Requirements & Regulations

M-CEITA’s Security Risk Analysis frequently serves health care organizations seeking to satisfy the following major federal requirements:

Quality Payment Program (MACRA/MIPS) Promoting Interoperability/Advancing Care Information measure

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician's risk management process.”

Eligible Clinicians must meet this requirement in order to receive the 50% base score and be able to receive a score in the Promoting Interoperability/Advancing Care Information category.

EHR Incentive Program (Promoting Interoperability/Meaningful Use) measure

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP, eligible hospital, or CAH’s risk management process.”

Eligible Professionals must meet the SRA requirement to attest to Promoting Interoperability/Meaningful Use (PI/MU) for a given year. The SRA must occur during the year for which they are attesting and prior to attestation.

HIPAA Security Rule (45 CFR § 164.300–316)

(The following regulations are referenced in the MIPS and PI/MU requirements. The full text of the HIPAA Security Rule, including all requirements and specifications, is published in 45 CFR Part 164.)

§164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

§164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.

§164.306(d)(3): When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes addressable implementation specifications, a covered entity or business associate must -

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and

(ii) As applicable to the covered entity or business associate -

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate -

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

All covered entities are required to meet these specifications, and others, under the HIPAA Security Rule.

Other Regulations or Requirements

Your state or jurisdiction may enforce additional regulations regarding patient privacy and security beyond those of HIPAA or other federal regulations. Make sure you are aware of all laws and requirements affecting the privacy and security practices of your organization.

Contact M-CEITA today to learn more about how we can help your practice meet the requirements of HIPAA, MIPS, and Promoting Interoperability/Meaningful Use.
