There are 5 required core measures to meet. 2 of them are being postponed for 2017. Security Risk Assessment is one of the 3 that must be met starting in 2017. It is part of the Advancing Care Information Performance Category Scoring Methodology, Advancing Care Information Objectives and Measures, and here is what it says:
Objective: Protect Patient Health Information.
Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.
Security Risk Analysis Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.
Where MACRA and HIPAA meet:
Failure to do so would result in a base score of zero under either the primary proposal or alternate outlined proposal, as well as a performance score of zero (discussed in section II.E.5.g. of the proposed rule (81 FR 28215)) and an advancing care information performance category score of zero.