
MIPS and your practice’s Security Risk Analysis


Keeping patient data safe can be a complicated process. Ransomware attacks have increased, even at large health centers and university-based facilities that have large staffs managing their IT services. A data breach can be costly to your practice.

The purpose of a Security Risk Analysis (SRA), which must be completed annually as you attest in your Merit-based Incentive Payment System (MIPS) submission, is to find gaps in and risks to the security of your patients’ health information. The SRA examines the administrative, physical, and technical safeguards in your practice.

  • Administrative: the policies and procedures in place to help prevent a data breach, including security training for all staff.
  • Physical: the mechanisms that protect your systems, such as a locked server room, visitor restrictions, and off-site backups.
  • Technical: the automated controls you use to protect health information, such as encrypted messaging, strong passwords that are changed when staff leave your employment, secure wireless networks, and workstations that lock when unattended.

For MIPS submissions, the Security Risk Analysis must be completed annually and attested to under the Promoting Interoperability category. If you cannot attest to completing the analysis, your practice will receive no score in the category, regardless of whether other measures in the category are reported.

When the Centers for Medicare & Medicaid Services (CMS) audits a practice, it typically asks for the completed SRA to be sent in for review. CMS may request documentation from the previous six years.

In addition, CMS will check that you have included all forms of electronic media, from hard drives, CDs, DVDs, and smart cards to the devices you use, such as laptops, iPads, and smart phones. Any device that holds protected patient health information is included in the SRA.

In addition to the Security Risk Analysis, a new measure was introduced for 2022 under the Protect Patient Health Information objective: the Safety Assurance Factors for EHR Resilience (SAFER) Guides. This is a series of nine guides that address safety in a variety of areas.

The Office of the National Coordinator for Health Information Technology (ONC) created the Top 10 Myths of Security Risk Analysis to help your practice better understand its responsibilities. To view the myths, visit:

The Quality Reporting Engagement Group has a Security Risk Analysis toolkit that lets you see all of the criteria you need to consider for your practice when conducting the analysis. If you would like to learn more about how the team can help you with your SRA, contact