Mid-Week MACRA Minute – Security Risk Assessment

Helping you put the MIPS pieces together each week!

The importance of having and maintaining an up-to-date Security Risk Assessment

Security risk assessments have been required for the past 12 years, and they were also a requirement of the Meaningful Use program in previous years.

HIPAA requires that covered entities conduct a risk assessment of their healthcare organization to help ensure compliance with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also identifies areas where your patients’ protected health information (PHI) might be at risk.

Conducting or reviewing a security risk assessment to meet HIPAA standards is an important part of the Merit-based Incentive Payment System (MIPS). The requirements have not changed from a security risk perspective; however, the penalties for noncompliance are much greater than in previous years. NOT conducting a security risk assessment could cost providers 25% of their MIPS payment. And incorrectly reporting that a security risk assessment has been performed can cost your practice stiff penalties in the event of an audit.

The security risk assessment requirement of MIPS is included in the Advancing Care Information (ACI) category. Providers who do not have a security risk assessment in place won’t meet the BASE score requirement for the ACI category and will therefore earn 0% in the ACI category, which is 25% of your total MIPS score. That’s a huge chunk of your potential earnings at stake.

Practices need to act now to make sure a security risk assessment is in place to meet the HIPAA security requirements, and to make sure that risk assessment is updated on a consistent basis.

Remember that a HIPAA security risk analysis goes beyond your EHR security and can include employee computer passwords and physical security, as well as HIPAA administrative requirements. Therefore,

MIPS ACI Security Risk Analysis Measure Specifications (Transition Measures)

Tools to assist with conducting a Security Risk Assessment
If you have questions, contact the Quality Payment Program at 1-866-288-8292 (TTY) M-F 8:00am – 8:00pm EST or email [email protected].

Contact us to find out more about MediSYS at [email protected] or 205-631-5969.