On December 3, 2014, CMS issued new guidance on when to complete a security risk analysis as required to meet the Meaningful Use requirements. This guidance noted that a Security Risk Analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the EHR reporting year and no later than the date the provider submits their attestation for that EHR reporting period.
The new guidance also includes this example. An eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st of the EHR reporting year and no later than the date the eligible professional submits the attestation for that EHR reporting period.
- While it is recommended that the security risk analysis be done within each program year, the security risk analysis may be completed after the end of the program year as long as it is completed before the attestation.
- The security risk analysis requirements must be met for each program year. It is not acceptable to use the same security risk analysis (a new security risk analysis or a review) for more than one program year.
For more information, please see CMS FAQ 10754.