We previously mentioned the proposed CMS changes for 2014 Meaningful Use Attestation. The changes will make it much easier for organizations to attest for both Meaningful Use Stage 1 and Stage 2 in 2014. A critical deadline is approaching for organizations that plan to attest in the second quarter 2014 (ending June 30th).
The Meaningful Use Security Risk Assessment must be completed before the end of the reporting period. Organizations that plan to attest for second quarter MUST complete their Security Risk Assessment before June 30, 2014.
Do I have to complete the Meaningful Use Risk Assessment prior to the end of the reporting period or can I do a Risk Assessment after the reporting period?
Guidelines from CMS make it clear that the Meaningful Use Risk Assessment MUST be performed prior to the end of the reporting period.
EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period.
The CMS guidelines make is clear that an organization can perform the Risk Assessment before, during but not after the reporting period has ended.