Previously known as meaningful use, Promoting Interoperability is the current program from the Centers for Medicare & Medicaid Services (CMS) designed to emphasize interoperability to enable the exchange of health information between providers and patients, and to incentivize providers to make it easier for patients to obtain their medical records electronically.

According to CMS, eligible hospitals and critical access hospitals must successfully attest for Promoting Interoperability to avoid a downward Medicare payment adjustment.

To successfully attest for the security portion, providers must do the following on an annual basis:

  • Conduct a security risk analysis (SRA), or review a previous SRA, of certified electronic health record technology (CEHRT) within the calendar year of the electronic health record (EHR) reporting period (January 1-December 31). The SRA must evaluate the potential risks and vulnerabilities to the confidentiality, availability and integrity of all ePHI that an organization creates, receives, maintains or transmits. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media or portable electronic media.
  • Implement updates as necessary at least once each calendar year and attest to conducting the analysis or review.
  • Conduct an SRA upon installation or upgrade to a new EHR system and include any security updates and deficiencies that are identified.
  • At a minimum, show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.

7 Steps to Attest for the Security Portion of Promoting Interoperability

Attesting for the Promoting Interoperability program may seem overwhelming, but it doesn’t need to be. Our expert team of healthcare compliance consultants is here to help – we specialize in conducting security risk assessments and documenting ePHI controls!

To help you prepare for Promoting Interoperability attestation, we will take you through 7 critical steps:

  1. Examine your policies and procedures around security.
  2. Examine your organization’s administrative, physical and technical controls.
  3. Review your EHR system’s security controls and technical safeguards.
  4. Perform an ePHI vulnerability assessment, including an inventory of locations, documentation of controls and security gaps.
  5. Provide you with access to our secure portal to store all required documentation for the SRA.
  6. Recommend how to address gaps and risks to be mitigated.
  7. Compile all assessment information and recommendations in a report that can be used to attest for the security portion of Promoting Interoperability.

All 7 steps will qualify as your organization’s SRA for Promoting Interoperability. And, bonus! This same SRA will also fulfill the requirements for HIPAA and the NIST Cybersecurity Framework. In addition to conducting the security risk audit, consider performing a mock audit to ensure your organization is fully prepared.

Ready to get started with your security risk assessment for Promoting Interoperability?

For more on and Promoting Interoperability, check out this article on meaningful use published in Compliance Today.