2018 PI Transition Measure: Security Risk Analysis

← Quality Payment Program

Under the Merit-Based Incentive Payment System (MIPS) pathway of the MACRA Quality Payment Program, Promoting Interoperability (PI) is one of the four performance categories that will be considered and weighted for scoring an eligible clinician’s performance under MIPS.

In 2018, there are 2 measure set options for submission depending on the Certified EHR Technology (CEHRT) edition a clinician is using:

  • Promoting Interoperability Measures

  • Promoting Interoperability (PI) Transition Measures

Depending on the CEHRT Edition, there will be different objectives from which the MIPS eligible clinician may choose to report. This article outlines the measure details and specifications for the 2018 PI Transition Measure: Security Risk Analysis.

Measure Set

PI Transition Measures

Objective:

Protect Patient Health Information

Measure:

Security Risk Analysis                  

Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

Scoring Information:

  • Required for Base Score: Yes

  • Percentage of Performance Score: N/A

  • Eligible for Bonus Score: No

Measure Requirements

  • YES/NO: To meet this measure, eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.

ONC Security Risk Analysis (SRA) Tool

In collaboration with the HHS Office for Civil Rights, the Office of the National Coordinator for Health IT (ONC) released a tool to help practices conduct and document a comprehensive assessment to identify risks in their organizations. The Security Risk Analysis tool also produces a report that can be useful for audits.

Download the ONC Security Risk Analysis tool >>

Since your practice is unique and you know your practice best, you are ultimately responsible for adopting and implementing security and privacy measures that are appropriate and reasonable for your practice's needs and capabilities.

For additional support, you should consult with a qualified professional who can use his or her expertise to help mitigate potential risks, identify potential areas for improving security, and train your staff. CMS published a Security Risk Analysis Tip Sheet specific to the EHR Incentive Program, but it may be helpful if your practice did not complete this requirement prior to participating in MIPS. Please reach out to CMS directly to understand how the information in the Security Risk Analysis tip sheet should be applied by eligible clinicians participating in MIPS.

Make sure to keep any documentation you use for your records to prove you have completed this measure during your reporting year. It is acceptable for the security risk analysis to be conducted outside the selected MIPS performance period, however, the analysis must be unique for each MIPS performance period, the scope must include the full MIPS performance period, and the analysis must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).

More information

  • Review the CMS specifications for more information about the Advancing Care Information Transitional measures.

  • For more information on the Merit-based Incentive Payment System (MIPS) program, you can visit Practice Fusion’s Quality Payment Program Center.

  • CMS also provides further resources about the Quality Payment Program here.

Quality Payment Program

  1. 2018 Quality Payment Program: What is the Merit-Based Incentive Payment System (MIPS)
  2. What is the MIPS Dashboard watch list and how do I use it?
  3. How does the MIPS Dashboard work?
  4. What is the Promoting Interoperability (formerly Advancing Care Information) performance category in MIPS?
  5. 2018 What is the Quality performance category in MIPS?
  6. 2018 What are Improvement Activities in MIPS?
  7. Which Improvement Activities qualify for the Promoting Interoperability performance category bonus in 2018?
  8. What is the Cost performance category of MIPS and how is it scored in 2018?
  9. How is the MIPS Final Score Calculated in 2018?
  10. What is a MIPS eligible clinician in 2018?
  11. MIPS for Small, Rural and Underserved Practices
  12. 2018 PI Transition Measure: Medication Reconciliation
  13. 2018 PI Transition Measure: Electronic Prescribing (eRx)
  14. 2018 PI Transition Measure: Secure Messaging
  15. 2018 PI Transition Measure: Security Risk Analysis
  16. 2018 PI Transition Measure: Health Information Exchange
  17. 2018 PI Transition Measure: Immunization Registry Reporting
  18. 2018 PI Transition Measure: Specialized Registry Reporting
  19. 2018 PI Transition Measure: Syndromic Surveillance Reporting
  20. 2018 PI Transitional Measure: View, Download, or Transmit (VDT)
  21. 2018 PI Transition Measure: Provide Patient Access
  22. 2018 PI Transition Measure: Patient-Specific Education
  23. What is the Practice Fusion QCDR?
  24. 2017 Quality Payment Program: What is the Merit-Based Incentive Payment System (MIPS)
  25. How do I report my 2017 MIPS data to CMS using the Practice Fusion QCDR?
  26. What is the Advancing Care Information (ACI) Performance Category for MIPS and how is it scored?
  27. 2017 ACI Transition Measure: Security Risk Analysis
  28. 2017 ACI Transition Measure: Electronic Prescribing (eRx)
  29. 2017 ACI Transition Measure: Provide Patient Access
  30. 2017 ACI Transition Measure: Health Information Exchange
  31. 2017 ACI Transition Measure: View, Download, or Transmit (VDT)
  32. 2017 ACI Transition Measure: Patient-Specific Education
  33. 2017 ACI Transition Measure: Secure Messaging
  34. 2017 ACI Transition Measure: Medication Reconciliation
  35. 2017 ACI Transition Measure: Immunization Registry Reporting
  36. 2017 ACI Bonus Measure: Syndromic Surveillance Reporting
  37. 2017 ACI Bonus Measure: Specialized Registry Reporting
  38. What is the Improvement Activities Performance Category for MIPS?
  39. What are the Quality performance category reporting requirements for MIPS?
  40. What is the difference between the two Advancing Care Information measure sets available in 2017?
  41. What are Alternative Payment Models (APMs) and Advanced APMs?
  42. What is Comprehensive Primary Care Plus (CPC+)?
  43. Which Improvement Activities Qualify for the Advancing Care Information (ACI) Bonus Score in 2017?
  44. How do I contact CMS about the Quality Payment Program?
  45. How do I indicate interest in the Practice Fusion QCDR and get my MIPS estimated scores?
  46. Chronic Care Management FAQs
  47. How do I export a JSON file for 2017 MIPS reporting?
  48. How is the MIPS Final Score Calculated in 2017?

Feedback and Knowledge Base

(thinking…)