Security Risk Analysis for 2018 MACRA/MIPS Reporting

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) replaced three quality programs (the Medicare Electronic Health Record (EHR) Incentive program, the Physician Quality Reporting System (PQRS), and the Value-Based Payment Modifier (VM)) with the Quality Payment Program. This one program will give Medicare physicians and clinicians a chance to be paid more for giving better care.

There are two ways to take part in this program:
• Merit-based Incentive Payment System (MIPS)
• Advanced Alternative Payment Models (APMs)

Under MIPS, there are four connected pillars that affect how you will be paid by Medicare – Quality, Clinical Practice Improvement Activities (referred to as “Improvement Activities”), Certified EHR Technology (referred to as “Advancing Care Information”), and Resource Use (referred to as “Cost”). At its core, the Quality Payment Program is about improving the quality of patient care.

In determining a total score, specific weights are assigned to each of the four performance categories:

  1. Quality
  2. Cost
  3. Improvement activities
  4. Advancing Care Information – 25%

The Advancing Care Information performance category replaces the Medicare EHR Incentive Program for eligible professionals, also known as Meaningful Use.

How is the Advancing Care Information performance category score calculated?

For scoring purposes, in the Advancing Care Information performance category (weighted at 25% of the total score), MIPS eligible clinicians may earn a maximum score of up to 155%, but any score above 100% will be capped at 100%. This structure was deliberately created to ensure that clinicians have the flexibility to focus on measures that are the most relevant to them and their practices.

The Advancing Care Information score is the combined total of the following three scores:

  1. Base Score – 50%
  2. Performance Score – Up to 90%
  3. Bonus Score – Up to 15%

How is the Base Score Calculated?

MIPS eligible clinicians need to fulfill the requirements of all the base score measures in order to receive the 50% base score. If these requirements are not met, they will get a 0 in the overall Advancing Care Information performance category score.

The base score Advancing Care Information measures are:
1. Security Risk Analysis
2. e-Prescribing
3. Provide Patient Access
4. Send a Summary of Care
5. Request/Accept Summary of Care

In order to receive the 50% base score, MIPS eligible clinicians must submit a “YES” for the security risk analysis measure, and at least a 1 in the numerator for the numerator/denominator of the remaining measures. 



Merit-Based Incentive Payment System (MIPS) Advancing Care Information Performance Category Transition Measure – 2018 Performance Period

Objective: Protect Patient Health Information
Measure: Security Risk Analysis
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

Industry-certified professionals at EHR 2.0 can help you meet this requirement.

In 2018, MIPS eligible clinicians can report the Advancing Care Information Transition Measures if they have technology certified to the 2014 Edition or technology certified to the 2015 Edition, or a combination of technologies certified to the 2014 and 2015 Editions.
• The Security risk analysis measure contributes to the base score for the Advancing Care Information performance category. MIPS eligible clinicians must submit a “yes” for the security risk analysis measure to receive credit toward the base score. Submitting a “no” for this measure will result in a base score of 0%. More information about Advancing Care Information scoring is available on the QPP website.
• MIPS eligible clinicians must conduct or review a security risk analysis including addressing encryption/security of data created or maintained by CEHRT, and implement updates as necessary at least once each calendar year and attest to conducting the analysis or review.
• An analysis must be done upon installation or upgrade to a new system and a review must be conducted covering each MIPS performance period. Any security updates and deficiencies that are identified should be included in the clinician’s risk management process and implemented or corrected as dictated by that process.
• It is acceptable for the security risk analysis to be conducted outside the MIPS performance period; however, the analysis must be unique for each MIPS performance period, the scope must include the full MIPS performance period, and must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).
• The parameters of the security risk analysis are defined in 45 CFR 164.308(a)(1), which is part of the HIPAA Security Rule. The measure does not impose new or expanded requirements in addition to the HIPAA Security Rule, nor does it require specific use of every certification and standard that is included in the certification of EHR technology. More information on the HIPAA Security Rule can be found at:

At EHR 2.0 we assist healthcare organizations and business associates in developing and implementing practices to secure patient data and comply with MACRA/MIPS/HIPAA regulations. Contact us at 866-276-8309 for more information.


Our mission is to assist organizations in developing and implementing practices to secure data and comply with regulations. With several years of experience in the IT and health care industries, databrackets is poised to meet the needs of your organization via:
• Consulting Services
• Online, Do-it-yourself Toolkits for Security Risk Assessment
• Education (Training, Webinar, and Workshops)

For details on how databrackets can provide customized assistance for your organization, please contact us at