____
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
____________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
__________________________________________
___________________________
Security Risk Analysis
Please upload a copy of your security risk analysis (SRA). It must be signed and dated
and must have been conducted or reviewed during the calendar year that corresponds to
the program year. The SRA must be re-administered (if your EHR has been upgraded) or
reviewed annually. If the SRA was conducted before or during the MU reporting period, it
must be reviewed to make sure that it remains valid for the entire MU reporting period.
You may use the free tool available on the HealthIT website but other formats are
acceptable. Sensitive information may be redacted from the uploaded copy in order to
protect patient privacy or data security.
Alternatively, you or your group/clinic may upload a letter containing the information
specified below about the SRA or its review. A copy of the actual SRA must be retained
by the professional or group/clinic for 7 years for DHCS auditing purposes.
SRA Letter Template
The tab key may be used to move to the next form field or line. Additional pages may be
attached if the space provided below is insufficient.
Date SRA completed or reviewed:
Person or entity that conducted or reviewed the SRA:
Describe the basic methodology for conducting or reviewing the SRA.
Security Risk Analysis Template v. 1.0
1