Protect Patient Health Information

Protect electronic health information created or maintained by the CEHRT through the implementation of appropriate technical capabilities.

Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP, eligible hospital, or CAH's risk management process.

We further specify that in order to meet this objective and measure, an EP, eligible hospital, or CAH must use the capabilities and standards of as defined for as defined CEHRT at § 495.4.


Exclusion: Providers may claim an exclusion for the second measure if for an EHR reporting period in 2015 they were scheduled to demonstrate Stage 1, which does not have an equivalent measure.