Organizations That Handle PHI Must Now Attest to SAFER Guides—Here’s Why and How
Published November 11, 2022


Many of you may have never heard of the SAFER Guides or know how they are used. However, as of 2022, the Centers for Medicare & Medicaid Services (CMS) requires attestation to the SAFER Guides for compliance with the Medicare Promoting Interoperability Program. According to CMS, attestation for the calendar year 2022 requires a simple “Yes” or “No” response. But, what exactly are the SAFER Guides? Who is required to attest? Why is attestation required now? How is attestation completed? And how can you get help? The following article will offer clarity and insight to navigate these questions and ensure you have the necessary information to complete the attestation process.

What are the SAFER Guides?

Although the attestation requirement is new, the Safety Assurance Factors for EHR Resilience Guides (SAFER Guides) have been around for years. They were released by the Office of the National Coordinator (ONC) in 2014 as guidelines to enhance the security and reliability of Electronic Health Record (EHR) systems. The guides were updated in 2016 and have remained unchanged since. The guides, which are available for public use, are designed for organizations that touch and transfer protected health information (PHI) to use in conducting security self-assessments. Each guide is built as an interactive PDF for self-assessment completion, but it requires collaboration from all areas of an organization. Each guide lists domains with accompanying questions, and for each question the entity must select one of the following levels of implementation: Fully in all areas, Partially in some areas, or Not implemented.

Each question includes a worksheet that allows for assessment notes, follow-up action, and personnel responsible for action. The worksheets are created to provide a template to respond to each question, and to provide examples of best practices and the positions of individuals who might be associated with the control in question.

There are three categories of SAFER Guides with a total of nine individual guides covering the various security aspects of an organization:

  1. Foundational Guides
    1. High-Priority Practice
    2. Organizational Responsibilities
  2. Infrastructure Guides
    1. Contingency Planning
    2. System Configuration
    3. System Interfaces
  3. Clinical Process Guides
    1. Patient Identification
    2. Computerized Provider Order Entry With Decision Support
    3. Test Results Reporting and Follow-Up
    4. Clinician Communication

Who is required to attest?

All entities currently benefiting from the Medicare Promoting Interoperability Program are now required to attest to the SAFER Guides in addition to the already required annual Security Risk Analysis and Certified Electronic Health Record Technology (CEHRT) attestation. This new requirement includes attestation from both eligible hospitals and Critical Access Hospitals (CAHs).

Why is attestation required now?

On October 1, 2021, CMS published a final rule that included a notice of required attestation to SAFER Guides to meet the Medicare Promoting Interoperability Program in 2022.

One reason for this enhanced security measure is the increase in cybercrime in the healthcare industry. According to an October 2022 HIPAA Journal article:

Between 2017 and 2021, ransomware attacks increased by 109%, and 2022 has seen a 13% year-over-year increase in attacks. . . . 57% of healthcare organizations said they had experienced a ransomware attack at some point in the past 3 years. 86% of healthcare organizations that suffered a ransomware attack suffered operational outages as a direct result of the attack, with 25% of organizations that experienced an attack forced to completely halt operations. 60% said that some business processes were disrupted due to the attack.

Using the SAFER Guides for compliance with the Medicare Promoting Interoperability Program requires healthcare organizations to act on and implement standard measures to protect themselves and the information they process.

How do I attest?

For calendar year 2022 attestation, entities must attest “Yes” or “No” to whether they have completed all nine SAFER Guides. Each required entity must complete the self-assessment worksheets referenced earlier. Regardless of the response, the answer will not affect their overall program score. To complete their attestation, entities must respond through CMS’ QualityNet Secure Portal. For new or previously unenrolled entities, CMS has developed a detailed guide to enroll in and log in to the QualityNet Secure Portal.

How can PYA help?

Although the completion of SAFER Guides does not serve as a replacement for HIPAA Security Risk Analysis, our experts can help crosswalk the controls to ensure that both requirements are met. The SAFER Guides were created to be completed as a self-assessment, but our team is equipped to provide clarity and navigation to help organizations complete attestations.

PYA specializes in information technology (IT) security assessments and mitigation in the healthcare industry. We partner with our clients to provide IT risk management, process assessments, and data governance. Our IT subject matter experts have the knowledge and experience to provide education, navigation, and attestation assistance.

If you would like assistance with cybersecurity risk mitigation and strategies, or any matter involving IT needs, one of our executive contacts would be happy to assist. You may email them or call (800) 270-9629.
