On a recent CMS/ONC eHealth Vendor Workgroup call, government representatives stated that providers have until the 2015 meaningful use attestation deadline (February 29, 2016) to complete the required Security Risk Analysis (SRA) for the 2015 reporting period.
A CMS FAQ dated 12/11/15 states “the scope of this analysis must include the full EHR reporting period” but that it is “acceptable for the security risk analysis to be conducted outside the EHR reporting period; however, the analysis must be conducted for the certified EHR technology used during the EHR reporting period and the analysis or review must be conducted on an annual basis.”
This information contradicts earlier interpretations suggesting that the SRA must be completed before the end of the calendar year in which the reporting period occurred. However, regardless of any ambiguity, this is clear: a complete and correct SRA for 2015 is a requirement for all providers attesting to meaningful use. (Important note: If a provider chooses to complete their 2015 SRA in 2016, they must do another, separate SRA for the 2016 reporting year, as the FAQ clearly states there must be a unique SRA done for each reporting year.)
NextGen Healthcare strongly urges clients who have not completed their 2015 SRA to do so immediately and to keep a copy of the CMS FAQ in their audit binder.
Clients who need assistance in conducting their SRA or have concerns about whether their 2015 SRA meets the requirements may wish to consider the simplified SRA solution offered by NextGen Healthcare in partnership with HIPAA One®.
For more information on the NextGen Healthcare SRA solution, read here or contact your sales representative.