As noted in Paul Kim and Hannah Whitman Clark's article regarding HIPAA Security Risk Analyses (SRAs), covered entities (CEs) and business associates (BAs) are required to review and update their risk assessments only under certain conditions after completing their initial SRAs. However, for purposes of compliance with the Medicare & Medicaid EHR Incentive Program, eligible hospitals and professionals participating in the Meaningful Use (MU) Program must review and update the risk assessments of their certified EHR technology (CEHRT) each federal fiscal year or calendar year, respectively, per CMS's Tipsheet.