There is a lot of confusion about the requirements for Meaningful Use. The program has been around for 5 years and has seen many changes.
We talk to potential clients and have recently heard the following quote many times:
I heard the Security Risk Analysis is no longer a requirement for Meaningful Use
I heard this statement so many times that I actually researched to make sure I didn’t miss a change to Meaningful Use that would make this statement true.
SRA Alive and Kicking
CMS has recently released changes to the Meaningful Use Stage 2 program for 2015-2017. It is clear that the Security Risk Analysis (SRA) is still a requirement for Meaningful Use. In fact, it is now the first Objective.
We’re Number 1
The SRA has always been a requirement for Meaningful Use. In 2011 Stage 1 the SRA was Objective 15. In 2014 Stage 2 the SRA was Objective 9. With the release of the revised Stage 2 Objectives for 2015-2017, the SRA moves up to Objective 1.
While this could just be symbolic, having the SRA as the first Objective makes it clear that the requirement to protect patient information is extremely important. With over 100 million patient records breached the government seems to be sending a message to healthcare organizations that they need to better protect patient information.
Not performing a thorough SRA is a leading cause of organizations failing a Meaningful Use audit. Now with the SRA as the first Objective, it is safe to assume that even more scrutiny will be placed on the SRA.