Recent changes to Meaningful Use relaxed the requirements for 2015 attestation to a 90-day reporting period, but the security risk analysis (SRA) must happen in 2015 and before attestation.
Protecting electronic health information has been a meaningful use objective since the CMS EHR Incentive Program's inception. Hidden in the comments on the Modified MU Stage 2 objectives in the "CMS EHR Incentive Program; Stage 3 and Modifications to Meaningful Use in 2015 Through 2017; Final Rule," CMS states that "it is acceptable for the security risk analysis to be conducted outside the EHR reporting period if the reporting period is less than one full year. However, the analysis or review must be conducted within the same calendar year as the EHR reporting period, and if the provider attests prior to the end of the calendar year, it must be conducted prior to the date of attestation."
The comments regarding this objective in the MU Stage 3 Final Rule are even clearer: "If the EHR reporting period is 90 days, it must be completed in the same calendar year. This may occur either before or during the EHR reporting period; or, if it occurs after the EHR reporting period, it must occur before the provider attests or before the end of the calendar year, whichever date comes first." Elizabeth Holland with CMS confirmed that the comments regarding this objective in MU Stage 3 are also applicable to the objective in MU Stage 2.
Since CMS's Registration and Attestation portal is not scheduled to accept 2015 meaningful use attestations until January 4, 2016, all eligible providers planning to attest to meaningful use in 2015 must complete their security risk analysis between January 1, 2015 and December 31, 2015.
If your security risk analysis found risks, particularly medium and/or high risks, please keep in mind that a plan to "implement security updates as necessary and correct identified security deficiencies as part of the EP's risk management process" is required. Often, this is an action plan, risk remediation plan, risk mitigation plan or similar document that lists the discovered vulnerabilities, recommended improvements and a target completion date. The plan should be updated routinely throughout the year as information security improvements are made.
If you need assistance with the security risk analysis or your risk remediation plan, please contact Kelly Stephens at kelly.stephens@synovim.org.
