

Kareo Help Center

Protect Patient Health Information

Updated: 10/21/2019

Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Security Risk Analysis Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.

There are several options to complete this measure, including:

  • You may complete the Security Risk Assessment Tool (SRA Tool) found on the HealthIT website.
  • You may hire a vendor.
  • You may do the research and complete the security risk analysis on your own, making sure that it meets the requirements described in the measure specification.
  • Maintain a copy in a MIPS Audit Folder.

Attestation: Yes / No
Performance Score Weight: Zero points. This measure will not be scored, but it is mandatory.

