The Promoting Interoperability Measure That Could Cost You 25 Points

It is a scoreless prerequisite and a seemingly harmless checkbox but the Security Risk Analysis (SRA) measure is still one of the top ways to fail an audit. Failing to complete this measure results in ZERO Promoting Interoperability points, regardless of your performance in the other category objectives. Unfortunately for many individual or small practice reporters, the SRA is widely overlooked. 

To make sure you don’t make the same mistake, here are seven important SRA facts to keep you compliant.

1. An SRA is not completed within your EHR or by the EHR company. It’s your responsibility.

2. It’s about more than the EHR – it’s about ePHI across the entire office and all of its systems, policies, and processes.

3. To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a Security Risk Analysis and implementing security updates as necessary and correcting identified security deficiencies.

4. There are three main components to conducting an SRA: review the administrative, technical, and physical safeguards in place at your institution.

5. An analysis must be done upon installation or upgrade to a new system and a review must be conducted each MIPS performance period. 

6. Any security updates and deficiencies that are identified should be included in the clinician's risk management process and implemented or corrected as dictated by that process.

7. Failure to complete the required actions for the Security Risk Analysis will result in a score of zero points for the Promoting Interoperability performance category, regardless of whether other measures in this category are reported.

A Security Risk Analysis can be done by someone like us, your IT vendor, or even yourself. It can be time consuming and failing to document compensatory controls for things like addressable items is considered bad practice and will literally cost you points and ultimately dollars. 

CHIRPY BIRD INC CAN HELP!

We offer a comprehensive 137-point check of your administrative, physical, and technical safeguards. We provide you with all of the documentation, reports, and policies you will need to fully comply with CMS MIPS policy guidelines! These policies are not fill-in-the-blank templates - they are tailored specifically for your practice. A Chirpy Bird regulatory specialist will review the results with you and let you know exactly what you may need to do in order to close any compliance gaps or resolve any deficiencies. 

The SRA is required to be updated or completed on or before December 31, 2021!

Call us today to schedule your SRA.