Security Risk Analysis Compliance Form
SECURITY RISK ANALYSIS COMPLIANCE FORM
This form is intended to be used by a Provider [an Eligible Professional (EP) or Eligible Hospital (EH)] as documentation in support
of the Meaningful Use (MU) Measure for “Protect Patient Health Information”. Protecting “Patient Health Information (PHI)”
includes conducting and/or reviewing a “risk analysis” of the Provider’s or organization’s activities, policies and procedures for
handling and maintaining the security of PHI. All responses included in this form are subject to verification during an on-site post-
payment audit and any responses found to be inaccurate, unsupportable or false may result in a failure of the MU measure and
recoupment of the incentive payment. (This form may be completed by an authorized staff person on behalf of the Provider.)
1. Provider Information
Provider’s Name & Professional Title:__________________________________________________ NPI:___________________
If EP, Name of Practice or Organization:
_________________________________________________________________________________ NPI:___________________
2. My Organization
a) Type
___ FQHC/RHC
___ Group Practice
___ Individual or Shared Office
___ Outpatient Clinic
___ Hospital
b) Size (number of staff including Professional, Technical, Clerical & other support, FT, PT & volunteers)
___ 5 or less
___ 6 - 10
___ 11 – 25
___ 26 – 50
___ 51 – 100
___ 100+
3. Written Policies and Procedures
a) My organization has at least one formal written policy on the handling and security of PHI. ____Yes ___No
b) We have the following written policies and procedures (check all that apply):
___ HIPAA Compliance
___ IT Security
___ Maintaining and Protecting PHI
___ Business Associate’s Agreement (BAA)
___ Other (describe):____________________________________________________________________
c) We have required staff training on security and protecting PHI on at least an annual basis. ___Yes ___No
If “Yes”, then (check all that apply):
(i) ____ Training is conducted on a group/seminar basis
(ii) ____ Individual, self-study basis
(iii) ____ Other (explain): _______________________________________________________________________________
4. CEHRT
a) Date my organization’s CEHRT was installed*:_____________________ (mm/yyyy)
b) Date of the most recent upgrade of my organization’s CEHRT: ___________________ (mm/yyyy)
*If you have not changed your CEHRT product/vendor since your very first EHR Incentive Program attestation, this will be the original implementation
date. If you changed product/vendor since your very first attestation, indicate the implementation date of the current CEHRT.
5. Risk Analysis
(Defined as: Phase I - auditing, reviewing and/or evaluating the organization’s written and informal practices, policies and procedures
regarding the handling, maintenance and protection of PHI, and Phase II – making a critical evaluation of the results of Phase I, and taking
any appropriate actions to mitigate or address any deficiencies noted in Phase-I including making appropriate changes or improvements in
the organization’s existing formal/written practices, policies and procedures.)
a) Risk Analyses for my organization, whether Phase-I and/or Phase-II, are conducted by (check all that apply):
_____ Staff within the organization*
_____ Contractors
_____ Other (describe):__________________________________________________________
b) When was the last Phase-I Risk Analysis conducted for your organization? __________________ (mm/yyyy)
c) What period did the Phase-I Risk Analysis cover?
Review Period Begin Date:______________________ Review Period End Date:______________________
d) When was the last Phase-II Risk Analysis conducted for your organization? __________________ (mm/yyyy)
e) _____ No formal risk analysis (such as a formal written report) was conducted during the Program Year.
If you checked this item, please state reason:_________________________________________________
(an example of an acceptable reason may include “small office [<5] and risk analysis matters addressed during mandatory all-staff meetings with notes/minutes taken”)
_____________________________________________________________________________________________________
*This may include staff within the Provider’s immediate office. If the organization has different divisions, sections, offices, etc., or dedicated staff for
internal audits or compliance reviews, and staff from such areas of the organization perform the risk analyses, they should be viewed as “staff within
the organization”.
This form is being submitted in support of the attestation of the above named Provider for Program Year ______________.
If applicable, initial here: _______ “I am authorized to complete and sign this form on the Provider’s behalf”.
Printed Name & Title: ______________________________________________________________________
Signature: ________________________________________________________
Date:_____________________
Rev 06/30/16