Health Information Security Resources

Below are links to free resources for security-related issues. Bookmark this page and check back periodically; as more resources are discovered, this page will be updated.

These links and samples are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by KFMC. If we can help, please contact Kelly Stephens.

Security Rule - Federal Register

Security Training

Privacy/Security Incidents/Breaches

Business Associate Agreements

Policies and Procedures

Cloud Computing Environment

Disaster Preparedness and Recovery Plan



Meaningful Use - Modified Stage 2

2017 Program Requirements for Kansas Medicaid EHR Incentive Program

In October 2015, CMS released a final rule that specified criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to participate in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. The final rule’s provisions encompass 2015 through 2017 (Modified Stage 2) as well as Stage 3 in 2018 and beyond.

Here’s what you need to know about meeting EHR Incentive Programs requirements in 2017.

Objectives and Measures

  • All providers are required to attest to a single set of objectives and measures. This replaces the core and menu structure of previous stages.
  • For EPs, there are 10 objectives, and for eligible hospitals and CAHs, there are 9 objectives. View the 2017 Specification Sheets for Eligible Professionals and Eligible Hospitals and CAHs.
  • EPs must report a minimum of 6 Clinical Quality Measures.
  • In 2017, all providers must attest to objectives and measures using EHR technology certified to the 2014 Edition. If it is available, providers may also attest using EHR technology certified to the 2015 Edition, or a combination of the two.
  • Please note there are no alternate exclusions or specifications available.
  • There are changes to the measure calculations policy, which specifies that actions included in the numerator must occur within the EHR reporting period if that period is a full calendar year, or if it is less than a full calendar year, within the calendar year in which the EHR reporting period occurs. Specific measures affected are identified in the Additional Information section of the specification sheets.

Changes to Specific Objectives

  • Objective 8, Measure 2, Patient Electronic Access: For an EHR reporting period in 2017, more than 5 percent of unique patients seen by the EP during the EHR reporting period (or his or her authorized representatives) view, download or transmit to a third party their health information during the EHR reporting period.
  • Objective 9, Secure Messaging: For an EHR reporting period in 2017, for more than 5 percent of unique patients seen by the EP during the EHR reporting period, a secure message was sent using the electronic messaging function of CEHRT to the patient (or the patient-authorized representative), or in response to a secure message sent by the patient (or the patient-authorized representative) during the EHR reporting period.

EHR Reporting Period in 2017

  • The EHR reporting period is a minimum of any continuous 90-days between January 1 and December 31, 2017.
  • For the 2017 EHR reporting period, the attestation deadline is February 28, 2018.

2017 Modified Stage 2 Requirements Resources

Guide for Eligible Professionals Practicing in Multiple Locations

Health Information Exchange Fact Sheet

Medicaid Eligible Hospitals: Public Health Reporting in 2017

Medicaid Eligible Professionals: Public Health Reporting in 2017

Modified Stage 2 Objectives and Measures Summary

Patient Electronic Access Tip Sheet

Security Risk Analysis Tip Sheet



Medicaid Health IT

Meaningful Use (MU) Assistance – Medicaid Electronic Health Records Incentive Program (EHRIP) Education and Consultation

With funding from Kansas Department of Health and Environment, Division of Health Care Finance (KDHE/DHCF), KFMC is providing education and hands-on assistance to Medicaid providers to optimize their usage of electronic health information technology. KDHE/DHCF encourages the use of certified electronic health record technology (CEHRT) by all Medicaid providers. With the help of KFMC health IT consultants, Medicaid providers are able to not only meet the Meaningful Use objectives, thus earning the Medicaid EHRIP incentives, but learn to use the technology to improve patient and population health outcomes.

Free assistance is available to Medicaid providers (MDs, DOs, Nurse Practitioners, Nurse Midwives, and Dentists) for:

  • Medicaid EHRIP program education
  • EHRIP Registration and Attestation and Reporting
  • Certified EHR Technology Verification and Configuration
  • Current MU and Clinical Quality Measures Requirements
  • Meaningful Use Monitoring
  • Electronic Protected Health Information (EPHI) Security Risk Analysis
  • EPHI Security Risk Management Action Plan Development
  • Information Systems Security Policies and Procedures Review, Development and Updating
  • Certified EHR Technology Implementation including
    • Readiness Assessment
    • Vendor Selection
    • Implementation Assistance (Go Live)
  • Process Analysis and Redesign
  • Health Information Support.

For more information on KFMC’s work with Medicaid HIT, please contact Kelly Stephens.


Health IT Team

Kelly Stephens
Health IT Project Manager

Gary Carder
Health IT Consultant

Beckie Archer
Health IT Security Consultant