Security Risk Analysis for Meaningful Use Stage 1


You may have questions about what a Security Risk Analysis is as it relates to Meaningful Use. Adherence to HIPAA requirements does not automatically mean you can attest to having completed a Security Risk Analysis.



A Security Risk Analysis is a Core Measure for Stage 1 of Meaningful Use (MU). How this measure relates to HIPAA, and what it entails, can be confusing. During the audit process, some providers have been questioned about their Security Risk Analysis. We hope to shed some light on the subject.


As per CMS, the MU objective is to:  Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.


The MU measure is: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.


There are no exclusions.


Specific steps must be followed to attest to a Security Risk Analysis.


A number of resources that may help you follow those steps and perform a Security Risk Analysis include:

This document and the referenced resources are meant to be a guide only.  You may wish to refer to a consultant in the field for further assistance.



