Federal scrutiny of physician privacy and security practices is on the rise.  The Department of Health and Human Services’ Office of Civil Rights (OCR) is currently auditing covered entities – including small physician practices – for compliance with HIPAA, including the Security Rule and its requirement to conduct a security risk analysis (SRA).  At the same time, the Centers for Medicare and Medicaid Services (CMS) and its contractor, Figliozzi & Co., is auditing physicians and practices that have participated in the Meaningful Use program.  More than half of those who participated in 2013 are reported to have failed to meet the requirements to successfully report under Meaningful Use.  Similarly, after conducting a pilot audit program in 2011, the OCR found that 47 out of 59 providers audited had no complete SRA, and 58 out of 59 had at least one problem with HIPAA security compliance.  The SRA represents the keystone for a practice’s entire approach to ensuring the security of electronic protected health information and complying with HIPAA.  If your practice hasn’t conducted an SRA, or you are unsure about whether you have, it’s time to start paying attention.   Under the Meaningful Use program, failure to conduct a SRA or meet any of the other Meaningful Use requirements means the participant must return its entire incentive payment, and may subject the participant to a 1% payment reduction for all Medicare payments.  Likewise, failure to comply with Security Rule requirements – many of which require that a SRA have been conducted, may result in the imposition of fines and require a physician to enter into a resolution agreement with the OCR.  Dan Shay explores these issues, and offers practical guidance on how to comply with these requirements, in his chapter for the 2015 HEALTH LAW HANDBOOK, “HIPAA and Meaningful Use Audits and The Security Risk Analysis Nexus.