What You Need To Know
While a Security Risk Analysis (SRA) is not a Promoting Interoperability (PI) stand-alone measure for 2019, MIPS-eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
Failure to complete these required actions will result in no score for the PI category.
Four Criteria To Meet When Completing an SRA
It is acceptable for the SRA to be conducted or reviewed outside the performance period, but the analysis must:
- Be unique for each performance period,
- Include the full MIPS performance period,
- Be conducted within the current calendar year.
- Be completed when a 2015 Edition CEHRT is implemented or upon installation or upgrade to a new system.
For More Information
For more details, review the 2019 MIPS Promoting Interoperability - Security Risk Assessment fact sheet.