Security Risk Analysis
Although CMS removed Security Risk Analysis as a Promoting Interoperability measure, MIPS-eligible clinicians are still required to attest to performing a security risk analysis during the performance year. We’re providing you with information about this pseudomeasure because it’s frequently the subject of MIPS audits.
Eyefinity EHR 7.0 and later is 2015-edition "Cures Update" compliant as certified by an ONC-ACB and, therefore, contains the following features to protect your electronic health information. You may use some or all of these features as part of your comprehensive security plan.
Enabling Emergency Access in Eyefinity EHR
Eyefinity EHR contains a number of features to protect your electronic health information. You may use some or all of these features as part of your comprehensive security plan.
By default, passwords, auditing, encryption, and backup are enabled in Eyefinity EHR.
To grant individual users emergency access to view patient records, perform the following steps:
- Log in to Eyefinity EHR on the web as an administrator.
- In the Practice Accounts section, click Create New Account to create a new user, or click a user’s name to edit an existing user.
- Select Yes from the Allow Emergency Access radio buttons.
- Click Save.
When a user invokes emergency access, the access is recorded on the Audit Event Logs page.
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR §164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by a certified EHR in accordance with requirements in 45 CFR §164.312(a)(2)(iv) and 45 CFR §164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS-eligible clinician’s risk management process.
Attesting yes to this measure is required to achieve a Promoting Interoperability score, but the measure itself does not contribute points to the PI score.
To meet this measure, eligible clinicians must attest yes to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
The following are suggested roles for completing this measure:
- Doctor
- Office Manager
- Technician
- Front Desk
Due to the scope of the measure, this audit advice is divided into sections.
Security Risk Analysis
Document and date your security risk analysis each year.
You cannot fulfill this measure simply by turning a security feature on or off. Your practice must conduct, at least once per year, a comprehensive security risk analysis in accordance with the requirements under HIPAA (45 CFR §164.308(a)(1)) and correct identified security deficiencies.
Eyefinity EHR and ExamWRITER include features, which you may choose to enable as part of your overall security plan, but you cannot stop there. Questions you would need to answer as part of a security audit include, but are not limited to:
- Does the practice have antivirus or antimalware software installed, enabled, and current on every computer and server? Are operating system security patches up-to-date and installed on every workstation and the server?
- Is the practice’s network protected by a firewall? How often are the settings verified?
- Are mobile phones, tablets, laptops, desktops, and other devices used to access and transmit PHI password protected and encrypted?
- How is PHI removed from mobile phones, tablets, laptops, desktops, and other devices—including printers and fax machines—before disposition?
- Where is PHI collected, stored, maintained, and transmitted? What are the potential security threats and how likely are those threats?
- Does the practice have business associate contracts with all vendors that outline who is responsible and how PHI is protected?
- Is everyone in the practice trained in HIPAA? How is that education kept current?
- Does the practice have written, up-to-date policies and procedures in place regarding protecting PHI?
- How is the practice prepared to protect and restore PHI in case of natural or man-made disaster?
- How are off-site backups protected?
HIPAA rules do not allow us, or you, to distill the security risk analysis down to a simple checklist; however, HHS provides a Security Risk Assessment Tool (it requires a Windows PC) to help structure the analysis.
Security needs vary drastically from practice to practice. Refer to the ONC Guide to Privacy and Security of Health Information for further guidance.
Encryption
Although encryption is not strictly required by 45 CFR §164.312(a)(2)(iv), encryption is enabled by default in Eyefinity EHR and ExamWRITER. You may decrypt your ExamWRITER database, provided you meet all of the following criteria:
- During your security risk analysis, you determine that encryption is not a reasonable and appropriate safeguard of the confidentiality, integrity, and availability of PHI;
- You document your security risk determination; and
- You implement an equivalent alternative measure that is reasonable and appropriate.
If you maintain PHI in other systems, you must also check the encryption settings in those systems.