Objective 1: Protect Patient Information
(Health IT Security Risk Assessment Tool) (Modified Stage 2)

The Protect Patient Information or Protect Electronic Protected Health Information (ePHI) objective requires eligible providers to perform a security risk analysis based on the following requirements:

Measure: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Security Risk Analysis includes:

  • Physical inspection report
  • List of security deficiencies and how they were mitigated
  • Standards followed when conducting security risk analysis
  • How is encryption/security of data at rest addressed? (Stage 2)

Modified Stage 2 vs Stage 3

| Objective Measures | Modified Stage 2 | Stage 3 |
|---|---|---|
| Objective 1: Protect Patient Information | Perform Security Risk Analysis | No change |


Eligible Professional Medicaid EHR Incentive Program Modified Stage 2 Objectives and Measures for 2017: Objective 1 of 10

Security Risk Analysis Tip Sheet: Protect Patient Health Information