New Guidance from CMS for Completing a Security Risk Analysis

October 22, 2014

CMS released new guidance today for when to complete a security risk analysis. CMS said an analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. The steps may be completed outside of or during the EHR reporting period timeframe. CMS also said these steps must occur no earlier than the start of the reporting year and no later than the end of the reporting year.

CMS provided this example: “An eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014.”

CMS also noted that conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year. A review must be conducted in subsequent reporting years or when there are changes to the practice or electronic systems.

For more information, read the new FAQ.

VHIT is ready to help you with a Security Risk Assessment in Virginia. Learn more about VHIT at or contact us at
