The myths around a Security Risk Analysis


Security breaches are becoming more commonplace across many industries, and healthcare providers carry the added burden of protecting patient privacy. Practices are required to perform a Security Risk Analysis at least annually, assessing the risk that arises within the practice as well as from its vendors and business partners. To avoid scoring a zero in the MIPS Promoting Interoperability category, the Security Risk Analysis must be completed before the end of the calendar year. At a minimum, healthcare providers should put in place a plan to mitigate the risks identified in the analysis.

The Security Risk Analysis needs to cover administrative, physical, and technical safeguards so that all patient information is protected. Practices must reassess whenever there is a significant change in infrastructure, technology, or staffing.

The Quality Reporting Engagement Group discussed some of the myths addressed on the website of The Office of the National Coordinator for Health Information Technology (ONC).

Some Common Myths of the Security Risk Analysis (SRA)¹:

  1. The security risk analysis is optional for small providers. 
  2. Simply installing a certified EHR fulfills the security risk analysis MU requirement. 
  3. My EHR vendor took care of everything I need to do about privacy and security.
  4. I have to outsource the security risk analysis.
  5. A checklist will suffice for the risk analysis requirement.
  6. There is a specific risk analysis method I must follow.
  7. My security risk analysis only needs to look at my EHR.
  8. I only need to do a security risk analysis once.
  9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
  10. Each year, I’ll have to completely redo my security risk analysis.

The Quality Reporting Engagement Group has tools that a practice can use to conduct its own security risk analysis, and it can also provide information on vendors that help with an SRA. To learn more, contact them at:


The information in this blog was taken from a webinar held in July 2021 titled: MIPS Webinar Cost/Feedback Reports & Security Risk Analysis. To view the webinar, click here.