Security Risk Analysis

New for 2026: a second attestation statement has been added.

MEASURE DESCRIPTION

First, conduct or review a security risk analysis; and second, conduct security risk management activities, in accordance with the requirements under 45 CFR 164.308(a)(1)(ii)(A) and (B). Security risk analysis and management activities include addressing the security of data created or maintained by certified EHR technology (CEHRT), including encryption, in accordance with 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). Encryption, the addressable implementation specification at 45 CFR 164.312(a)(2)(iv), must be implemented if it is reasonable and appropriate; if it is not, the MIPS eligible clinician must document why and adopt an equivalent alternative measure if that is reasonable and appropriate.

Exclusion/Exceptions

None.

Reporting Requirements

YES/NO

The MIPS eligible clinician must attest “Yes” to the following statements:

  • I conducted or reviewed a security risk analysis as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule at 45 CFR 164.308(a)(1)(ii)(A) during the year in which the performance period occurs.

  • I conducted security risk management activities as required under the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(B), specifically the implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306.

Required Measure

Yes. The MIPS eligible clinician must attest "Yes" to this measure; otherwise the entire Promoting Interoperability (PI) performance category cannot be reported.

Scoring

None.

 RESOURCES