When OCR settled with a major health system in 2017 for $2.5 million after a breach involving an unencrypted laptop containing protected health information from its EHR system, the investigation revealed something critical: the organization had attested to meaningful use electronic health records requirements — including security measures — without actually completing the risk analysis those requirements demand. The overlap between the Medicare and Medicaid EHR Incentive Programs (now the Promoting Interoperability Programs) and HIPAA has been a source of confusion, and liability, for covered entities since the programs launched.
Where Meaningful Use Electronic Health Records Requirements Meet HIPAA
The meaningful use program, established under the HITECH Act of 2009, was designed to accelerate the adoption of certified electronic health records technology among eligible professionals and hospitals. But HITECH didn't exist in a vacuum. It was the same statute that strengthened HIPAA enforcement, expanded breach notification obligations, and extended direct liability to business associates.
At the core of the meaningful use requirements sits a mandate that every eligible provider conduct — or review — a security risk analysis as specified under 45 CFR § 164.308(a)(1). This isn't a suggestion. It's a core measure that has persisted through every stage of the program, from Stage 1 through the current Promoting Interoperability framework.
Healthcare organizations consistently struggle with the fact that this single requirement serves two masters. Fail to complete a thorough risk analysis, and you're out of compliance with both the HIPAA Security Rule and meaningful use attestation requirements. CMS has recouped millions in incentive payments from providers who attested without completing this step.
The Risk Analysis Requirement Most Providers Get Wrong
In my work with covered entities, I've seen risk analyses that amount to a one-page checklist completed by a non-technical office manager. That doesn't meet the standard. The HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) held by your organization.
When your EHR system stores, transmits, and processes PHI across multiple endpoints — patient portals, mobile devices, interfaces with labs, pharmacies, and business associates — the scope of that risk analysis is substantial. A checklist won't cut it.
OCR's guidance on risk analysis specifically states the assessment must be organization-wide, not limited to the EHR itself. Every system that touches ePHI, every workstation, every mobile device used by your workforce, and every connection to a business associate must be evaluated.
What a Compliant Risk Analysis Looks Like
- Identify every location where ePHI is created, received, maintained, or transmitted — including within your certified EHR technology.
- Identify and document reasonably anticipated threats and vulnerabilities to each system.
- Assess current security measures and their effectiveness.
- Determine the likelihood and impact of potential risks.
- Assign risk levels and document remediation plans with timelines.
- Review and update the analysis regularly — at minimum annually, and whenever significant changes occur.
If your organization attested to meaningful use electronic health records objectives without completing each of these steps, you may be exposed on two fronts: CMS recoupment and OCR enforcement.
HIPAA Privacy Rule Obligations That Intersect With EHR Use
Meaningful use didn't just trigger Security Rule concerns. The adoption of electronic health records created new Privacy Rule pressure points that many organizations still underestimate.
Under 45 CFR § 164.524, patients have the right to access their PHI in electronic form when it is maintained electronically. The meaningful use program reinforced this by requiring providers to give patients the ability to view, download, and transmit their health information. OCR has pursued enforcement actions against providers who failed to honor timely access requests — resulting in penalties ranging from $65,000 to over $200,000 under the Right of Access Initiative launched in 2019.
Your Notice of Privacy Practices must accurately reflect how your organization uses and discloses PHI through its EHR systems. If you've added a patient portal, enabled health information exchange, or integrated with third-party applications, your Notice should address those data flows.
The minimum necessary standard also applies. Just because your EHR gives a workforce member access to a patient's full record doesn't mean your policies should allow it. Role-based access controls aligned with job functions remain both a Privacy Rule requirement (the minimum necessary standard at 45 CFR § 164.502(b)) and a Security Rule requirement (the access control standard at 45 CFR § 164.312(a)(1)).
Business Associate Obligations in the EHR Ecosystem
Your EHR vendor is a business associate. So is your health information exchange partner, your cloud hosting provider, and potentially any app that connects to your system through an API. Under the HIPAA Omnibus Rule of 2013, each of these entities must have a signed business associate agreement in place, and each bears direct liability for HIPAA violations.
Meaningful use accelerated the proliferation of these relationships. Organizations that rapidly adopted certified EHR technology often onboarded vendors and integrations without fully vetting their HIPAA compliance posture. If your organization hasn't reviewed its business associate agreements since initial EHR implementation, you're overdue.
Workforce Training: The Control That Ties It All Together
Under 45 CFR § 164.530(b), covered entities must train every member of the workforce on HIPAA policies and procedures relevant to their job functions. When your organization implements or upgrades an electronic health records system, that constitutes a material change requiring additional training.
This isn't a one-and-done orientation module. Your workforce needs to understand how to handle PHI within the EHR, how to recognize phishing attacks that target EHR credentials, and what to do if they suspect a breach. OCR enforcement actions repeatedly cite inadequate workforce training as a contributing factor.
Investing in comprehensive HIPAA training and certification ensures your team understands both the regulatory requirements and the practical risks associated with EHR use. A well-trained workforce is your most effective safeguard against HIPAA violations — and against the audit exposure that comes with meaningful use attestation.
Practical Steps to Align Your EHR Program With HIPAA
- Complete and document a thorough, organization-wide risk analysis — don't treat it as a meaningful use checkbox.
- Review and update your Notice of Privacy Practices to reflect current EHR capabilities, including patient portal access.
- Audit role-based access controls within your EHR to enforce the minimum necessary standard.
- Inventory all business associate relationships connected to your EHR ecosystem and verify current BAAs are in place.
- Implement ongoing workforce training that addresses EHR-specific risks, not just general HIPAA awareness.
- Retain documentation of all compliance activities for at least six years, as required under 45 CFR § 164.530(j).
The intersection of meaningful use electronic health records adoption and HIPAA compliance is where many organizations accumulate undetected risk. The programs were designed to work together, but only if your organization treats compliance as an integrated discipline rather than separate checkboxes.
If your team needs a structured approach to meeting these requirements, HIPAA Certify's workforce compliance platform provides the training, documentation, and accountability framework that covered entities need to close gaps before OCR finds them.