

If you are one of the physicians who thought you could sit back and watch the Meaningful Use train pass by—think again. It’s back. And this time, there is a carrot and a stick.

MACRA rebranded MU as Advancing Care Information (ACI) under the new Merit-Based Incentive Payment System (MIPS). MIPS also includes measures for Quality, Improvement Activities and Cost. That means data security is about to become a lot more meaningful to the physicians and other clinicians who sat out the MU program but are entering MIPS, since they must attest that they “conduct or review a security risk analysis” in accordance with the HIPAA Security Rule. (See definition, below.)

There is a lot at stake here. Starting with the 2019 payment year, ACI will make up 25% of the Merit-based Incentive Payment System (MIPS) composite performance score. The security risk analysis is one of five components that make up the base score of 50 points.

Without completion of each of these components, eligible clinicians will receive an ACI score of zero—seriously hurting their chances of achieving an incentive payment, or potentially incurring a penalty.

There is also the possibility that CMS will come back after the fact to conduct post-submission audits and ding providers for not conducting an adequate risk analysis, as it did with the MU program.

Getting this right means not just paying lip-service to the risk analysis. Sound security risk analysis requires an assessment of the organization’s entire operating environment, as well as security policies and procedures. A cursory review of the definition could lead one to believe that it is all about the electronic health record system and encryption of data. But in fact, all electronic protected health information created, received, maintained or transmitted by a provider is subject to the HIPAA Security Rule. This data can exist on the clinic’s network, doctors’ laptops or even on mobile devices.

This analysis cannot be offloaded to the EHR vendor. This is one of CMS’ Top 10 Myths of Security Risk Analysis. MIPS puts the responsibility squarely on the clinician to ensure that a proper security risk analysis has been conducted.

This begs the question: How do physicians and other clinicians attesting to a third party for the first time make sure their organizations are performing a proper security risk analysis?

CMS has provided a Security Risk Assessment Tool that can provide some guidance. However, in physician practices that lack a deep IT bench, answering many of the technical questions might be a struggle.

An effective security risk analysis for a smaller physician practice requires both an understanding of the regulations and the ability to scale the requirements depending on the size and complexity of the organization.

As you and your practice are making your plan for MACRA success, take time now to assess your security risks. Do you have written security and privacy policies? Has the practice conducted a security assessment, and does it cover the whole operating environment—or just the EHR?

Finally, consider whether your internal IT team has the knowledge and capacity to perform the required security risk analysis. If your IT bench is small, then consider your priorities. In some cases, the need to optimize IT systems to meet requirements of the quality performance category (which comprises 60% of the MIPS score in 2019) takes precedence.

Rather than divert internal IT resources, consider a qualified independent firm that can either conduct a thorough security risk analysis or review an existing assessment.



Ken serves as a senior manager in health care services at HORNE LLP. He concentrates on providing compliance consulting services in the areas of health care billing regulations, privacy regulations and health care internal audit services.
