HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



Meaningful use Stage 2 calls for security risk analysis

Email This Post Print This Post

Yet another reason to conduct a security risk analysis and consider encrypting your health information—meaningful use Stage 2 requirements tell you to.

CMS in its final rule governing qualifications for incentives during the second stage of the meaningful use of EHRs program calls for entities to “conduct or review a security risk analysis” in accordance with requirements under the HIPAA Security Rule.

Specifically, the final rule points to the HIPAA Security Rule subpart:

  • 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in certified EHR technology (CEHRT) in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3)

Further, entities qualifying for incentives in Stage 2 must implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process, according to the final rule.

CMS made a change in the final rule to the language of “data at rest” to specify its intention of data that is stored in CEHRT.

“Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis,” CMS wrote in the final rule. “We agree that this is an area of security that appears to need specific focus.”

CMS reported that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured, CMS added.

“It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure,” according to the final rule. “We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information (ePHI) as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

Categories : EHRs, Meaningful use

Leave a Reply