New CMS Guidance for When to Complete a Security Risk Analysis

On December 3, 2014, Centers for Medicare & Medicaid Services (CMS) issued new guidance for when to complete a security risk analysis as required to meet the Meaningful Use requirements in the Electronic Health Record (EHR) Incentive Program. This guidance noted that a security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside or during the Electronic Health Record (EHR) reporting period timeframe, but they must take place no earlier than the start of the EHR reporting year and no later than the date the provider submits their attestation for that EHR reporting period.

The new guidance also includes this example: An eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period, as long as it is completed between January 1st of the EHR reporting year and no later than the date the eligible professional submits the attestation for that EHR reporting period.

1. While it is recommended that the security risk analysis be done within each program year, the security risk analysis may be completed after the end of the program year as long as it is completed before the attestation.

2. The security risk analysis requirements must be met for each program year. It is not acceptable to use the same security risk analysis (a new security risk analysis or a review) for more than one program year.

For more information, please see CMS FAQ 10754.

Additional Resources – Texas Medicaid EHR Incentive Program

  •  Learn about program rules and steps by using the self-paced e-learning module at:
  •  Visit the Texas Medicaid Health IT website for updates on the EHR Incentive Program and other health IT initiatives.
  •  For more information about MU documentation or other program questions, contact: or call 1-855-831-6112.