Protect Patient Health Information
Security Risk Analysis
Definition of Terms
To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
- Required for Promoting Interoperability Performance Category Score: Yes
- Score: N/A
- Eligible for Bonus Score: No
Note: In order to earn a score greater than zero for the Promoting Interoperability performance category, MIPS eligible clinicians must:
- Complete the activities required by the Security Risk Analysis and High Priority Practices SAFER Guide1 , submit their complete numerator and denominator or Yes/No data for all required measures, and attest to the Actions to limit or restrict compatibility or interoperability of CEHRT statement.
- Failure to report at least a “1” in all required measures with a numerator or reporting a “No” for a Yes/No response measure (except for the SAFER Guides measure2 ) will result in a total score of 0 points for the Promoting Interoperability performance category.
- In 2022, MIPS eligible clinicians may use certified technology meeting the existing 2015 Edition certification criteria, updated to the 2015 Edition Cures Update, or a combination of the two, to meet the CEHRT definition. (85 FR 84472)
- To learn more about the 2015 Edition Cures Update and the changes to 2015 Edition certification criteria finalized in the 21st Century Cures Act final rule (85 FR 25642), we encourage MIPS eligible clinicians to visit https://www.healthit.gov/curesrule/final-rulepolicy/2015-edition-cures-update.
- To check whether a health IT product has been certified to criteria updated for the 2015 Edition Cures Update, visit the Certified Health IT Product List (CHPL) at https://chpl.healthit.gov/.
- 2015 Edition or 2015 Edition Cures Update functionality must be used as needed for a measure action to count in the numerator during a performance period. However, in some situations the product may be deployed during the performance period, but pending certification. In such cases, the product must be certified to the 2015 Edition or the 2015 Edition Cures Update by the last day of the performance period.
- Failure to complete the required actions for the Security Risk Analysis will result in no score for the Promoting Interoperability performance category, regardless of whether other measures in this category are reported. • The Security Risk Analysis measure is not scored and does not contribute any points to the MIPS eligible clinician’s total score.
- It is acceptable for the security risk analysis to be conducted or reviewed outside the performance period; however, the analysis must be unique for each performance period, the scope must include the full performance period, and it must be conducted within the calendar year of the performance period (January 1st – December 31st).
- An analysis must be conducted when 2015 Edition CEHRT is implemented.
- An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each performance period. Any security updates and deficiencies that are identified should be included in the clinician's risk management process and implemented or corrected as dictated by that process.
- The security risk analysis requirement under 45 CFR 164.308(a)(1) must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.
- At a minimum, MIPS eligible clinicians should be able to show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.
- The parameters of the security risk analysis are defined at 45 CFR 164.308(a)(1), which was created by the HIPAA Security Rule. MIPS does not impose new or expanded requirements on the HIPAA Security Rule nor does it require specific use of every certification and standard that is included in certification of EHR technology. More information on the HIPAA Security Rule can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
- HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-riskanalysis/index.html.
- Additional free tools and resources available to assist providers include a Security Risk Assessment (SRA) Tool developed by ONC and OCR: https://www.healthit.gov/topic/privacysecurity-and-hipaa/security-risk-assessment-tool.
- For further discussion, please see the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) final rule: 81 FR 77227.
- For additional discussion, please see the 2018 Physician Fee Schedule final rule – Quality Payment Program final rule: 83 FR 59790.
- A security risk analysis should include review of the appropriate implementation of the capabilities and standards specific to each certification criterion.
Certification Standards and Criteria
Below are the corresponding certification criteria for electronic health record technology that support this measure.
The requirements are a part of CEHRT specific to each certification criterion.
1 The SAFER, or Safety Assurance Factors for EHR Resilience, Guides measure was added in the CY 2022 Physician Fee Schedule Final Rule but will not affect Promoting Interoperability performance category participants’ scores in 2022.
2 In 2022, eligible clinicians will be required to submit one “yes/no” attestation statement for completing an annual self-assessment of the High Priority Practices SAFER Guide, but the “yes” or “no” attestation response will not affect the Promoting Interoperability performance category score.