CMS Promoting Interoperability and the Security Risk Analysis Attestation
5 min read · Last reviewed May 22, 2026
The program name has changed three times
What started as Meaningful Use under the HITECH Act became the Medicare and Medicaid EHR Incentive Programs, then the Promoting Interoperability Programs, and now (for eligible clinicians) the Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS). For eligible hospitals and critical access hospitals it remains the Medicare Promoting Interoperability Program.
Across all of those names, one measure has carried through unchanged in spirit: the Security Risk Analysis measure.
What the SRA measure requires
The CMS Security Risk Analysis tipsheet describes the measure. Eligible clinicians and eligible hospitals must:
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.
In plain English: each reporting period, conduct or review a Security Risk Analysis covering all ePHI in the practice (not just the CEHRT-resident data) and address encryption decisions. Then act on the findings as part of the risk management process.
Each reporting period means each year for most filers
The Promoting Interoperability reporting period for most filers is a calendar year (or a defined 90-day or 180-day window depending on the program track in a given year — check the current year's CMS specifications). The SRA measure must be satisfied for that reporting period.
A practice that conducted an SRA in 2024 and attests for 2025 has not satisfied the measure for 2025 by pointing to the 2024 document. The "or review" language allows for a refresh rather than a from-scratch redo, but the refresh has to be conducted during the relevant reporting period and dated accordingly.
What the attestation actually says
The attestation is a yes/no on having conducted or reviewed the SRA, plus a date. There is no upload of the analysis itself at attestation time. CMS does not see the document until an audit.
The practice's responsibility is to retain the document so it is available if CMS audits the attestation. CMS audit selection runs on a sampling basis. Audits typically request:
- The dated risk analysis itself
- Evidence of risk management actions taken during the reporting period
- Documentation of encryption decisions under 164.312(a)(2)(iv)(2)(iv))
- Evidence of how the practice addressed identified deficiencies
What CMS does in an audit
CMS conducts pre-payment and post-payment audits through contractors. The post-payment process generally allows several years for review. A failed audit results in recoupment of incentive payments and (for MIPS) potential adjustment of payment.
The CMS Promoting Interoperability audit page describes the process. For the SRA measure specifically the most common audit findings are:
- Risk analysis not conducted during the reporting period
- Risk analysis missing required elements (no documented encryption decision, no risk management actions)
- Risk analysis not signed or dated
These are the same gaps OCR finds. The CMS and OCR records reinforce each other.
Scope: all ePHI, not just CEHRT
A common audit failure is a SRA that covers only the EHR data and ignores the rest of the practice's ePHI (laptops, removable media, email, RCM, billing service, telehealth, RPM). The CMS measure explicitly references all ePHI created or maintained by certified EHR technology, but the underlying HIPAA Security Rule risk analysis at 164.308(a)(1)(ii)(A)(1)(ii)(A)) covers all ePHI the covered entity holds. CMS auditors expect the SRA to cover the full scope.
Encryption specifically
The SRA measure singles out encryption. The risk analysis must include a documented decision on encryption of ePHI at rest and in transit under 164.312(a)(2)(iv)(2)(iv)) and 164.312(e)(2)(ii)(2)(ii)). A risk analysis that says nothing about encryption fails the measure even if the practice is in fact encrypted.
What is "implementing security updates as necessary"
The third part of the measure asks the practice to act on the findings. This is the Security Rule's risk management standard at 164.308(a)(1)(ii)(B)(1)(ii)(B)). Auditors look for evidence of remediation work tied to the analysis findings — closed items in a risk register, training events, policy updates, technical deployments.
A defensible SRA-for-attestation package
A practice attesting to the SRA measure should have, by the end of the reporting period:
- A dated risk analysis covering the reporting period
- A risk management plan with items addressed during the year
- Encryption decisions documented under the relevant Security Rule sections
- Signature by the Security Official
- Retention plan for at least six years per 164.316(b)(2)(i)(2)(i))
That document set covers both the CMS audit and an OCR audit, which is the practical economy: one binder, multiple audiences.
Restraint about claims
Conducting an SRA is one part of the broader compliance program. It does not certify the practice. It satisfies the CMS measure when conducted within the reporting period and retained for audit, but the measure is not a compliance certification.
How D3rx fits
D3rx SRA Binder Studio produces a dated, source-cited SRA aligned to the CMS Promoting Interoperability measure language and the underlying 164.308(a)(1)(1)) requirements, including explicit encryption decisions and a risk management plan. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance and for any CMS attestation.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- Merit-based Incentive Payment System (MIPS)https://qpp.cms.gov/mips/overview
- Medicare Promoting Interoperability Programhttps://www.cms.gov/regulations-guidance/promoting-interoperability/medicare
- CMS Security Risk Analysis tipsheethttps://www.cms.gov/regulations-guidance/promoting-interoperability/2024-medicare-promoting-interoperability-program-resources/security-risk-analysis-tipsheet
- CMS specificationshttps://www.cms.gov/regulations-guidance/promoting-interoperability/2024-promoting-interoperability-program
- 164.312(a)(2)(iv)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
- CMS Promoting Interoperability audit pagehttps://www.cms.gov/regulations-guidance/promoting-interoperability/audits
- 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 164.312(e)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(e
- 164.316(b)(2)(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
How Often Should a Practice Conduct a HIPAA Risk Analysis?
6 min readBy SpecialtyHIPAA Risk Analysis for a Primary Care Practice
5 min readFoundationsHIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readToolingThe HHS SRA Tool vs Paid HIPAA Risk Analysis Options
5 min readRelated across the archive
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAHow Often Should a Practice Conduct a HIPAA Risk Analysis?What 45 CFR 164.308(a)(8) requires for periodic evaluation, what HHS guidance says about cadence, and the practical pattern most small practices land on.
- SRAThe HHS SRA Tool vs Paid HIPAA Risk Analysis OptionsWhat the free HHS/ONC Security Risk Assessment Tool actually does, where it stops, and how to evaluate paid alternatives without overpaying for what the free tool already covers.
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- GlossaryAdvanced APMAn Alternative Payment Model that meets QPP criteria (including downside risk) and qualifies participating clinicians for a 5% lump-sum incentive payment.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.