Helping you put the MIPS pieces together each week!
The importance of having and maintaining an up-to-date Security Risk Assessment
Security risk assessments have been required for the past 12 years and it was also a requirement of the Meaningful Use program in previous years.
HIPAA requires that covered entities conduct a risk assessment of their healthcare organization to help ensure compliance with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also identifies areas where your patients’ protected health information (PHI) might be at risk.
Conducting or reviewing a security risk assessment to meet HIPAA standards is an important part of the Merit-based Incentive Payment System (MIPS). The requirements have not changed from a security risk perspective; however, the penalties for noncompliance are much greater than in previous years. NOT conducting a security risk assessment could cost providers 25% of their total MIPS score. And incorrectly reporting that a security risk assessment has been performed can cost your practice stiff penalties in the event of an audit.
The security risk assessment requirement of MIPS is included in the Advancing Care Information (ACI) category. Providers who do not have a security risk assessment in place won’t meet the BASE score requirement for the ACI category, therefore earning a 0% in the ACI category which is 25% of your total MIPS score. That’s a huge chunk of your potential earnings that is at stake.
Practices need to act now to make sure a security risk assessment is in place that meets the HIPAA security requirements, and to make sure that risk assessment is updated on a consistent basis.
Remember that a HIPAA security risk analysis goes beyond your EHR security: it can also cover employee computer passwords and physical security, as well as HIPAA administrative requirements. Therefore,
MIPS ACI Security Risk Analysis Measure Specifications (Transition Measures)
Tools to assist with conducting a Security Risk Assessment
- More information on the HIPAA Security Rule regarding the security risk analysis can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
- Visit the Resource Library of the Quality Payment Program website to download the measure specifications for the Security Risk Analysis ACI measure: https://qpp.cms.gov/about/resource-library
- HHS Office for Civil Rights (OCR) has issued guidance on conducting a security risk analysis in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
- Additional free tools and resources available to assist healthcare providers include a Security Risk Assessment (SRA) Tool developed by ONC and OCR: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.
If you have questions, contact the Quality Payment Program at 1-866-288-8292 (TTY) M-F 8:00am – 8:00pm EST or email [email protected].
Contact us to find out more about MediSYS at [email protected] or 205-631-5969.