Discovery of Failure to Conduct Security Risk Assessment Jeopardizes Positive Medicare Payment Adjustment under MIPS


October 10, 2017. HIPAA Integrity® commends to your attention the October 6, 2017, Health Data Management article by John Morrissey entitled: “Lack of security risk assessment could trim Medicare payments.”


The Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health and Human Services (HHS) has implemented the Merit-based Incentive Payment System (MIPS), an initiative of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) that is applicable to clinicians participating in Medicare Part B. According to CMS, the Quality Payment Program has two tracks eligible clinicians can choose to participate in:


  • Advanced Alternative Payment Models (APMs) or
  • Merit-based Incentive Payment System (MIPS),


based on “practice size, specialty, location, or patient population.” Participation in MIPS, the concern here, provides the participating clinician a “performance-based payment adjustment” to Medicare payments based on “evidence-based and practice-specific quality data.”


MIPS comprises four categories, each weighted as follows in the new program:


  • Quality, which replaces the Physician Quality Reporting System (PQRS)—60%.
  • Advancing Care Information, which replaces the Medicare Electronic Health Record (EHR) Incentive Program known as Meaningful Use—25%.
  • Improvement Activities, a new category—15%.
  • Cost, which replaces the Value-based Modifier—no weight, but calculated from adjudicated claims.


The Advancing Care Information category has 15 measures, five of which are required for a base score, and pertains to participating clinicians who have and use certified electronic health record technology. The five required measures are: e-Prescribing, Provide Patient Access, Request/Accept Summary of Care, Security Risk Analysis, and Send a Summary of Care. CMS cautions: “Remember, in order to get credit for advancing care information, you must submit information for the required measures.”


We want to focus now on the Advancing Care Information Objective: Protect Patient Health Information and the Security Risk Analysis Measure:


“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.”


The Code of Federal Regulations (CFR) citations in the Measure refer to provisions of the HIPAA Security Rule.


Under MIPS, the initial performance period is calendar year 2017 (January 1 through December 31), and collection of performance data must begin before October 2, 2017. Performance data for 2017, covering either the full year or a 90-day period, must be submitted to CMS by March 31, 2018. In 2018, CMS provides feedback on performance based on an evaluation of the submitted data. A positive MIPS payment adjustment for 2019 would be based on those results and take effect on January 1 of that year. For more information, visit the “What’s the Quality Payment Program?” page and see the section “Pick Your Pace in MIPS” to determine the types of payment adjustments available based on the type of data submitted.


The important point that the Morrissey article makes, and that HIPAA Integrity® wants to reinforce, is that failure to provide evidence of having conducted a risk assessment not only can impair receipt of Medicare payments under MIPS, but can also subject your organization to significant financial penalties under the HIPAA Security Rule. For willful neglect that is not corrected, those penalties carry a mandatory range of $55,910-$1,677,299 per violation. HIPAA Integrity® provides not only a plain-language risk analysis template for self-assessment of vulnerabilities and threats to the protected health information your organization creates, receives, maintains, or transmits, but also a concordance between the HIPAA Security Rule standards and implementation specifications and the MIPS Security Risk Analysis Measure criteria pertaining to certified electronic health record (EHR) technology.

