|
Yes, it is acceptable for the security risk analysis to be conducted outside the EHR reporting period; however, the analysis must be conducted for the certified EHR technology used during the EHR reporting period and the analysis or review must be conducted on an annual basis. In other words, the provider must conduct a unique analysis or review applicable for the EHR reporting period and the scope of the analysis or review must include the full EHR reporting period. The analysis or review for the EHR reporting period must be conducted prior to the date of attestation.
Created 12/11/2015
(FAQ13649)
|
