Under the Merit-Based Incentive Payment System (MIPS) pathway of the MACRA Quality Payment Program, Promoting Interoperability (PI) is one of the four performance categories that will be considered and weighted for scoring an eligible clinician’s performance under MIPS.
In 2018, there are 2 measure set options for submission depending on the Certified EHR Technology (CEHRT) edition a clinician is using:
Promoting Interoperability Measures
Promoting Interoperability (PI) Transition Measures
Depending on the CEHRT Edition, there will be different objectives from which the MIPS eligible clinician may choose to report. This article outlines the measure details and specifications for the 2018 PI Transition Measure: Security Risk Analysis.
PI Transition Measures
Protect Patient Health Information
Security Risk Analysis
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.
YES/NO: To meet this measure, eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
ONC Security Risk Analysis (SRA) Tool
In collaboration with the HHS Office for Civil Rights, the Office of the National Coordinator for Health IT (ONC) released a tool to help practices conduct and document a comprehensive assessment to identify risks in their organizations. The Security Risk Analysis tool also produces a report that can be useful for audits.
Since your practice is unique and you know your practice best, you are ultimately responsible for adopting and implementing security and privacy measures that are appropriate and reasonable for your practice's needs and capabilities.
For additional support, you should consult with a qualified professional who can use his or her expertise to help mitigate potential risks, identify potential areas for improving security, and train your staff. CMS published a Security Risk Analysis Tip Sheet specific to the EHR Incentive Program, but it may be helpful if your practice did not complete this requirement prior to participating in MIPS. Please reach out to CMS directly to understand how the information in the Security Risk Analysis tip sheet should be applied by eligible clinicians participating in MIPS.
Make sure to keep any documentation you use for your records to prove you have completed this measure during your reporting year. It is acceptable for the security risk analysis to be conducted outside the selected MIPS performance period, however, the analysis must be unique for each MIPS performance period, the scope must include the full MIPS performance period, and the analysis must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).
Review the CMS specifications for more information about the Advancing Care Information Transitional measures.
For more information on the Merit-based Incentive Payment System (MIPS) program, you can visit Practice Fusion’s Quality Payment Program Center.
- CMS also provides further resources about the Quality Payment Program here.