Security Risk Analysis for MIPS: How to Complete It Using Elation EHR
The Security Risk Analysis (SRA) is one of the most misunderstood and most frequently missed requirements in the MIPS Promoting Interoperability category. It is a required measure, which means failing to attest to it results in zero points for the entire PI category, not just for this individual measure.
For a category that carries 25% of your composite score, that is a devastating gap. Yet many small practices skip the SRA simply because they do not realize it is distinct from their general HIPAA compliance activities. This post explains exactly what the SRA requires, how it relates to Elation, and how to complete and document it for MIPS purposes.
What the Security Risk Analysis Actually Is
The SRA is a formal review of the risks and vulnerabilities to the confidentiality, integrity, and availability of your electronic protected health information (ePHI). It is required under both HIPAA and MIPS, but the MIPS attestation is specific: you must attest that you have conducted or reviewed an SRA during the performance year. The SRA covers your entire electronic environment, not just your EHR. That includes workstations, mobile devices, your network infrastructure, and any third-party systems that store or transmit patient data. CMS provides a free Security Risk Assessment Tool (available at healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) that walks small and medium practices through the full analysis with guided questions and documentation templates. Using this tool produces a report that serves as your attestation evidence.
How Elation Figures Into Your SRA
Elation Health is a cloud-based EHR, which means the infrastructure security (servers, databases, network security, and encryption) is managed by Elation, not your practice. Elation maintains HIPAA Business Associate Agreements (BAAs) with its customers and holds SOC 2 compliance certification, covering the security controls on its end of the ePHI lifecycle. However, your SRA must also cover the endpoints and processes on your end: the computers clinicians use to access Elation, the Wi-Fi network in your clinic, the passwords and access controls you have in place, and the training you provide to staff.
Elation's infrastructure security is not a substitute for your practice's own SRA; it informs one part of it.
Completing the SRA: A Practical Checklist
Practice managers tasked with the SRA should work through the following:
- Inventory all systems that create, receive, maintain, or transmit ePHI, including Elation, your billing software, your fax service, and any connected devices.
- Identify vulnerabilities in each system, such as weak passwords, unencrypted devices, lack of multi-factor authentication, and insufficient access controls.
- Assess the likelihood and impact of each vulnerability being exploited.
- Implement and document mitigation measures for high-risk vulnerabilities.
- Document the entire process in a written report and note the date of completion.
This report is what you reference when you attest to the SRA measure during MIPS submission. Store it securely and retain it for at least six years to comply with HIPAA retention requirements.
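The checklist above is essentially a risk register: an inventory of ePHI systems, the vulnerabilities found in each, a likelihood-times-impact score, and a dated written record of mitigations. The following Python script is an added example of that process and is not Elation's code, the CMS SRA Tool, or anything from the original post. The system names, vulnerabilities, 1-to-3 scoring scale, high-risk threshold, and dates are all constructed for illustration; the performance-year check at the end reflects the post's point that the completion date must fall within the MIPS performance year.

```python
"""Practice-side SRA risk register (added example; all sample data is constructed)."""
from dataclasses import dataclass, field
from datetime import date

# Likelihood and impact are each scored 1 (low) to 3 (high); risk = likelihood * impact.
# Constructed threshold: a score of 6 or 9 is treated as high risk and must be mitigated.
HIGH_RISK_THRESHOLD = 6


@dataclass
class Vulnerability:
    description: str
    likelihood: int          # 1-3
    impact: int              # 1-3
    mitigation: str = ""     # documented mitigation; empty until one is recorded

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class System:
    name: str
    handles_ephi: bool
    vulnerabilities: list = field(default_factory=list)


def validate_scores(systems):
    """Reject scores outside the 1-3 scale so the register cannot silently under-rate a risk."""
    for s in systems:
        for v in s.vulnerabilities:
            if not (1 <= v.likelihood <= 3 and 1 <= v.impact <= 3):
                raise ValueError(f"{s.name}: '{v.description}' has a score outside 1-3")


def high_risk_findings(systems):
    """Return (system name, vulnerability) pairs at or above the threshold, highest risk first."""
    validate_scores(systems)
    findings = [(s.name, v) for s in systems if s.handles_ephi
                for v in s.vulnerabilities if v.risk_score >= HIGH_RISK_THRESHOLD]
    return sorted(findings, key=lambda pair: pair[1].risk_score, reverse=True)


def unmitigated_high_risks(systems):
    """High-risk findings with no documented mitigation: these block a defensible attestation."""
    return [(name, v) for name, v in high_risk_findings(systems) if not v.mitigation]


def completed_in_performance_year(completion_date, performance_year):
    """An SRA only supports the attestation for the year in which it was completed or reviewed."""
    return completion_date.year == performance_year


def build_report(systems, completion_date, performance_year):
    """Produce the written record the practice retains and references when attesting."""
    lines = [f"Security Risk Analysis completed {completion_date.isoformat()} "
             f"for performance year {performance_year}"]
    if not completed_in_performance_year(completion_date, performance_year):
        lines.append("WARNING: completion date is outside the performance year; "
                     "this report does not support the current year's attestation")
    for s in systems:
        lines.append(f"System: {s.name} (handles ePHI: {'yes' if s.handles_ephi else 'no'})")
        for v in s.vulnerabilities:
            status = f"mitigation: {v.mitigation}" if v.mitigation else "OPEN - no mitigation documented"
            lines.append(f"  - {v.description}: L{v.likelihood} x I{v.impact} = {v.risk_score}; {status}")
    open_items = unmitigated_high_risks(systems)
    lines.append(f"Unmitigated high-risk findings: {len(open_items)}")
    return "\n".join(lines)


def sample_inventory():
    """Constructed inventory of the kinds of systems the checklist asks a practice to list."""
    return [
        System("Elation EHR (practice-side access)", True, [
            Vulnerability("Shared clinician login with no multi-factor authentication", 3, 3)]),
        System("Front-desk laptop", True, [
            Vulnerability("Unencrypted hard drive", 2, 3, "Enabled full-disk encryption 2024-02-10")]),
        System("Billing software", True, [
            Vulnerability("Weak, never-rotated passwords", 3, 2)]),
        System("Clinic Wi-Fi", True, [
            Vulnerability("Shared network password known to former staff", 2, 2)]),
        System("Fax service", True, [
            Vulnerability("Received faxes left in output tray", 1, 2)]),
    ]


if __name__ == "__main__":
    # Constructed completion date and performance year for the demonstration run.
    print(build_report(sample_inventory(), date(2024, 2, 12), 2024))
```

Running the script prints the dated register with open high-risk items flagged; a practice would keep that output (or the equivalent CMS tool report) with the date noted, as the post describes.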
Making the SRA an Annual Habit
The SRA is not a one-and-done exercise; MIPS requires it annually. Practice managers should schedule the SRA as a recurring calendar event each January or February to ensure it is completed well before year-end. Some practices contract with a healthcare IT security firm to conduct the SRA on their behalf, which provides an independent assessment and a professional documentation package. This can be worth the cost for practices that lack internal IT expertise. Whatever approach you use, make sure the completion date falls within the MIPS performance year. An SRA completed in December of the prior year does not count for the current year's MIPS attestation.