MACRA requires quality reporting and a Security Risk Assessment to be considered for participating in the program. Formal documentation that supports SRA is necessary when it comes to patient data. Organizations, both large and small may be liable if they fail to exercise oversight concerning their organization’s cybersecurity risks and if they fail to establish and implement an information and reporting system to ensure compliance with applicable laws.