Security Risk Assessment

PHIEligible Professionals, Acute Care Hospitals and Critical Access Hospitals will be required to respond to this Modified Stage 2 Meaningful Use Objective –  Protect Patient Health Information.

Objective:     Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure:     Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Exclusion:     No Exclusion is allowed for this Modified Stage 2  objective

Attestation Requirement:     Yes/No Response

Required Supporting Document:    SRA Tool Summary Report from Office of National Coordinator (ONC) or equivalent.

Additional Information

  • Since Program Year 2015, Mississippi requires the Security Risk Assessment meet the minimum criteria as used in the Office Of National Coordinator SRA tool.  Clinics may hire an outside firm or use third-party vendor to complete the Security Risk Assessment tool.
  • Clinics/Locations must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary each year.  This does not have to be completed during an EHR reporting period.  However, it must be done within a particular calendar year (January 1 – December 31) in order to be counted for that year.   A new review would have to occur for each subsequent calendar year.
  • A security update would be required if any security deficiencies were identified during the risk analysis. A security update could be updated software for certified EHR technology to be implemented as soon as available, changes in workflow processes or storage methods, or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.

This particular objective will require a Yes/No response in the State Level Registry.

The summary report will be a supporting document that must be attached during the attestation process.  During the pre-payment verification process, we will look for a completed analysis (meaning, that every question was answered Yes/No and that comments were included as part of the response).  We will also verify the completion date (prior to December 31st) for that calendar year.

Security Risk Assessment Videos

How Can I Learn More Before Getting Started?

For more information on what a risk assessment may involve, please view the following resources:

Security 101: Security Risk Analysis – Risk Assessment

Security 101: Contingency Planning

To learn how to use the SRA Tool, view our Tutorial video, which shows the basics of using and navigating the tool.



Download and install the Security Risk Assessment Tool from   SRA Tool Logo



What is Risk Assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.  Visit the Office for Civil Rights’ – Privacy and Security  for additional information.