The Centers for Medicare & Medicaid Services (CMS) has made a change to the timing of a Meaningful Use (MU) Security Risk Assessment. Previously, providers were required to perform a Security Risk Assessment either before or during the MU reporting period. The change gives more flexibility to providers on when they can perform the Security Risk Assessment.
The Security Risk Assessment can now take place either before, during or after the MU reporting period but MUST take place between January 1st and December 31st of the year that the provider is attesting for MU. Below is guidance from CMS
New CMS Guidance for When to Complete a Security Risk Analysis
A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.
For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014.