free Security Risk Assessment (SRA) Tool to assist EPs: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
Return to 2020 Medicaid Promoting Interoperability Objectives