When to do an SRA

To meet MIPS “Promoting Interoperability” requirements, a security risk assessment (SRA) must be completed by the end of 2025. Providers who complete the SRA, among other items, may be eligible for payment incentives in a subsequent year. The MIPS process is essentially “meet the requirements one year, get the incentives in another year.” The MIPS SRA requirement is an annual one.

It’s another story with HIPAA. Under HIPAA, the mentality that completing an SRA exactly once a year, on or by a predetermined date, means you have checked off a really important box is misguided. HHS notes that SRAs should be conducted continuously, and in particular in response to environmental or operational changes and/or security incidents. Environmental changes, operational changes, and security incidents so often simply don’t occur on a predictable timeline.

Changes, incidents, what is actually happening in your operations at the ground level—these should determine when to conduct an SRA, not a date circled on a calendar. 

By all means, if environmental or operational changes and/or security incidents occur between now and year’s end, conducting one or more SRAs in response is in order. And if you haven’t completed an SRA in five years, you’d probably want to get cracking on it as soon as you can, because of all the changes that no doubt occurred in your environment in that time. The notion of getting an SRA done each and every year, though, once and “before year’s end,” provides a false sense of security, forgive the phrase.

Learn more about risk assessment in our comprehensive guide.
