Updated January 2020. Note, there were no substantive changes to this measure between 2019 and 2020.
All reporting options are available for both group and individual attestation of PI measures.
Required for PI Category Score? Yes
Measure Points: None
Exclusions available? No
Measure ID: PI_PPHI_1
Conduct an annual security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with the requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS-eligible clinician's risk management process. The security risk analysis must be performed when 2015 CEHRT is implemented.
Definition of Terms
ePHI (e-PHI): Electronic protected health information. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.
Security Risk Analysis Legal Requirements:
The table below is organized by the HIPAA Security Rule safeguard categories. For each category it lists the security areas to consider within the category and examples of potential security measures.

Physical Safeguards
Security areas to consider within the category:
- Your facility and other places where patient data is accessed
- Computer equipment
- Portable devices
Examples of potential security measures:
- Building alarm systems
- Locked offices
- Screens shielded from secondary viewers

Administrative Safeguards
Security areas to consider within the category:
- Designated security officer
- Workforce training and oversight
- Controlling information access
- Periodic security reassessment
Examples of potential security measures:
- Staff training
- Monthly review of user activities
- Policy enforcement

Technical Safeguards
Security areas to consider within the category:
- Controls on access to EHR
- Use of audit logs to monitor users and other EHR activities
- Measures that keep electronic patient data from improper changes
- Secure, authorized electronic exchanges of patient information
Examples of potential security measures:
- Secure passwords
- Backing up data
- Virus checks
- Data encryption

Policies & Procedures
Security areas to consider within the category:
- Written policies and procedures to assure HIPAA security compliance
- Documentation of security measures
- Written protocols on authorizing users
- Record retention
- Business associate agreements
Examples of potential security measures:
- Plan for identifying and managing vendors who access, create or store ePHI
- Agreement review and updates
Business Associate Contracts. A contract or other written arrangement with a business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must:
- Describe the permitted and required uses of protected health information by the business associate;
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
HHS has provided a Sample Business Associate Contract.
Attestation: Attest "Yes"
To meet this measure, eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
Sample Security Risk Analysis
Documentation that you completed this measure must include evidence of both of the following:
- A security risk analysis that documents the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the eligible clinician's ePHI, addresses the encryption/security of data stored in the CEHRT, and identifies that it was performed for the clinician's system;
- Documentation of implementing security updates and correcting identified security deficiencies.
How CMS Scores Your Performance
This is not a scored measure, but it is required. The Security Risk Analysis measure is evaluated based on attestation.