NY Medicaid EHR Incentive Program, a CMS Promoting Interoperability Program

Security Risk Analysis (SRA)

Q4 2018

Webinar Agenda

Meaningful Use Objective 1: Protect Patient Health Information
SRA Toolkit
Safety Areas to Consider
Common Considerations and Creating an Action Plan
Q&A Session

The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

Meaningful Use Objective 1: Protect Patient Health Information

NY Medicaid EHR Incentive Program, a CMS Promoting Interoperability Program

Through the NY Medicaid EHR Incentive Program, Eligible Hospitals and Eligible Professionals in New York who adopt, implement, or upgrade to certified EHR technology, and subsequently become meaningful users of the EHR technology, can qualify for financial incentives.

CMS Promoting Interoperability policy priorities

  • Improving quality, safety, efficiency, and reducing health disparities
  • Ensuring adequate privacy and security protection for personal health information
  • Improving population and public health
  • Engaging patients and families in their health
  • Improving care coordination

How does this benefit you?


What is a Security Risk Analysis?

Eligible Professionals (EPs) participating in the NY Medicaid EHR Incentive Program must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic protected health information held by that EP.

What is a Vulnerability?

"It is a flaw or weakness. It can be in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy."

What is a Threat?

"A threat is the potential for a person or thing to accidentally trigger or intentionally exploit a specific vulnerability."

What is a Risk?

"The U.S. Department of Health & Human Services describes risk as a combination of factors or events:

  1. What is the likelihood that a given threat will trigger or exploit a vulnerability?
  2. What is the resulting impact on the provider or organization?"

The SRA MUST be completed:

  • Within the EHR reporting period calendar year
  • Prior to the Attestation Date

Security Areas to Consider

Security Areas
  • Administrative
  • Technical
  • Physical

Additional Considerations

  • Policies & Procedures = written documentation
  • Organizational Requirements = agreements with business associates and vendors

Common Considerations and Creating an Action Plan

Common Considerations

  • Define the scope
  • Identify potential threats and vulnerabilities
  • Assess the effectiveness of implemented security
  • Determine the likelihood of particular threats
  • Determine and assign risk levels
  • Prioritize remediation or mitigation
  • Document your risk analysis
  • Review and update your risk analysis

Create an Action Plan

Program Integrity

Providers must retain all attestation supporting documentation for no less than six years after each payment year.


  • Any reports that support the conclusion that you have met the objectives or exclusions.
  • A record to support the numerator and denominator values for the attested measures.

Additional documentation may be requested, as needed, during the review process. For post-payment audit guidance, contact hitech@omig.ny.gov.


Office of the National Coordinator (ONC) website

Certified EHR Technology (CEHRT) Requirements

  • Modified Stage 2
    • 2014 Edition CEHRT
    • 2015 Edition CEHRT
    • Combination of 2014 and 2015 CEHRT
  • Stage 3
    • Immunization Reporting:
      • 2015 Edition CEHRT
    • All Other Measures:
      • 2015 Edition CEHRT
      • Combination of 2014 and 2015 CEHRT

Effective 2019, all providers must use 2015 Edition CEHRT.
Visit https://chpl.healthit.gov/ to obtain the CEHRT ID.

Before you submit your Attestation!

Please make sure this information is up to date:
  • CMS Registration: phone & email contacts
  • Medicaid fee-for-service enrollment
  • Payee affiliation

Regional Extension Centers

New York City: NYC Regional Electronic Adoption Center for Health (NYC REACH)

Website: www.nycreach.org
Email: pcip@health.nyc.gov
Phone: 347–396–4888

Outside of New York City: New York eHealth Collaborative (NYeC)

Website: www.nyehealth.org
Email: hapsinfo@nyehealth.org
Phone: 646–619–6400

NY Medicaid EHR Incentive Program Support Teams
Phone: 1–877–646–5410

Option 1: ePACES, ETIN, MEIPASS Technical Issues, Enrollment
Email: meipasshelp@csra.com

Option 2: Calculations, Eligibility, Attestation Support and Review, Attestation Status Updates, General Program Questions
Email: hit@health.ny.gov

Option 3: Public Health Reporting Objective Guidance, MURPH Registration Support, Registry Reporting Status
Email: MUPublicHealthHelp@health.ny.gov

Website: http://health.ny.gov/ehr
Survey: https://www.surveymonkey.com/r/ny_ehr

Program Satisfaction Survey
