MIPS, or the Merit-based Incentive Payment System, is a performance-based reimbursement program under Medicare, developed by the Centers for Medicare & Medicaid Services (CMS) to reward healthcare providers for quality, cost-effective care. MIPS adjusts Medicare payments based on a provider’s performance in four key categories:
Quality (30%)
Cost (30%)
Promoting Interoperability (25%)
Improvement Activities (15%)
Each category contributes a specific weight to your overall MIPS score. For 2025, you need to score at least 75 points to avoid negative payment adjustments. Your performance in 2025 will affect your Medicare Part B payments in 2027, with a maximum penalty of -9% for scores at or below 18.75 points.
Understanding the MIPS Categories
1. The Quality category includes 195 measures for the 2025 performance period. You’ll need to report each quality measure on at least 75% of eligible encounters to meet data completeness requirements.
2. The Cost category now includes six new episode-based measures covering conditions like Chronic Kidney Disease, End-Stage Renal Disease, Kidney Transplant Management, Prostate Cancer, and Rheumatoid Arthritis.
3. For Improvement Activities, the requirements have been simplified. If you have small practice, rural, non-patient-facing, or health professional shortage area status, you must attest to 1 activity. All other clinicians and groups must attest to 2 activities. Activity weightings have been removed for 2025.
4. The Promoting Interoperability category focuses on the secure and effective use of Electronic Health Record (EHR) systems. This category encourages providers to use technology to improve patient care in addition to implementing strong cybersecurity practices to protect patient data.
Alternative Reporting: MIPS Value Pathways
You also have the option to report through MIPS Value Pathways (MVPs) instead of traditional MIPS. There are 21 MVPs available for 2025, including new pathways for ophthalmology, dermatology, gastroenterology, pulmonology, urology, and surgical care. MVPs offer a streamlined, specialty-focused reporting approach.
Security Risk Analysis (SRA) & Scoring for MIPS
Promoting Interoperability contributes 25% to your overall score, and one of its key requirements is the Security Risk Analysis (SRA). This requirement is directly aligned with the HIPAA Security Rule and is essential for ensuring the safety and privacy of electronic Protected Health Information (ePHI).
Here’s the critical thing you need to understand: The Security Risk Analysis measure is not scored and does not contribute any points to your MIPS total. However, failure to complete the required actions for the Security Risk Analysis will result in zero points for the entire Promoting Interoperability performance category. This means you’ll lose 25% of your total MIPS score, which can significantly impact your Medicare payment adjustments.
SRA Deadlines for MIPS Compliance
To meet the MIPS requirements, your SRA must be conducted within the calendar year (January 1 – December 31, 2025). The analysis must be unique for each performance period, and the scope must include the full performance period. While the SRA must be conducted within the calendar year, it doesn’t have to be completed during your actual Promoting Interoperability reporting period.
For your Promoting Interoperability data, you must submit information for a minimum of 180 consecutive days within the calendar year. Missing these deadlines can result in zero points for your Promoting Interoperability score and potentially reduce your overall MIPS score, affecting Medicare payment adjustments.
New Requirement: SAFER Guide Assessment
In addition to completing your SRA, you must perform an Annual Assessment of the High Priority Practices Guide from the SAFER Guides and attest “yes” during the calendar year. Both the SRA and SAFER Guide assessments are required attestations for the Promoting Interoperability category.
What the Security Risk Analysis (SRA) for MIPS Includes
An SRA is a systematic process that helps healthcare providers assess and manage potential risks to the confidentiality, integrity, and availability of ePHI. Here’s what a thorough SRA should include:
1. Risk Identification: This includes identifying all locations where ePHI is stored, accessed, or transmitted, including EHR systems, laptops, mobile devices, cloud storage, and network servers. It also includes assessing threats to ePHI security, such as unauthorized access, data breaches, or natural disasters.
2. Risk Assessment and Prioritization: This includes evaluating the likelihood and possible impact of each identified threat. Going one step further, you also need to prioritize high-risk areas that could compromise sensitive patient information or disrupt patient care.
3. Security Measures Implementation: After identifying risks, you need to develop and implement security measures to protect ePHI. These might include access controls, encryption, firewall configuration, secure data transmission, and robust authentication protocols.
4. Review of Current Security Measures: This includes assessing existing security controls and determining if they are effective. You also need to adjust or enhance measures as and when needed to address any new or evolving threats to ePHI.
5. Documentation of Findings and Corrective Actions: You need to document the findings from the SRA along with any actions you have taken to address vulnerabilities. This documentation is crucial for MIPS compliance and will be needed if CMS requests an audit.
6. Continuous Monitoring and Updates: An SRA is not a one-time event; it should be revisited and updated every year or whenever significant changes occur in the practice’s technology or workflow.
Best Practices for a Successful SRA for MIPS
1. Plan Early and Schedule Regular Assessments: Start your SRA well in advance to give yourself ample time to address any identified risks. Conduct the SRA annually and consider additional assessments after major changes like adopting a new EHR system. Since an SRA conducted by your EHR company will not be sufficient for MIPS and may result in a failure to meet this requirement during an audit, you need to plan for your own SRA and plan to mitigate risks.
2. Engage Your Entire Team: Involve all staff members who interact with ePHI. Educate them on the importance of security practices, such as password protection and recognizing phishing attempts.
3. Use a Comprehensive Security Risk Assessment (SRA): An in-depth SRA will help to ensure that you have addressed all aspects of ePHI security. CMS and the Office for Civil Rights (OCR) offer resources, including checklists and tools, to guide you through the SRA process.
4. Utilize Encryption and Strong Access Controls: Ensure that all ePHI is encrypted, especially on portable devices. Implement multi-factor authentication (MFA) and restrict access based on job roles to prevent unauthorized access.
5. Document Everything: Maintain records of all SRA findings, the corrective actions you’ve taken, and the security policies you’ve implemented. This documentation is critical for demonstrating MIPS compliance and provides a record for future assessments.
6. Conduct Security Awareness Training & Phishing Awareness Training: Regularly train staff on cybersecurity best practices, as well as how to recognize and report phishing emails and avoid risky behaviours. A well-trained team is one of your best defences against cyber threats.
7. Develop & Test an Incident Response Plan: Prepare a response plan in case of a data breach or security incident. Regularly test the plan to ensure your team knows how to respond quickly and minimize the impact on patient data.
Important Notes on Data Submission
If you submit Promoting Interoperability data multiple times, CMS will calculate a score for each submission received and assign you the highest score. This gives you flexibility to improve your submission if needed.
If you’ve delegated your data submission to a third-party intermediary, be aware that you can request reweighting if the third party fails to submit and your data is inaccessible and cannot be submitted for reasons outside your control.
Special note for clinical social workers: Automatic reweighting is no longer available for the Promoting Interoperability category starting with the 2025 performance period.
The Impact of a Security Risk Analysis on Your MIPS Score
A well-executed Security Risk Analysis helps to ensure that your practice meets the ‘Protect Patient Health Information’ measure under the Promoting Interoperability category. It is also an investment in the long-term security and success of your practice since it helps you strengthen your practice’s overall resilience against cyber threats.
Since an SRA directly impacts your ability to score in the Promoting Interoperability category, meeting this requirement not only ensures compliance but also improves your chances of receiving positive payment adjustments. Failing to complete an SRA, however, can result in losing the entire 25% of your score allocated to Promoting Interoperability, resulting in penalties.
Meet Your SRA Deadlines and Protect ePHI with databrackets
At databrackets, we are a team of certified and experienced security experts with over 14 years of experience across industries. We have conducted hundreds of SRAs for MIPS and worked with the HHS and their auditors on what is required.
We have been working with Healthcare Providers for over 14 years and offer 3 Engagement Options – our DIY Toolkits (ideal for MSPs and mature in-house IT teams), and Hybrid or Consulting Services for Compliance / Security Standards.
For MIPS, we add value to your application in a variety of ways:
- Our team conducts an end-to-end analysis as part of our Security Risk Analysis (SRA), and helps you to identify areas of improvement, take corrective actions and access relevant staff training modules.
- We support your practice during a CMS / Medicaid Audit, if required.
- We identify key vulnerabilities in your systems, which also helps you comply with HIPAA federal and state requirements.
- Time is of the essence. Our team helps you plan and complete all tasks within the deadline.
Overview of databrackets
Our team of security experts has supported organizations across a wide variety of industries to align their processes with security frameworks like ISO 27001:2022, SOC 2, HIPAA, 21 CFR Part 11, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC etc. We are an authorized certifying body for ISO 27001 and a Registered Practitioner Organization for CMMC. We also have partnerships to help clients prepare for and obtain other security certifications.
We have helped organizations of all sizes comply with cybersecurity best practices, utilize and customize our staff training modules and prove their compliance with security standards. We enable organizations to expand their business opportunities and assure existing clients of their commitment to protecting sensitive information and maintaining high standards of security and privacy.
We are constantly expanding our library of assessments and services to serve organizations across industries. Schedule a Consultation if you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements.
Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com
Aditi is a Digital Marketing and Business Development Professional at databrackets.com. She graduated with honors in Marketing from Sheridan College, Canada. In addition to her current profile, she contributes to Product Development and Content Creation. She is a strong advocate of Good Cyber Hygiene and white hat SEO techniques. She is proud of the company’s mission to safeguard organizations from cyber threats and ensure their business continuity in adverse situations.
Technical Expert: Srini Kolathur, Director, databrackets.com
The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is a results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in Fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework, HIPAA, Security Risk Assessment, and CMMC 2.0, among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, and MBA. He is active in several community groups, including Rotary International and TiE.