We are frequently asked when a Security Risk Assessment (SRA) needs to be performed for Meaningful Use. Here is some guidance:
SRA for Meaningful Use
An SRA needs to be performed before a provider attests for Meaningful Use. According to CMS (https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf):
Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year. In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted. It is acceptable for the security risk analysis to be conducted outside the EHR reporting period; however, the analysis must be conducted for the certified EHR technology used during the EHR reporting period and the analysis or review must be conducted on an annual basis prior to the date of attestation. In other words, the provider must conduct a unique analysis or review applicable for the EHR reporting period and the scope of the analysis or review must include the full EHR reporting period. Any security updates and deficiencies that are identified in the review should be included in the provider’s risk management process and implemented or corrected as dictated by that process.
Timing of attestation for Meaningful Use
Furthermore, a provider has until the end of February 2017 to attest for Meaningful Use for 2016. According to CMS (https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html?redirect=/ehrincentiveprograms):
Dates to Remember
CY 2016 EHR Incentive Programs attestation deadline: February 28, 2017
What does this all mean?
If a provider has not yet attested for Meaningful Use for 2016, they have until February 28, 2017 to attest, and they can still perform an SRA. In fact, an SRA can be performed for Meaningful Use 2016 up until the end of February 2017, as long as it is performed BEFORE the provider attests for 2016.
So if you haven’t attested for Meaningful Use for 2016 and haven’t performed an SRA either, there is still time to do both.
Remember, one of the leading causes of failing a Meaningful Use audit is not performing a proper SRA for the reporting period.