Protect Electronic Health Information: Security Risk Analysis – REQUIRED FOR 2018 REPORTING
What the objective requires: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.
What that means for you: To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies. Every year, the Security Risk Analysis Template below needs to be completed or reviewed during your reporting period (you may choose to complete the other templates listed for added security). Store your completed template(s) in a safe place in case you are ever audited.
Security Risk Analysis Template
Is this objective required? Yes. Required for Base Scoring. MIPS eligible clinicians must fulfill the requirements of base score measures to earn a base score in order to earn any score in the Advancing Care Information performance category. In addition to the base score, MIPS eligible clinicians have the opportunity to earn additional credit through the submission of performance measures and a bonus measure and/or activity. IMPORTANT: You may only exclude measures that you are eligible to exclude per CMS. It is your responsibility to read and understand CMS's exclusion criteria for each measure outlined in this manual and to claim only the exclusions that are applicable to your practice.
Reporting Requirements
YES/NO
To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
Scoring Information
BASE SCORE/PERFORMANCE SCORE/BONUS SCORE
Required for Base Score: Yes
Percentage of Performance Score: 0
Bonus Score: One-time bonus of 10% for MIPS eligible clinicians and groups who report using 2015 Edition CEHRT exclusively for the 2018 performance period and report only Advancing Care Information measures.
You must complete or review a Risk Analysis and Risk Management template (include signature and date on this doc for compliance) within the date range to meet compliance. You can complete this through the ChiroTouch Online Manual.
Step I, print and complete the Risk Assessment and Risk Management templates.
Step II, indicate on your ChiroTouch system through the QPP Dashboard that the review was completed.
Access the Security Risk Analysis and complete:
- Click the Security Risk Analysis Template link above to print and/or download.
- Complete the Risk Assessment and Risk Management templates (both found under the Security Risk Analysis Template link above) during the reporting period by answering all questions present. (You will find ChiroTouch Information available for questions that involve aspects of your system related to security; however, you must completely fill out this document even where ChiroTouch Information exists.)
- Have your administrator sign and apply the appropriate date matching the date range that you plan to attest to (If you change your date range at any time during the calendar year you must re-date this document to match the date range you plan to attest to).
- Save for at least seven years. In the event of a QPP audit, you must provide this document as proof that you completed the measure.
Indicate that you have completed this measure through your QPP Dashboard:
- Open the QPP Dashboard from the ChiroTouch Launcher.
- Click the Promoting Interoperability Wizard button in the menu ribbon to launch the Wizard.
- In the QPP Wizard, click Security Risk Analysis in the Advance Care Objectives navigation pane on the left.
- If your Risk Analysis and Risk Management templates have been completed entirely (or a review of the information has been completed), add a checkmark next to each of the three templates listed below Completed. (Only the first, “Security Risk Analysis”, is requested at the time of audit. You may choose to complete all three to aid with the security of your clinic.)
- Click Apply Changes at the bottom of the window.
- Click the Finish button to close the QPP Wizard.
- In your QPP Dashboard, review the Protect Electronic Health Information: Security Risk Analysis measure to confirm your compliance.
CRITICAL: Click the title of the template you are trying to complete to access it. You are responsible for printing and completing each template and for keeping a copy on file in your records. In the event of an EHR audit, the auditors will require you to provide the completed templates to prove your compliance with this measure. Therefore, you should not proceed to the next step until you have actually completed the work required for each template.
Sanction Policy Template – This document states that all employees are aware of your security policies. You may choose to print it and require all staff to sign.
Information System Activity Review – Can be used to log all audits of your CEHRT system completed during your reporting period and beyond.
Eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
MIPS eligible clinicians can report the Advancing Care Information objectives and measures if they have technology certified to the 2015 Edition, or a combination of technologies from the 2014 and 2015 Editions that support these measures.
In CY 2018, a one-time bonus will be earned by MIPS eligible clinicians and groups who report using 2015 Edition CEHRT exclusively.
Actions included in the numerator must occur within the performance period.
This measure contributes to the 50% base score for the Advancing Care Information performance category. MIPS eligible clinicians must submit a “yes” for the security risk analysis measure, and at least a 1 in the numerator for the numerator/denominator of the remaining measures or claim exclusions. More information about Advancing Care Information scoring is available on the QPP website.
A MIPS eligible clinician must meet this objective and measure to earn any score within the advancing care information performance category. Failure to do so will result in a base score of zero as well as a performance score of zero and an advancing care information performance category score of zero.