The Security Risk Analysis is required not only for meaningful use attestation but also as part of your HIPAA information privacy and security procedures.
The Office of Inspector General stated in the current Work Plan that they will perform audits on doctors’ offices and their business associates to determine whether they adequately protect electronic health information created or maintained in their offices. In addition, covered entities receiving EHR incentive payments from CMS are receiving letters requesting to see copies of their most recent security risk analysis and security policies and procedures manual.
In fact, if CMS receives a complaint about your office, they're obligated to investigate you. When they do, the first things they want to see are the results of your most recent security risk analysis, your risk policies and procedures, and your breach notification policies. Because the Office of Civil Rights is serious about protecting private information, you can expect that at some time in the near future you will be required to show proof of your compliance with the Security Rule in Title 2 of HIPAA.
Needless to say, if these documents are not in place, the fines can be excessive.