Protect Patient Health Information
Security Risk Analysis
Definition of Terms
To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
- Required for Promoting Interoperability Performance Category Score: Yes
- Score: N/A
- Eligible for Bonus Score: No
Note: In order to earn a score greater than zero for the Promoting Interoperability performance category, MIPS eligible clinicians must:
- Submit a “yes” to the Prevention of Information Blocking Attestations; and
- Submit a “yes” to the ONC Direct Review Attestation, if applicable; and
- Submit a “yes” that they have completed the Security Risk Analysis measure during the calendar year in which the MIPS performance period occurs; and
- Report the required measures from each of the four objectives.
- In 2021, MIPS eligible clinicians may use certified technology meeting the existing 2015 Edition certification criteria, updated to the 2015 Edition Cures Update, or a combination of the two, to meet the CEHRT definition. (85 FR 84472)
- To learn more about the 2015 Edition Cures Update and the changes to 2015 Edition certification criteria finalized in the 21st Century Cures Act final rule (85 FR 25642), we encourage MIPS eligible clinicians to visit https://www.healthit.gov/curesrule/final-rulepolicy/2015-edition-cures-update.
- To check whether a health IT product has been certified to criteria updated for the 2015 Edition Cures Update, visit the Certified Health IT Product List (CHPL) at https://chpl.healthit.gov/.
- 2015 Edition or 2015 Edition Cures Update functionality must be used as needed for a measure action to count in the numerator during a performance period. However, in some situations the product may be deployed during the performance period but pending certification. In such cases, the product must be certified to the 2015 Edition or the 2015 Edition Cures Update by the last day of the performance period.
- Failure to complete the required actions for the Security Risk Analysis will result in no score for the Promoting Interoperability performance category, regardless of whether other measures in this category are reported.
- The Security Risk Analysis measure is not scored and does not contribute any points to the MIPS eligible clinician’s total score.
- More information about Promoting Interoperability performance category scoring is available on the QPP website.
- It is acceptable for the security risk analysis to be conducted or reviewed outside the performance period; however, the analysis must be unique for each performance period, the scope must include the full MIPS performance period, and it must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).
- An analysis must be conducted when 2015 Edition CEHRT is implemented.
- An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each MIPS performance period. Any security updates and deficiencies that are identified should be included in the clinician's risk management process and implemented or corrected as dictated by that process.
- The security risk analysis requirement under 45 CFR 164.308(a)(1) must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.
- At a minimum, MIPS eligible clinicians should be able to show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.
- The parameters of the security risk analysis are defined at 45 CFR 164.308(a)(1), which was created by the HIPAA Security Rule. MIPS does not impose new or expanded requirements on the HIPAA Security Rule nor does it require specific use of every certification and standard that is included in certification of EHR technology. More information on the HIPAA Security Rule can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
- HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-riskanalysis/index.html.
- Additional free tools and resources available to assist providers include a Security Risk Assessment (SRA) Tool developed by ONC and OCR: https://www.healthit.gov/topic/privacysecurity-and-hipaa/security-risk-assessment-tool.
- For further discussion, please see the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) final rule: 81 FR 77227.
- For additional discussion, please see the 2018 Physician Fee Schedule final rule – Quality Payment Program final rule: 83 FR 59790.
- A security risk analysis should include review of the appropriate implementation of the capabilities and standards specific to each certification criterion.
Certification Standards and Criteria
Below are the corresponding certification criteria for electronic health record technology that support this measure.
The requirements are a part of CEHRT specific to each certification criterion.