Privacy and Security

Dear Provider,

As part of your overall Meaningful Use (MU) education of the HITREC Project's Stage 3 we are providing you with a copy of the Meaningful Use Core and Menu Set Criteria. The information contained in the MU-EP SCC-AmbulatoryOnlyGrid document is adopted from the website, and offers the eligible provider (EP) guidelines for the Certification Criteria and Standards for the achievement of MU. 

In order to assist you with the attainment of the Objective 15 from the Meaningful Use Core Set of Stage 1 - Protect health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities, and its measure - conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management, the following Risk Assessment Tool Kit has been adopted from the ONC HITRC Collaboration CoP - Privacy and Security:

a. HIT Security Risk Assessment Questionnaire. This questionnaire is a four-step process that helps the practice identify its level of security risk, with remediation guidelines.

b. Privacy and Security Checklist with Guidance. This checklist provides guidance for most of the requirements.

c. CYBERSECURITY: The protection of data systems in networks that connect to the internet, 10 Best Practices for the Small Healthcare Environment. This document provides basic cybersecurity guidelines and a checklist to protect the confidentiality, integrity and availability of the electronic health record system. Some of these guidelines may need to be modified or reviewed for applicability at each practice.

d. Information Security Policies - Template. This document provides a starting point of information security policies for the practices to adopt and implement in accordance with the requirements proposed by the HITECH Act.

e. Information Security Policies - Template Instructions. This document provides instructions on how to use the Information Security Policies Template.

f. Sample Business Associate Agreement Provisions. This document includes sample business associate agreement provisions to help covered entities and business associates more easily comply with the business associate contract requirements.

The above-mentioned Risk Assessment Tool Kit has been provided to the PSM HITREC by ONC for the purpose of identifying risk to electronic personal health information (ePHI) and identifying steps to take to mitigate those identified risks. Some of the tools are pre-populated with risks typically identified in an organization similar to yours. Completion of this tool kit, in and of itself, does not guarantee that an organization will meet the measure of success for the privacy and security objective required for Meaningful Use. It does, however, provide a foundation for meeting the measure of success and starting a Risk Analysis and Risk Management program as required pursuant to the HIPAA Security Rule.

ONC also has more information regarding privacy and security at

We hope you find this information useful and that it assists you in preparing your practice for the attainment of Meaningful Use. 


Copyright © 2011 PSM-HITREC. All Rights Reserved. Funded by: USHHS, Office of the National Coordinator for Health Information Technology (ONC).