Measure PI_PPHI_1: Security Risk Analysis


    Updated January 2020. Note: there were no substantive changes to this measure between 2019 and 2020.

    Reporting options: 

    All reporting options are available for both group and individual attestation of PI measures.

    Required for PI Category Score? Yes

    Measure Points: None 

    Exclusions available? No

    Measure ID: PI_PPHI_1

    Measure Description

    Conduct an annual security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with the requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS-eligible clinician's risk management process. The security risk analysis must be performed when 2015 CEHRT is implemented.

    Definition of Terms

    e-PHI: Electronic protected health information. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.

    Security Risk Analysis Legal Requirements:

    The table below lists, for each security category, the security areas to consider within the category and examples of potential security measures.

    Physical Safeguards

    Security areas to consider within the category:
    • Your facility and other places where patient data is accessed
    • Computer equipment
    • Portable devices

    Examples of potential security measures:
    • Building alarm systems
    • Locked offices
    • Screens shielded from secondary viewers

    Administrative Safeguards

    Security areas to consider within the category:
    • Designated security officer
    • Workforce training and oversight
    • Controlling information access
    • Periodic security reassessment

    Examples of potential security measures:
    • Staff training
    • Monthly review of user activities
    • Policy enforcement

    Technical Safeguards

    Security areas to consider within the category:
    • Controls on access to EHR
    • Use of audit logs to monitor users and other EHR activities
    • Measures that keep electronic patient data from improper changes
    • Secure, authorized electronic exchanges of patient information

    Examples of potential security measures:
    • Secure passwords
    • Backing up data
    • Virus checks
    • Data encryption

    Policies & Procedures

    Security areas to consider within the category:
    • Written policies and procedures to assure HIPAA security compliance
    • Documentation of security measures

    Examples of potential security measures:
    • Written protocols on authorizing users
    • Record retention

    Organizational Requirements

    Security areas to consider within the category:
    • Business associate agreements
    • Plan for identifying and managing vendors who access, create or store e-PHI

    Examples of potential security measures:
    • Agreement review and updates

    Business Associate Contracts. A contract or other written arrangement with a business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must:

    • Describe the permitted and required uses of protected health information by the business associate;
    • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
    • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

    HHS has provided a Sample Business Associate Contract.

    Attestation Requirements

    Attestation: Attest "Yes"

    To meet this measure, eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.

    Suggested Documentation

    Sample Security Risk Analysis

    Documentation that you completed this measure must include evidence of both of the following:

    • A security risk analysis that documents the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the eligible clinician's ePHI, addresses the encryption/security of data stored in the CEHRT, and identifies that it was performed for the clinician's system; and
    • Documentation of implementing security updates and correcting identified security deficiencies.

    How CMS Scores Your Performance

    This is not a scored measure, but it is required. The Security Risk Analysis measure is evaluated based on attestation.