Provide Patients Electronic Access to Their Health Information | MIPS PI Measures for 2023 Reporting


Provider to Patient Exchange

Measure: Provide Patients Electronic Access to Their Health Information
For at least one unique patient seen by the MIPS eligible clinician: (1) The patient (or the patient-authorized representative) is provided timely access to view online, download, and transmit his or her health information; and (2) The MIPS eligible clinician ensures the patient's health information is available for the patient (or patient-authorized representative) to access using any application of their choice that is configured to meet the technical specifications of the Application Programming Interface (API) in the MIPS eligible clinician's certified electronic health record technology (CEHRT).
Measure ID:


PDF link:

Provide Patients Electronic Access to Their Health Information

Definition of Terms

API or Application Programming Interface: 
A set of programming protocols established for multiple purposes. APIs may be enabled by a health care provider or provider organization to provide the patient with access to their health information through a third-party application with more flexibility than is often found in many current “patient portals.”

Provide Access:
When a patient possesses all of the necessary information needed to view, download, or transmit their information. This could include providing patients with instructions on how to access their health information, the website address they must visit for online access, a unique and registered username or password, instructions on how to create a login, or any other instructions, tools, or materials that patients need in order to view, download, or transmit their information.

Timely Access:
We define “timely” as within 4 business days of the information being available to the MIPS eligible clinician.

Unique Patient:
If a patient is seen by a MIPS eligible clinician more than once during the performance period, then, for purposes of measurement, that patient is only counted once in the denominator for the measure. All the measures relying on the term “unique patient” relate to what is contained in the patient’s medical record. Not all of this information will need to be updated or even be needed by the clinician at every patient encounter. This is especially true for patients whose encounter frequency is such that they would see the same clinician multiple times in the same performance period.


Reporting Requirements

Numerator:
The number of patients in the denominator (or patient-authorized representative) who are provided timely access to health information to view online, download, and transmit to a third party and to access using an application of their choice that is configured to meet the technical specifications of the API in the MIPS eligible clinician's CEHRT.

Denominator:
The number of unique patients seen by the MIPS eligible clinician during the performance period.


Scoring Information

  • Required for Promoting Interoperability Performance Category Score: Yes
  • Measure Score: 25 points
  • Eligible for Bonus Score: No

Note: In order to earn a score greater than zero for the Promoting Interoperability performance category, MIPS eligible clinicians must:

  • Complete the Security Risk Analysis measure
  • Review the High Priority Practices SAFER Guide [1]
  • Complete the ONC Direct Review attestation
  • Attest to the Actions to limit or restrict compatibility or interoperability of CEHRT statement
  • Submit their complete numerator and denominator or Yes/No data for all required measures.
  • Submit their CMS certification identification number
  • Submit their level of active engagement for the Public Health and Clinical Data Exchange measures
  • Failure to report at least a “1” in all required measures with a numerator or reporting a “No” for a Yes/No response measure (except for the SAFER Guides measure [2]) will result in a total score of 0 points for the Promoting Interoperability performance category.

Additional Information

  • In 2023, MIPS eligible clinicians may use technology certified to the 2015 Edition of health IT certification criteria and updated to the 2015 Edition Cures Update to meet the CEHRT definition. (85 FR 84472)
  • To learn more about the 2015 Edition Cures Update and the changes to 2015 Edition certification criteria finalized in the 21st Century Cures Act final rule (85 FR 25642), we encourage MIPS eligible clinicians to visit
  • To check whether a health IT product has been certified to criteria updated for the 2015 Edition Cures Update, visit the Certified Health IT Product List (CHPL) at
  • Certified functionality must be used as needed for a measure action to count in the numerator during a performance period. However, in some situations the product may be deployed during the performance period, but pending certification. In such cases, the product must be certified by the last day of the performance period.
  • Actions included in the numerator must occur within the performance period.
  • To implement an API, the MIPS eligible clinician would need to fully enable the API functionality such that any application chosen by a patient would enable the patient to gain access to their individual health information provided that the application is configured to meet the technical specifications of the API. MIPS eligible clinicians may not prohibit patients from using any application, including third-party applications, which meet the technical specifications of the API, including the security requirements of the API. MIPS eligible clinicians are expected to provide patients with detailed instructions on how to authenticate their access through the API and provide the patient with supplemental information on available applications that leverage the API.
  • Similar to how MIPS eligible clinicians support patient access to view, download and transmit (VDT) capabilities, MIPS eligible clinicians should continue to have identity verification processes to ensure that a patient using an application, which is leveraging the API, is provided access to their health information.
  • In circumstances where there is no information available to populate one or more of the fields previously listed, either because the MIPS eligible clinicians can be excluded from recording such information or because there is no information to record (for example, no medication allergies or laboratory tests), the MIPS eligible clinician may have an indication that the information is not available and still meet the objective and its associated measure.
  • The patient must be able to access this information on demand, such as through a patient portal or personal health record (PHR) or by other online electronic means. We note that while a covered entity may be able to fully satisfy a patient's request for information through VDT, the measure does not replace the covered entity's responsibilities to meet the broader requirements under HIPAA to provide an individual, upon request, with access to PHI in a designated record set.
  • MIPS eligible clinicians should also be aware that while the measure is limited to the capabilities of CEHRT to provide online access, there may be patients who cannot access their EHRs electronically because of a disability. MIPS eligible clinicians who are covered by civil rights laws must provide individuals with disabilities equal access to information and appropriate auxiliary aids and services as provided in the applicable statutes and regulations.
  • For the measure, MIPS eligible clinicians must offer all four functionalities (view, download, transmit, and access through API) to their patients. Patient health information needs to be made available to each patient for view, download, and transmit within 4 business days of the information being available to the clinician for each and every time that information is generated whether the patient has been "enrolled" for three months or for three years.
  • A patient who has multiple encounters during the performance period, or even in subsequent performance periods in future years, needs to be provided access for each encounter where they are seen by the MIPS eligible clinician.
  • If a patient elects to "opt out" of participation, that patient must still be included in the denominator.
  • If a patient elects to “opt out” of participation, the MIPS eligible clinician may count that patient in the numerator if the patient is provided all of the necessary information to subsequently access their information, obtain access through a patient-authorized representative, or otherwise opt-back-in without further follow up action required by the clinician.
  • The MIPS eligible clinician must continue to update the information accessible to the patient each time new information is available. 
  • For view, download, and transmit functionality, the required content is:
  • For API functionality the required data set is the USCDI ( 
  • When MIPS eligible clinicians choose to report as a group, data should be aggregated for all MIPS eligible clinicians under one Taxpayer Identification Number (TIN). This includes those MIPS eligible clinicians who may qualify for reweighting through an approved Promoting Interoperability hardship exception, hospital or ASC-based status, or in a specialty which is not required to report data to the Promoting Interoperability performance category. If these MIPS eligible clinicians choose to report as a part of a group practice, they will be scored on the Promoting Interoperability performance category like all other MIPS eligible clinicians. 


Regulatory References

  • For further discussion, please see the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) final rule: 81 FR 77228.
  • For additional discussion, please see the 2018 Physician Fee Schedule final rule – Quality Payment Program final rule: 83 FR 59789.
  • In order to meet this objective and measure, MIPS eligible clinicians must use technology certified to the criteria at 45 CFR 170.315 (e)(1), (g)(7), (8) or (g)(10), and (9).


Certification Standards and Criteria

Information about the corresponding certification criteria for electronic health record technology that support this measure can be found below:

Certification Criteria:
§170.315(e)(1) View, Download, and Transmit to 3rd Party
§170.315(g)(7) Application Access — Patient Selection
§170.315(g)(9) All Data Request
§170.315(g)(10) Application access — standardized API for patient and population services


[1] The SAFER, or Safety Assurance Factors for EHR Resilience, Guides measure was added in the CY 2022 Physician Fee Schedule Final Rule.
[2] In 2023, eligible clinicians will be required to submit one “yes/no” attestation statement for completing an annual self-assessment of the High Priority Practices SAFER Guide, and the “yes” or “no” attestation will fulfill the measure.
