This measure was for 2018 MIPS ACI reporting.
For use with CEHRT certified to the 2015 edition.
Measure Description
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.
| Measure ID | Objective | Required for Base Score? | Percentage of Performance Score |
|---|---|---|---|
| ACI_PPHI_1 | Protect Patient Health Information | Yes | 0% |
Reporting Requirements
To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
Definition of Terms & Additional Information
- At minimum, MIPS eligible clinicians should be able to show a plan for correcting or mitigating deficiencies and that steps are being taken to implement that plan.
- The parameters of the security risk analysis are defined in 45 CFR 164.308(a)(1), which was created by the HIPAA Security Rule. MIPS does not impose new or expanded requirements on the HIPAA Security Rule, nor does it require specific use of every certification and standard that is included in certification of EHR technology. More information on the HIPAA Security Rule can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
- HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
- Additional free tools and resources available to assist providers include a Security Risk Assessment (SRA) Tool developed by ONC and OCR: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.