In early December, CMS released CMS FAQ 10754 just in time for the holidays. In a nutshell, the new guidance allows the Security Risk Assessment (SRA) required by Meaningful Use (MU) to fall outside the EHR reporting period, as long as it is conducted no earlier than January 1 of the program year and no later than the date the provider attests, even if that date is after December 31 of the reporting year.
The example they give: An eligible professional (EP) who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate SRA requirements outside of this 90-day period as long as it is completed between January 1 of the EHR reporting year and no later than the date the eligible professional submits the attestation for that EHR reporting period.
This is welcome relief for the procrastinators in the program. But be careful: it also sets up a potential problem next year at this time. An EP who completes an SRA in January 2015 and uses it to attest for 2014 may feel they have also met the requirement for the 2015 attestation. It is NOT the intent of CMS to allow a single SRA to cover two program years. The statement used in the FAQ is: "Please note that a security risk analysis or review needs to be conducted during each EHR reporting year for Stage 1 and Stage 2 of meaningful use to ensure the privacy and security of their patients' protected health information."
The SRA requirements must be met for each program year. It is not acceptable to use the same SRA for more than one program year.
My advice is to create a Risk Management/Mitigation Plan for your organization that continuously monitors how your risk evolves through the year and has a documented process to update and ratify the assessment. Then, when the auditor comes knocking, you can show how you continuously monitor, assess, and mitigate risk throughout the year, with a dated record of each update. Another option is to pick a reputable firm whose SRAs have stood up to the scrutiny of audit, and work with them to fill your needs.