Protect Patient Health Information
Security Risk Analysis
Definition of Terms
To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
Required for Promoting Interoperability Performance Category Score: Yes
Eligible for Bonus Score: No
Note: MIPS eligible clinicians must:
- Submit a “yes” to the Prevention of Information Blocking Attestations
- Submit a “yes” to the ONC Direct Review Attestation, if applicable
- Submit a “yes” that they have completed the Security Risk Analysis measure during the calendar year in which the MIPS performance period occurs
- Report the required measures from each of the four objectives in order to earn a score greater than zero for the Promoting Interoperability performance category
- MIPS eligible clinicians must use EHR technology certified to the 2015 Edition certification criteria to support the Promoting Interoperability performance category objectives and measures.
- Failure to complete the required actions for the Security Risk Analysis will result in no score for the Promoting Interoperability performance category, regardless of whether other measures in this category are reported.
- The Security Risk Analysis measure is not scored and does not contribute any points to the MIPS eligible clinician’s total score.
- More information about Promoting Interoperability performance category scoring is available on the QPP website.
- It is acceptable for the security risk analysis to be conducted or reviewed outside the performance period; however, the analysis must be unique for each performance period, the scope must include the full MIPS performance period, and it must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).
- An analysis must be conducted when 2015 Edition CEHRT is implemented.
- An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each MIPS performance period. Any security updates and deficiencies that are identified should be included in the clinician's risk management process and implemented or corrected as dictated by that process.
- The security risk analysis requirement under 45 CFR 164.308(a)(1) must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.
- At a minimum, MIPS eligible clinicians should be able to show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.
- The parameters of the security risk analysis are defined at 45 CFR 164.308(a)(1), which was created by the HIPAA Security Rule. MIPS does not impose new or expanded requirements on the HIPAA Security Rule nor does it require specific use of every certification and standard that is included in certification of EHR technology. More information on the HIPAA Security Rule can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
- HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-riskanalysis/index.html.
- Additional free tools and resources available to assist providers include a Security Risk Assessment (SRA) Tool developed by ONC and OCR: https://www.healthit.gov/topic/privacysecurity-and-hipaa/security-risk-assessment-tool.
- When MIPS eligible clinicians choose to report as a group, data should be aggregated for all MIPS eligible clinicians under one Taxpayer Identification Number (TIN). This includes those MIPS eligible clinicians who may qualify for reweighting such as a significant hardship exception, hospital or ASC-based status, or in a specialty which is not required to report data to the Promoting Interoperability performance category. If these MIPS eligible clinicians choose to report as a part of a group practice, they will be scored on the Promoting Interoperability performance category like all other MIPS eligible clinicians.
For further discussion, please see the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) final rule: 81 FR 77227.
For additional discussion, please see the 2018 Physician Fee Schedule final rule – Quality Payment Program final rule: 83 FR 59790.
In order to meet this objective and measure, MIPS eligible clinicians must use the capabilities and standards of CEHRT at 45 CFR 170.315 (d)(1) through (d)(9).
Certification Standards and Criteria
Below are the corresponding certification and standards criteria for electronic health record technology that supports this measure.
Information about certification for 2015 Edition CEHRT can be found at the links below:
§170.315(d)(1) Authentication, access control, and authorization
§170.315(d)(2) Auditable events and tamper-resistance
§170.315(d)(3) Audit report(s)
§170.315(d)(5) Automatic access time-out
§170.315(d)(6) Emergency access
§170.315(d)(7) End-user device encryption
§170.315(d)(9) Trusted Connection
Standards for 2015 Edition CEHRT can be found at the ONC’s 2015 Standards Hub: