The first HIPAA security implementation specification and core requirement number 15 for meaningful use attestation to qualify for Medicare and Medicaid incentive bonuses require a security risk analysis. This means that ALL covered entities seeking Medicaid or Medicare incentives under Meaningful Use MUST conduct a risk analysis or meaningful use risk assessment in order to qualify.
Meaningful Use core requirement #15 is the sole meaningful use measure that addresses the privacy and security of the patient information contained in your electronic health record systems. The language states:
"Conduct or review a security risk analysis per 45 CFR 164.308(a)(1)and implement security updates as necessary."
Source : http://www.healthsecuritysolutions.com/services-solutions/security-risk-analysis/