Objective 1: Protect Patient Information

The Protect Patient Information or Protect Electronic Protected Health Information (ePHI) objective requires eligible providers to perform a security risk analysis based on the following requirements:

Measure: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Security Risk Analysis includes:

  • Physical inspection report
  • List of security deficiencies and how they were mitigated
  • Standards followed when conducting security risk analysis
  • How is encryption/security of data at rest addressed?

For 2020: Complete an updated SRA AND upload the SRA to your attestation documents in eMIPP.

For 2021: Complete and upload SRA to attestation documents for 2021 by 12/31/2021 (can be uploaded under Track tab in eMIPP if it is after attestation is submitted).


Security Risk Assessment Tool

Security Risk Analysis Tip Sheet: Protect Patient Health Information

2020 and 2021 Protect Patient Health Information (Objective 1 of 8)