FAQs on completing the Security Risk Analysis

The Security Risk Analysis (SRA) is a prerequisite for participation in the MIPS Promoting Interoperability (PI) performance category. SRAs for Purdue Healthcare Advisors' Midwest clients and grant participants are conducted by CyberTAP, a Purdue University technical assistance program formed to meet the growing demand for cybersecurity services and education. CyberTAP offers extensive expertise in health IT security because many of its staff are former PHA security consultants well versed in the security needs of hospital systems, clinics, and small practices. 


The SRA requirement can be daunting for small practices that do not always have time or resources to conduct one. With the right information and appropriate planning, conducting your SRA can be a straightforward and beneficial process. Here are answers to some common SRA questions to get you started:

Why do I have to conduct an SRA?

The objective of the SRA requirement is to protect all patient health information, particularly electronic patient health information (ePHI).

When should I conduct my SRA?

You must conduct or review an SRA on an annual basis. You should conduct a full SRA if you have not done so previously, or if you have implemented a new EHR system. Otherwise you can instead review and update the prior analysis for changes in risks. You do not have to conduct your SRA during your MIPS 90-day performance period, but you must complete an analysis within the same calendar year of the performance period. It is likely that your first SRA will take longer than subsequent SRAs in later performance years.

What are the requirements?

MIPS requires that you conduct or review an SRA in accordance with the HIPAA Security Rule. The rule requires you to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, including data encryption. You must implement security updates as necessary and correct any security deficiencies that you identify. Please note that you do not need to complete all security updates and corrections immediately. Instead, develop and follow a plan to complete the updates and corrections.

What is the best strategy to complete my SRA?

There is no one correct way to conduct your SRA, and the best strategy for you will vary based on your practice’s needs. A common piece of advice for all practices is to develop a clear strategy before beginning your assessment. You may also consider separating your assessment and correction of security deficiencies into two distinct phases. A good place to start is with the Office of the National Coordinator for Health Information Technology and the HHS Office for Civil Rights’ Security Risk Assessment Tool, which was developed specifically for small and medium practices.

Where can I find more information?

To learn more about SRAs, visit CMS’ description of the measure here and clicking on “2019 MIPS PI Measures Security Risk Analysis.” For a more in-depth explanation of the SRA process, view Telligen’s QPP Resource Center presentation on the subject here. To understand how the SRA requirement fits into the PI performance category and MIPS as a whole, read about the 2019 PI requirements here. If you practice in the Midwest and wish to have CyberTAP conduct your SRA, fill out this online inquiry form.

Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2019 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program taphelp@purdue.edu.