2017 ACI Transition Measure: Security Risk Analysis

Under the Merit-based Incentive Payment System (MIPS) pathway of the MACRA Quality Payment Program, the Advancing Care Information (ACI) category replaces the Medicare EHR Incentive Program (Meaningful Use). ACI is one of the three performance categories that will be considered and weighted for scoring a clinician’s performance under MIPS (four categories will be included starting in 2018). A clinician’s score for the Security Risk Analysis measure is dependent on the clinician meeting the measure’s base score requirements. For more information on ACI scoring methodology, please click here.

Objective:

Protect Patient Health Information

Measure:

Security Risk Analysis                 
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

Scoring Information:

  • Required for Base Score (50%): Yes
  • Percentage of Performance Score (up to 90%): None
  • No bonus points available

Reporting Requirements

  • YES/NO: To meet this measure, eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.

ONC Security Risk Analysis (SRA) Tool
In collaboration with the HHS Office for Civil Rights, the ONC released a tool to help practices conduct and document a comprehensive assessment to identify risks in their organizations. The SRA tool also produces a report that can be useful for audits.

Download the Security Risk Analysis tool >>

Since your practice is unique and you know your practice best, you are ultimately responsible for adopting and implementing security and privacy measures that are appropriate and reasonable for your practice's needs and capabilities.

For additional support, you should consult with a qualified professional who can use his or her expertise to help mitigate potential risks, identify potential areas for improving security, and train your staff. CMS has also created a Security Risk Analysis Tip Sheet to help you understand this requirement.

Make sure to keep any documentation you use for your records to prove you have completed this measure during your reporting year: It is acceptable for the security risk analysis to be conducted outside the selected MIPS performance period, however, the analysis must be unique for each MIPS performance period, the scope must include the full MIPS performance period, and the analysis must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).

Data Validation
CMS has published guidance to help providers better understand the documentation they should retain around meeting MIPS requirements. CMS calls this guidance "MIPS Data Validation Criteria" because it describes the types of documentation that would validate the data the provider submits to CMS at the end of the performance period. You can learn more about this by reviewing CMS’ MIPS Data Validation Fact Sheet and you can see the specific documentation guidelines applicable to the ACI Transition Measures in CMS’ MIPS Data Validation Criteria for ACI Transition Measures.

More information

  • Review the CMS specifications for more information about the Advancing Care Information Transitional measures.
  • For more information on the Merit-based Incentive Payment System (MIPS) program, you can visit Practice Fusion’s Quality Payment Program Center.
  • CMS also provides further resources about the Quality Payment Program here.

Quality Payment Program

  1. Quality Payment Program: What is the Merit-Based Incentive Payment System (MIPS)
  2. What is the Advancing Care Information (ACI) Performance Category for MIPS and how is it scored?
  3. 2017 ACI Transition Measure: Security Risk Analysis
  4. 2017 ACI Transition Measure: Electronic Prescribing (eRx)
  5. 2017 ACI Transition Measure: Provide Patient Access
  6. 2017 ACI Transition Measure: Health Information Exchange
  7. 2017 ACI Transition Measure: View, Download, or Transmit (VDT)
  8. 2017 ACI Transition Measure: Patient-Specific Education
  9. 2017 ACI Transition Measure: Secure Messaging
  10. 2017 ACI Transition Measure: Medication Reconciliation
  11. 2017 ACI Transition Measure: Immunization Registry Reporting
  12. 2017 ACI Bonus Measure: Syndromic Surveillance Reporting
  13. 2017 ACI Bonus Measure: Specialized Registry Reporting
  14. What is the Improvement Activities Performance Category for MIPS?
  15. What are the Quality performance category reporting requirements for MIPS?
  16. What is the difference between the two Advancing Care Information measure sets available in 2017?
  17. Advanced APM: What is Comprehensive Primary Care Plus (CPC+)?
  18. Which Improvement Activities Qualify for the Advancing Care Information (ACI) Bonus Score in 2017?
  19. What is the MIPS Dashboard watch list and how do I use it?
  20. How does the MIPS Dashboard work?
  21. How is the MIPS Final Score Calculated?
  22. MIPS for Small, Rural and Underserved Practices
  23. How do I contact CMS about the Quality Payment Program?
  24. What is the Practice Fusion QCDR?
  25. How do I indicate interest in the Practice Fusion QCDR and get my MIPS estimated scores?
  26. Chronic Care Management FAQs

Feedback and Knowledge Base