Security Risk Assessment for Meaningful Use/MACRA/MIPS, NCQA PCMH and HIPAA Compliance

Conducting a security risk assessment is REQUIRED for all eligible professionals or hospitals attesting to Meaningful Use (MU) and MACRA/MIPS to receive positive or downward payment adjustments. Any organization that is a Covered Entity or Business Associate under HIPAA regulations MUST complete an annual security risk assessment, then maintain a supporting risk management plan for potential HHS/OCR audit. In addition, the NCQA PCMH program provides 2 credits (TC5) recognition for completing your annual Security Risk Analysis.

Why now?

Meaningful Use security audits are actively being conducted by Figliozzi and Company on a pre-payment and post-payment basis, and several firms have forfeited large sums of incentive payments by failing to produce proper supporting documentation. In addition, the Quality Payment Program, a.k.a. MACRA/MIPS, requires the security risk analysis measure to be completed. HIPAA Phase 2 audits are also specifically focused on comprehensive security risk assessment of all ePHI produced, stored or transmitted. Theft and unauthorized transfer of medical records is a lucrative criminal enterprise, and reported data breaches have resulted in severe financial loss; risk assessment is one of the most effective methods to avoid these incidents. Risk analysis is also the first step in HIPAA Security Rule compliance efforts.

In addition, NCQA Patient-Centered Medical Home (PCMH) provides 2 credits (TC5) for practices that use an EHR system (or modules) that has been certified and issued an ONC Certification ID, conduct a security risk analysis, and implement security updates as necessary, correcting identified security deficiencies.

Why EHR 2.0?

A Meaningful Use security risk assessment checklist or HIPAA risk assessment checklist is not sufficient to handle advanced persistent threats on patient data. Certified security experts at EHR 2.0 take a systematic approach in meeting this requirement and include an audit support guarantee. Decades of experience in successfully conducting technical risk analyses and our best practice-based online toolkit platforms, with guidance drawn from various authoritative sources, help not only meet the compliance requirements but also secure your practice.

Ready to conduct an SRA? Choose one of the options below:

Online DIY Security Risk Assessment (SRA) Toolkit

  • Perform SRA in-house with user-friendly tool
  • Generate action plans from pre-populated solutions
  • Download and print reports instantly
  • Optional consulting service
  • Security awareness training for staff
  • External network and web vulnerability scan

Security Risk Analysis Consulting Service

  • Performed by a consultant with security certifications
  • Customized action plans and prioritizations
  • Documents required by auditors prepared on your behalf
  • CMS, HHS/OCR, & OIG audit support guarantee
  • Security awareness training for staff
  • External network and web vulnerability scan

Our step-by-step approach:

  1. Defining the scope of the security risk analysis
  2. Inventorying ePHI systems
  3. Assessing current security measures and reviewing past security risk assessment report
  4. Determining the likelihood of threat occurrence
  5. Identifying risks using automated and manual vulnerability analysis
  6. Prioritizing implementation
  7. Documentation of findings
  8. Security risk assessment report
    • Summary Report
    • Action Plan
  9. Annual update

If you want to learn more about the process and regulatory requirements, we also recommend the following resources:

Top 10 Myths about SRA

Top 10 myths of security risk analysis by Health


Meaningful Use security requirements by CMS

Guide for conducting risk assessments by NIST

Basics of risk analysis and risk management by HHS


Conducting or reviewing a security risk analysis for eligible professionals, hospitals, or critical access hospitals’ core objective measures as part of modified Stage 2 or Stage 3.

Additional Resources

Sample Meaningful Use security risk assessment template >>

Download our white paper on Meaningful Use security risk analysis >> 

 See our related blog posts on Meaningful Use security risk analysis >>

View on-demand webinar on Meaningful Use attestation >>