MIPS, or the Merit-based Incentive Payment System, is a performance-based reimbursement program under Medicare, developed by the Centers for Medicare & Medicaid Services (CMS) to reward healthcare providers for quality, cost-effective care. MIPS adjusts Medicare payments based on a provider’s performance in four key categories:
Quality
Cost
Improvement Activities
Promoting Interoperability (PI)
Security Risk Analysis (SRA) & Scoring for MIPS
Each category in MIPS contributes a specific weight to the overall MIPS score, with Promoting Interoperability focusing on the secure and effective use of Electronic Health Record (EHR) systems. This category encourages providers to use technology to improve patient care in addition to implementing strong cybersecurity practices to protect patient data.
Promoting Interoperability contributes significantly to the overall score, and one of its key requirements is the Security Risk Analysis (SRA). This requirement is directly aligned with the HIPAA Security Rule and is essential for ensuring the safety and privacy of electronic Protected Health Information (ePHI).
SRA Deadlines for MIPS Compliance
To meet the MIPS requirements, your SRA must be completed by the end of the reporting year (usually December 31). For instance, if you’re reporting for the 2024 performance year, your SRA should be completed by December 31, 2024. Missing this deadline can impact your Promoting Interoperability score and potentially reduce your overall MIPS score, affecting Medicare payment adjustments.
What the Security Risk Analysis (SRA) for MIPS Includes
An SRA is a systematic process that helps healthcare providers assess and manage potential risks to the confidentiality, integrity, and availability of ePHI. Here’s what a thorough SRA should include:
Risk Identification: This includes identifying all locations where ePHI is stored, accessed, or transmitted, including EHR systems, laptops, mobile devices, cloud storage, and network servers. It also includes assessing threats to ePHI security, such as unauthorized access, data breaches, or natural disasters.
Risk Assessment and Prioritization: This includes evaluating the likelihood and possible impact of each identified threat. Going one step further, you also need to prioritize high-risk areas that could compromise sensitive patient information or disrupt patient care.
Security Measures Implementation: After identifying risks, you need to develop and implement security measures to protect ePHI. These might include access controls, encryption, firewall configuration, secure data transmission, and robust authentication protocols.
Review of Current Security Measures: This includes assessing existing security controls and determining if they are effective. You also need to adjust or enhance measures as and when needed to address any new or evolving threats to ePHI.
Documentation of Findings and Corrective Actions: You need to document the findings from the SRA along with any actions you have taken to address vulnerabilities. This documentation is crucial for MIPS compliance and will be needed if CMS requests an audit.
Continuous Monitoring and Updates: An SRA is not a one-time event; it should be revisited and updated every year or whenever significant changes occur in the practice’s technology or workflow.
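The risk identification, likelihood/impact prioritization and annual-deadline steps above can be tracked in a simple risk register. The following is an added example, not a tool from the original post or from databrackets; the 1-to-3 rating scale, the high/medium/low thresholds and the sample ePHI assets and threats are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Risk:
    """One row of the SRA risk register (likelihood and impact rated 1 = low .. 3 = high)."""
    asset: str       # where ePHI is stored, accessed or transmitted
    threat: str      # e.g. unauthorized access, data breach, natural disaster
    likelihood: int
    impact: int
    control: str     # existing or planned safeguard, kept for documentation

    def score(self) -> int:
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a likelihood x impact score (1..9) to a priority band (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(risks: list) -> list:
    """Highest-scoring risks first so remediation effort goes to them; ties keep input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def register_report(risks: list) -> list:
    """Documentation-ready rows: (asset, threat, score, rating, control)."""
    return [(r.asset, r.threat, r.score(), rating(r.score()), r.control) for r in prioritize(risks)]


def sra_status(last_completed: date, performance_year: int, today: date) -> str:
    """'current' if an SRA was completed in the performance year, else 'overdue' after Dec 31, otherwise 'due'."""
    deadline = date(performance_year, 12, 31)
    if last_completed.year == performance_year:
        return "current"
    return "overdue" if today > deadline else "due"


# Constructed sample register (not real findings).
SAMPLE = [
    Risk("Cloud backup", "natural disaster / provider outage", 1, 3, "tested restore procedure"),
    Risk("Clinic laptop", "theft with unencrypted ePHI", 3, 3, "full-disk encryption"),
    Risk("Mobile device", "phishing leading to credential theft", 2, 2, "MFA and staff training"),
    Risk("EHR system", "unauthorized access via shared logins", 2, 3, "role-based accounts, MFA"),
]
```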
Best Practices for a Successful SRA for MIPS
1. Plan Early and Schedule Regular Assessments: Start your SRA well in advance to give yourself ample time to address any identified risks. Conduct the SRA annually and consider additional assessments after major changes like adopting a new EHR system. Since an SRA conducted by your EHR company will not be sufficient for MIPS and may result in a failure to meet this requirement during an audit, you need to plan for your own SRA and plan to mitigate risks.
2. Engage Your Entire Team: Involve all staff members who interact with ePHI. Educate them on the importance of security practices, such as password protection and recognizing phishing attempts.
3. Use a Comprehensive SRA Checklist: A detailed checklist will help to ensure that you have addressed all aspects of ePHI security. CMS and the Office for Civil Rights (OCR) offer resources, including checklists and tools, to guide you through the SRA process.
4. Utilize Encryption and Strong Access Controls: Ensure that all ePHI is encrypted, especially on portable devices. Implement multi-factor authentication (MFA) and restrict access based on job roles to prevent unauthorized access.
5. Document Everything: Maintain records of all SRA findings, the corrective actions you’ve taken, and the security policies you’ve implemented. This documentation is critical for demonstrating MIPS compliance and provides a record for future assessments.
6. Conduct Security Awareness Training & Phishing Awareness Training: Regularly train staff on cybersecurity best practices, as well as how to recognize and report phishing emails and avoid risky behaviors. A well-trained team is one of your best defenses against cyber threats.
7. Develop & Test an Incident Response Plan: Prepare a response plan in case of a data breach or security incident. Regularly test the plan to ensure your team knows how to respond quickly and minimize the impact on patient data.
The Impact of a Security Risk Analysis on your MIPS Score
A well-executed Security Risk Analysis (SRA) helps to ensure that your practice meets the ‘Protect Patient Health Information’ measure under the Promoting Interoperability category. It is also an investment in the long-term security and success of your practice since it helps you strengthen your practice’s overall resilience against cyber threats.
Since an SRA directly contributes to your MIPS score, meeting this requirement not only ensures compliance but also improves your chances of receiving positive payment adjustments. Failing to complete an SRA, however, can lower your MIPS score, resulting in penalties.
Meet your SRA deadlines and Protect ePHI with databrackets
At databrackets, we are a team of certified and experienced security experts with over 12 years of experience across industries. We have conducted hundreds of SRAs for MIPS and worked with the HHS and their auditors on what is required.
We have been working with Healthcare Providers for over 12 years and offer 3 Engagement Options: our DIY Toolkits (ideal for MSPs and mature in-house IT teams), and Hybrid or Consulting Services for Compliance / Security Standards.
For MIPS, we add value to your application in a variety of ways:
Our team conducts an end-to-end analysis as part of our Security Risk Analysis (SRA), and helps you to identify areas of improvement, take corrective actions and access relevant staff training modules.
We support your practice during a CMS / Medicaid Audit, if required.
We identify key vulnerabilities in your systems, which also helps you to comply with the HIPAA federal/state requirements.
Time is of the essence. Our team helps you plan and complete all tasks within the deadline.
Overview of databrackets
Our team of security experts has supported organizations across a wide variety of industries to align their processes with security frameworks like ISO 27001:2022, SOC 2, HIPAA, 21 CFR Part 11, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC etc. We are an authorized certifying body for ISO 27001 and a Registered Practitioner Organization for CMMC. We also have partnerships to help clients prepare for and obtain other security certifications.
We have helped organizations of all sizes comply with cybersecurity best practices, utilize and customize our staff training modules and prove their compliance with security standards. We enable organizations to expand their business opportunities and assure existing clients of their commitment to protecting sensitive information and maintaining high standards of security and privacy.
We are constantly expanding our library of assessments and services to serve organizations across industries. Schedule a Consultation if you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements.
Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com
Aditi is a Digital Marketing and Business Development Professional at databrackets.com. She graduated with honors in Marketing from Sheridan College, Canada. In addition to her current profile, she contributes to Product Development and Content Creation. She is a strong advocate of Good Cyber Hygiene and white hat SEO techniques. She is proud of the company’s mission to safeguard organizations from cyber threats and ensure their business continuity in adverse situations.
Technical Expert: Srini Kolathur, Director, databrackets.com
The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is a results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in Fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework, HIPAA, Security Risk Assessment, and CMMC 2.0, among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, and MBA. He is active in several community groups, including Rotary International and TiE.