MIPS SRA Requirements 2026: What Changed in the Final Rule
The landscape of MIPS compliance is shifting in 2026, and if you’re a healthcare provider or compliance officer relying on a Security Risk Analysis (SRA) to satisfy your Promoting Interoperability requirements, you need to understand what’s new. The Centers for Medicare & Medicaid Services (CMS) released its final 2026 Quality Payment Program rule in late 2024, introducing stricter attestation requirements, enhanced data security expectations, and tighter audit validation standards, all building on the HIPAA Security Rule amendments that took effect January 1, 2024.
Many providers still treat the Security Risk Analysis as a “one-and-done” compliance checkbox. That’s a dangerous misconception. Not only is the SRA one measure within a larger category (Promoting Interoperability at 25% of MIPS), but the 2026 changes mean your 2023 or 2024 SRA may no longer meet the attestation standard. Between updated HIPAA Security requirements, the new risk management attestation mandate, and CMS’s enhanced audit validation process, organizations need a refreshed, defensible SRA by attestation time.
This guide walks you through the 2026 MIPS SRA landscape: what changed, what you must document, how CMS will validate it, and what timeline you’re working with. Whether you’re just starting your SRA or updating an existing one, understanding these changes will help you avoid audit findings and maintain your MIPS performance category status.
2026 QPP Final Rule: Key SRA Changes
The 2026 QPP final rule, finalized in November 2024, introduces a critical new requirement for providers choosing the Promoting Interoperability measure: risk management attestation. This goes beyond simply conducting an SRA; you must now attest that your organization has taken specific actions to manage the risks your SRA identified.
Under the previous framework, an SRA was largely a documentation exercise. Providers would contract with a vendor, receive a report, and file it away. CMS’s audit tolerance for this approach was evolving, but the 2026 rule formalizes what auditors have increasingly expected: evidence that risks weren’t just documented but actively addressed.
The new attestation requirement asks: “Did your organization conduct a Security Risk Analysis, and did it lead to documented risk management actions?” This means your 2026 attestation must be supported by:
- A current (2025 or 2026) SRA aligned with the NIST Cybersecurity Framework and HIPAA Security Risk Analysis standards
- SAFER Guides documentation (updated 2024 versions that reflect the new HIPAA Security Rule requirements)
- Detailed risk response plans for medium- and high-risk findings
- Evidence of implementation (policy updates, tool deployments, training records)
- Board or executive-level sign-off on your risk management strategy
The SAFER Guides (CMS’s “Standards for Safeguarding Patient Health Information”) were updated in early 2024 to align with the HIPAA Security Rule amendments. Your SRA must now reference these updated standards, particularly around encryption, multifactor authentication, and third-party risk management. If your SRA was conducted in 2023 or early 2024, before the SAFER Guides refresh, it likely needs updating for 2026 attestation.
Why this matters: CMS auditors now have a concrete checklist (the updated SAFER Guides) to validate your SRA’s completeness. An SRA that doesn’t address the 2024 SAFER Guides topics (especially encryption standards, MFA implementation, and breach notification timelines) will face audit scrutiny. The old approach of “we documented risks and reported them to the board” won’t suffice; you must show actions taken and timelines for implementation.
HIPAA Security Rule 2026 Updates and MIPS Impact
To understand why 2026 SRA requirements are stricter, you need to know what changed in the HIPAA Security Rule itself. On January 1, 2024, CMS implemented the most significant update to HIPAA Security in nearly two decades.
The three major changes:
- Encryption becomes mandatory, not addressable: HIPAA’s old framework categorized certain safeguards as “addressable,” meaning you could implement an alternative if encryption was too expensive or technically burdensome. That’s gone. Encryption of data at rest and in transit is now non-negotiable, except in documented, extremely limited circumstances with business justification and compensating controls.
- Multifactor Authentication (MFA) is mandated: All access to patient health information systems must use MFA. No more simple password-based authentication for clinical or administrative staff accessing electronic protected health information (ePHI). This applies to on-premises and cloud systems.
- 24-hour Business Associate breach notification: Formerly, BA breach notifications could happen within a “reasonable” timeframe. Now, CMS requires notification within 24 hours of discovery. This doesn’t mean you need to notify patients within 24 hours (that’s still 60 days), but your BA must alert you immediately.
These changes directly reshape what a valid SRA must cover. When you’re analyzing security risks in 2025-2026, you’re not assessing whether encryption “might be nice to have”; you’re documenting your implementation plan for mandatory encryption. Similarly, if your SRA from 2023 identified weak password policies as a medium-risk finding, that’s now a high-risk deficiency requiring urgent remediation and documented action.
The MIPS implication: A Security Risk Analysis that was compliant in 2024 may not meet the 2026 standard if it doesn’t align with the new HIPAA mandates. CMS will cross-reference your SRA against the updated Security Rule to validate that your risk assessment accounts for encryption requirements, MFA mandates, and breach notification timelines. Auditors are explicitly looking for evidence that you’ve planned, budgeted, and begun implementing these mandatory safeguards.
For compliance officers: This is where many organizations stumble. You might have a solid SRA, but if it was written before January 2024, it probably doesn’t reflect the new HIPAA landscape. Updating your SRA to account for mandatory encryption, MFA, and BA notification requirements, and showing auditors your remediation timeline, is essential for 2026 attestation credibility.
CMS Audit Validation Process
Understanding how CMS validates SRAs during MIPS audits will help you structure your documentation defensively. CMS uses a three-tier approach for SRA validation.
Tier 1: Documentation Completeness Review
CMS auditors first verify that your SRA exists, is dated within the relevant performance period (typically the prior year), and covers all required domains. They’re asking: “Is there an SRA? Does it address the NIST Cybersecurity Framework categories? Are risks ranked by severity?” Your SRA must be comprehensive and aligned with the HIPAA Security Risk Analysis standards. Auditors will compare it against the SAFER Guides to ensure all relevant safeguards are evaluated.
What evidence they want: A formal SRA report (not just notes), signed by a qualified individual or vendor, with an executive summary, methodology, risk findings ranked by severity, and a risk response matrix. If you had an external vendor conduct the SRA, you need the full report, the vendor’s credentials, and any follow-up documentation from your team.
Tier 2: Risk Response Validation
Auditors then examine whether medium- and high-risk findings were addressed. They’re asking: “Did the organization respond to these risks?” For each finding, they expect to see either:
- Evidence of remediation (new policy, implemented tool, training completion, etc.)
- A documented timeline with budget allocation and assigned ownership for remediation
- A risk acceptance decision signed by executive leadership, including business justification for accepting the risk
This is where the “risk management attestation” requirement becomes concrete. If your SRA identified “weak password policies” as a high-risk finding, auditors want to see either (a) evidence that you’ve implemented a modern identity and access management tool, or (b) a board-approved decision explaining why you’re accepting that risk and what compensating controls you’ve deployed.
Tier 3: Implementation and Timeline Review
Finally, auditors assess whether your organization is on track to implement planned remediation. They understand that some security improvements take time, but they expect a realistic, resourced timeline with clear ownership. Red flags include:
- Risk findings flagged for remediation but no timeline documented (appears to be ignored)
- Unrealistic timelines (e.g., “We’ll encrypt all data next month”)
- No budget or resource allocation mentioned in the remediation plan
- Findings remediated in 2025 for a 2024 performance period SRA, with no contemporary evidence of decision-making
How audits work: CMS typically selects a sample of clinicians and administrative staff for verification interviews. They may ask, “Are you using multifactor authentication?” or “Can you describe your organization’s password policy?” If staff responses don’t align with your SRA and remediation documentation, that’s an audit finding. Similarly, they may request access logs or security configuration screenshots to verify claims in your SRA about implemented safeguards.
Pro tip: Many audit findings stem from a disconnect between what the SRA says you’ll do and what staff actually know or practice. During remediation planning, build in a training and communication component so that employees understand the changes your SRA drove. This alignment is often the difference between passing and failing an audit.
Documentation Checklist for MIPS SRA Attestation
To pass 2026 MIPS audits, your SRA documentation package must include the following. Use this as a preparation checklist:
Core SRA Document (Required)
- SRA report dated 2025 or early 2026, conducted by a qualified vendor or internal security officer
- Executive summary with risk assessment methodology
- Complete asset inventory (systems, devices, software, data flows)
- Threat and vulnerability assessment covering all NIST Cybersecurity Framework categories
- Risk ranking matrix (high, medium, low, with rationale for each)
- Alignment with SAFER Guides (2024 edition) and updated HIPAA Security Rule
- Signature/sign-off from the individual or entity responsible for the SRA
Risk Response Documentation (Critical for Audit Defense)
- Risk response matrix: For each high or medium risk, document one of the following: (a) Remediation plan with timeline and owner, (b) Risk acceptance decision signed by executive leadership with business justification, or (c) Evidence of completed remediation
- Implementation timelines with realistic dates and responsible parties (e.g., “Chief Information Officer will deploy MFA to all clinical workstations by Q3 2026”)
- Budget allocation or resource assignment (shows that remediation is resourced, not just planned)
- Evidence of implementation (policy documents dated post-SRA, screenshots of new system configurations, training completion records)
Governance and Board Documentation
- Board or executive committee meeting minutes mentioning the SRA and risk response strategy (demonstrates executive awareness and commitment)
- Delegated authority documentation (who in your organization is responsible for SRA oversight and remediation)
- If you accepted a risk, board minutes or a formal risk acceptance memo from the Chief Risk Officer or equivalent
Vendor / Third-Party Documentation (If Applicable)
- SRA vendor’s credentials and qualifications (certifications, experience, relevant expertise)
- Statement of Work (SOW) showing the SRA scope and methodology
- Any follow-up correspondence with the vendor (e.g., clarifications, additional findings, update in light of new HIPAA rules)
- Business Associate Agreement (BAA) with the SRA vendor if they’re handling ePHI
Remediation Evidence (For Implemented Changes)
- Screenshots or configuration reports showing new security controls (e.g., MFA settings, encryption status)
- Training records proving staff completed security awareness on the changes
- Policy document updates with effective dates
- Access logs or audit trails demonstrating the use of new controls
2026-Specific Items (New for 2026 Attestation)
- Documentation that your SRA addresses mandatory encryption requirements from the updated HIPAA Security Rule
- Evidence of MFA implementation or a documented remediation plan with timeline
- Business Associate breach notification procedures updated for the 24-hour requirement
- Alignment statement: A simple memo from your Compliance Officer stating that your SRA reflects the January 2024 HIPAA Security Rule updates and the 2024 SAFER Guides
The HIPAA Compliance Checklist 2026 provides an additional framework for cross-checking your documentation against regulatory requirements.
Organizations that update their SRA before June 30, 2026 receive a complimentary audit readiness review. Medcurity’s team identifies gaps in your documentation and helps you build an audit-defensible risk response plan. Start your SRA readiness assessment today.
2026 Timeline and Critical Dates
Timing is everything in MIPS compliance. Here’s what you’re working with for 2026:
| Milestone | Date | What You Need to Do |
|---|---|---|
| 2026 QPP Performance Period Begins | January 1, 2026 | Ensure your SRA is current and risk response actions are underway |
| SRA Completion Deadline (Recommended) | March 31, 2026 | Complete or update your 2026 SRA; begin risk response documentation |
| Risk Response Planning Deadline | May 31, 2026 | Board approval of risk response strategy; assign ownership and timelines |
| 2026 MIPS Attestation Opens | January 31, 2027 | Submit your MIPS data including SRA attestation through CMS portal |
| MIPS Attestation Deadline | March 31, 2027 | All 2026 MIPS data and SRA attestation must be submitted |
| Payment Adjustment Year | January 1, 2028 | Medicare payments reflect your 2026 MIPS performance; adjustments appear |
| CMS Audit Window Opens | Mid-2027 onward | CMS begins selecting 2026 attestations for audit; documentation must be audit-ready |
Critical insight: You have roughly ten months (January to October 2026) to conduct or update your SRA and get board buy-in on your risk response strategy. Don’t wait until 2027. CMS auditors are aggressive in their 2026 sampling, and a hastily prepared attestation will invite scrutiny.
Many organizations procrastinate and submit their attestation in March 2027 with an incomplete SRA or vague risk response plans. By then, it’s too late to gather additional evidence. Conduct your SRA by March 2026, finalize your risk response strategy by May 2026, and use the rest of the year to execute on your remediation plans. This gives you evidence to show auditors that you took the SRA seriously and acted on its findings.
Common Audit Findings and Prevention Strategies
CMS audit data from 2024 and early 2025 reveals patterns in what triggers MIPS SRA audit findings. Here are the most frequent issues and how to avoid them:
Finding #1: SRA Too Old or Outdated
Pattern: Organization submitted an attestation in 2025 or 2026 based on an SRA conducted in 2022 or early 2023. Auditors found that the SRA didn’t address the January 2024 HIPAA Security Rule updates or current SAFER Guides.
Prevention: Conduct a new SRA every two years at minimum. For 2026 attestation, your SRA should be dated 2025 or early 2026. If you’re using an older SRA, include a supplemental memo updating your findings in light of the new HIPAA rules and SAFER Guides. Better yet, commission a fresh SRA. The cost (typically $3,000 to $8,000 depending on organization size) is negligible compared to the risk of payment adjustments from an audit failure.
Finding #2: No Risk Response Documentation
Pattern: Organization had an SRA, but no documented plan for addressing the risks it identified. When auditors asked, “What did you do with this finding?” the organization had no answer beyond “we’re aware of it.”
Prevention: Create a risk response matrix immediately after receiving your SRA. For each high-risk and medium-risk finding, document one of the following: remediation with timeline, risk acceptance with board approval, or evidence of completed action. File this matrix in your MIPS documentation folder. Update it quarterly to show progress.
Finding #3: Staff Don’t Know About Security Changes
Pattern: SRA recommended MFA implementation, and the organization deployed MFA. But during audit interviews, clinical staff said they were unaware of the requirement and had difficulty articulating the policy behind it.
Prevention: When your SRA drives a security change, build in a communication and training phase. Send organization-wide emails explaining the change and why it matters. Hold brief training sessions. Maintain training completion records. Document this in your MIPS package. Auditors will ask staff about security policies, and if staff can coherently explain them, you’re in a much stronger position.
Finding #4: Unrealistic or Unsupported Remediation Timelines
Pattern: Risk response plan stated, “We will encrypt all data by December 2026,” but there was no budget allocation, vendor selection in progress, or interim milestones. It looked like a placeholder rather than a real plan.
Prevention: Remediation timelines must be realistic and supported. Include: (a) interim milestones (e.g., “Vendor selection by Q2, pilot deployment in Q3, full rollout by Q4 2026”), (b) assigned ownership (name and title), and (c) budget approval or allocation. This shows auditors that your plan is serious and resourced.
Finding #5: Conflicting Documentation
Pattern: SRA stated that the organization has a “strong password policy requiring 12-character minimum passwords,” but when auditors reviewed the actual password policy document, it was last updated in 2019 and required only 8 characters.
Prevention: Before submitting your SRA, verify that it reflects your current practices and policies. If it identifies a gap (e.g., weak passwords), make sure your remediation plan updates the policy document. Don’t just change the technical setting; update the written policy and date it. Keep both the SRA and the updated policy in your MIPS documentation package. Consistency is credibility.
Finding #6: No Business Associate (BA) Oversight in SRA
Pattern: Organization conducted an SRA of its own systems but didn’t assess the security practices of vendors, cloud providers, or IT contractors who access ePHI. The SRA was silent on third-party risk.
Prevention: Your SRA must include an assessment of third-party risks. Do you have BAAs in place? Have you conducted vendor risk assessments? Have you verified that your vendors comply with the updated HIPAA Security Rule (especially encryption and MFA)? The new 24-hour BA breach notification requirement is part of this. Document that you’ve verified BA security practices. If you haven’t, add this to your risk response plan.
For more detail on third-party risk management as it relates to your SRA, see the MACRA, MIPS, and the Security Risk Analysis resource.
Frequently Asked Questions
Does a Security Risk Analysis satisfy all of my MIPS requirements?
No. This is the most critical misconception. A Security Risk Analysis is one measure within the Promoting Interoperability category. MIPS is divided into four domains: Quality (30%), Cost (30%), Promoting Interoperability (25%), and Improvement Activities (15%). Within Promoting Interoperability, there are multiple measures; an SRA satisfies only one. You still need to report on other PI measures (e.g., E-Prescribing, Health Information Exchange) and comply with the Quality, Cost, and Improvement Activities categories. An SRA is a building block of your overall MIPS strategy, not a complete solution.
What if I can’t complete my SRA by March 31, 2026? Can I delay?
Technically, you can submit your attestation in March 2027 with any SRA dated in 2026 or late 2025. But delaying creates risk. If you’re audited and your SRA is dated in early 2027, CMS may argue it’s too recent to be representative of your 2026 performance period practices. Additionally, you’ll have less time to gather evidence of risk response implementation. The safest approach is to conduct your SRA by March 2026 and use the remaining nine months of the performance period to implement risk management actions and gather documentation. This demonstrates good-faith compliance.
We use a third-party IT vendor for all our infrastructure. Who is responsible for the SRA?
You are. As a MIPS-eligible entity, you’re accountable for your MIPS compliance, including the SRA. Your vendor may conduct the SRA on your behalf or provide input into it, but you must oversee the process, validate the findings, and document risk response decisions. Your vendor’s SRA report must cover systems and data within your legal control, including cloud infrastructure if you’re storing patient data there. Ensure your Business Associate Agreement (BAA) with the vendor includes language about SRA responsibilities and access to findings. Document vendor credentials and qualifications. When auditors ask, “Who conducted your SRA?” you need a clear answer with evidence of oversight.
How often do I need to update my SRA?
Best practice is every 24 months. Given the January 2024 HIPAA Security Rule updates and the 2024 SAFER Guides refresh, any SRA conducted before January 2024 should be updated before you attest to 2026 MIPS compliance. For 2027 and beyond, if your organization hasn’t experienced significant infrastructure changes or new threat intelligence, a two-year cycle is acceptable. However, if you make major IT changes (new EHR, new data storage platform, significant staff turnover in security roles), conduct an interim SRA to ensure your risk assessment remains accurate. Some organizations do annual reviews of the SRA with external audits every two years, a reasonable middle ground.
What’s Medcurity’s role in MIPS SRA compliance?
Medcurity helps healthcare organizations and compliance officers conduct Security Risk Analyses aligned with NIST frameworks, HIPAA regulations, and CMS standards. We offer SRA services starting at $499/year for smaller practices and conduct comprehensive assessments for larger health systems. Our advisors specialize in translating SRA findings into MIPS-compliant risk response documentation and have helped over 1,000 organizations achieve audit-ready SRA documentation. We also provide ongoing HIPAA compliance solutions and risk analysis tools to keep your SRA current as regulations evolve.
Don’t let compliance gaps derail your 2026 MIPS performance. Medcurity’s advisors will review your current SRA, identify 2026 attestation gaps, and help you build defensible risk response documentation. Schedule a consultation to discuss your organization’s specific compliance needs.
Key Takeaways
- The 2026 QPP final rule mandates risk management attestation: You must document not just that you conducted an SRA, but that you acted on its findings.
- The January 2024 HIPAA Security Rule updates (mandatory encryption, MFA, 24-hour BA breach notification) directly reshape what qualifies as a valid 2026 SRA.
- CMS auditors validate SRAs through three tiers: documentation completeness, risk response evidence, and implementation timeline credibility.
- A Security Risk Analysis is ONE measure within the Promoting Interoperability category, which is 25% of your total MIPS score. An SRA does not satisfy all MIPS requirements; it’s one component of a larger compliance strategy.
- Your documentation package must include the SRA report, risk response matrix, board-level approval, and evidence of implementation for a robust audit defense.
- Complete your 2026 SRA by March 31, 2026, and finalize your risk response strategy by May 31, 2026, to allow time for evidence gathering before the March 2027 attestation deadline.
- Common audit findings stem from outdated SRAs, missing risk response documentation, staff misalignment on security policies, and unrealistic remediation timelines. Avoid these through proactive planning and communication.
- If your current SRA was conducted before January 2024, update it to reflect the new HIPAA Security Rule requirements and 2024 SAFER Guides before 2026 attestation.
Next Steps
Your 2026 MIPS SRA compliance journey starts now. Here’s what to do immediately:
- Audit your current SRA: Review the SRA you’re working with. If it’s older than 18 months or was conducted before January 2024, prioritize an update.
- Align with the updated HIPAA Security Rule: Verify that your SRA addresses mandatory encryption, MFA, and the new BA breach notification timeline. If it doesn’t, document a supplemental memo or commission a refresh.
- Create your risk response matrix: For each finding in your SRA, document what your organization will do: remediate, accept (with board approval), or escalate.
- Build your documentation package: Start gathering the items on the checklist above. Organize them in a single MIPS folder for easy audit retrieval.
- Get board sign-off: Present your SRA findings and risk response strategy to your board or executive committee. Document their approval. This is now a requirement for credible 2026 attestation.
- Communicate with staff: As your organization implements security changes from the SRA, train staff and maintain training records. This protects you during auditor interviews.
- Consider professional support: If you’re unsure about your SRA’s alignment with 2026 standards or need help building audit-defensible documentation, consult with a HIPAA compliance advisor or consider working with a specialized SRA provider.
The 2026 MIPS landscape is more rigorous, but it’s also clearer. CMS has spelled out exactly what they expect: a current, evidence-based SRA supported by documented risk management actions. Meet those expectations, and you’ll pass audits with confidence. Delay or half-step the process, and you risk payment adjustments and compliance penalties. The choice is yours, but the time to act is now.