CMS Tip Sheet Provides Overview of Security Risk Analysis Requirement

CMS released a tip sheet entitled “Security Risk Analysis Tipsheet: Protecting Patients’ Health Information,” which outlines the important points eligible professionals should consider to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule. The HIPAA security rule is included in the meaningful use requirements of the Medicare and Medicaid electronic health records (EHR) Incentive Programs. The tip sheet details the common steps providers usually take in order to guarantee compliance, provides examples of potential security measures for particular areas of security concern, and discredits myths regarding the security risk analysis. However, as CMS notes, the tip sheet is meant to provide an overview of the risk analysis process; it is not meant to be a comprehensive how-to guide regarding compliance with the rule.

Security Risk Analysis Requirement

To receive payments under the Medicare and Medicaid EHR Incentive Programs, a provider must demonstrate meaningful use of its EHR over a period of time that is divided into several stages. In Stage 1, among other requirements, the provider must conduct a security risk analysis in accordance with the HIPAA requirements and correct any identified shortfalls. Stage 2 requires the same risk analysis as well as the encryption or increased security of data. Specifically, the security risk analysis requirement mandates “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” and calls for the “implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Common Steps

Although CMS emphasizes that there is no single proper and exact way to ensure compliance with the security rule, it does identify some common practices for protecting electronic protected health information (e-PHI). First, the tip sheet suggests that providers compare their existing security infrastructure with the legal requirements and industry best practices. Then, providers are encouraged to identify any potential threats to privacy and security, to assess the impact of those threats on the confidentiality, integrity, and availability of the provider’s e-PHI, and to prioritize the risks based on the severity of their impact. Finally, CMS recommends creating a plan of action to sufficiently safeguard the e-PHI and reviewing the plan once implemented to correct any deficiencies.

Safeguards and Processes

In light of the security rule’s requirement to reduce risk to a reasonable and appropriate level with appropriate security measures, CMS provides examples of recognized security problem areas and potential safeguards in those areas. In terms of physical safeguards, for example, CMS proposes installing alarm systems to protect the places where a provider’s data is stored. CMS recommends staff training and monthly reviews as measures to ensure administrative security. CMS also suggests data encryption and secure passwords to protect access to the EHR, written protocols to ensure HIPAA compliance, and plans for identifying and managing e-PHI access by vendors through the use of business associate agreements.

Myths

To further emphasize the importance of a provider creating a plan to safeguard its EHR in accordance with its own specific risks, several of the myths addressed by CMS relate to the misconception that there is one right way to conduct a proper risk analysis. To the contrary, CMS points out the following: (1) there is no specific risk analysis method a provider must follow; (2) a checklist will not suffice to fulfill the risk analysis requirement; and (3) a full security risk analysis must be performed even with a certified EHR. The CMS tip sheet also debunks the myths that small providers are exempt from security rule compliance, that a risk analysis need only be conducted once, and that the security rule requires the outsourcing of the risk analysis.