The javascript used on this site for creative design effects is not supported by your browser. Please note that this will not affect access to the content on this web site.
Skip Navigation
H H S Department of Health and Human Services
U.S. Department of Health and Human Services
Health Information Technology

A-Z Index  |  Questions? 

  • Print this
  • Email this

How Do I Comply with Meaningful Use Requirements?

Your EHR or EHR components must meet ONC’s standards and implementation specifications, at a minimum, to be certified to support the achievement of meaningful use Stage 1 by eligible health care providers under the EHR Incentive Program regulations.  Along with many other criteria, ONC requires that an EHR meet nine security criteria to be certified.  An up-to-date list of certified EHR systems and components  is posted on ONC’s website.   

To receive the incentive payments, you must also demonstrate that you have met the criteria for the EHR Incentive Program’s privacy and security objective.  This objective, “ensure adequate privacy and security protections for personal heath information,” is the fifth and final health policy priority of the EHR Incentive Program.  The measure for Stage 1 aligns with HIPAA’s administrative safeguard to conduct a security risk assessment and correct any identified deficiencies.  In fact, the EHR Incentive Program’s only privacy and security measure for Stage 1 is to:

Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.  

The EHR Incentive Program and the HIPAA Security Rule do not mandate how the risk analysis and updates should be done.  Instead, this is left up to the provider or organization.  There are numerous methods for performing risk analysis and risk management.  Below are commonly recommended steps for performing these tasks:  

  1. Identify the scope of the analysis
  2. Gather data
  3. Identify and document potential threats and vulnerabilities
  4. Assess current security measures
  5. Determine the likelihood of threat occurrence
  6. Determine the potential impact of threat occurrence
  7. Determine in the level of risk
  8. Identify security measure and finalize documentation
  9. Develop and implement a risk management plan
  10. Implement security measures
  11. Evaluate and maintain security measures

The risk analysis and risk management process must be conducted at least once prior to the beginning of the EHR reporting period.  You will need to attest to CMS or your State that you have conducted this analysis and have taken any corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.  Your local REC can be a resource in identifying the tools and performing the required risk analysis and mitigation.  

Related Resources:

Basics of Risk Analysis and Risk Management – CMS’ HIPAA Security Series document explains the requirements for risk analysis and risk management, the thought process behind those requirements, and possible ways to address these provisions.

Guidance on Risk Analysis Under the HIPAA Security Rule – This Office for Civil Rights (OCR) guidance document clarifies the expectations of HHS for organizations working to meet the HIPAA requirements for risk analysis.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.  More>
Stay Informed