Skip to main content
Kareo and PatientPop are now Tebra. Becoming Tebra will take time and we appreciate your patience as we transition to the new brand experience.Learn More
Tebra Help Center

Protect Patient Health Information

  1. Last updated
  2. Save as PDF
Updated: 06/15/2023|Views: 1282

You must conduct or review a security risk analysis on your 2015 Edition CEHRT functionality on an annual basis, within the calendar year of the performance period. And, starting in 2022, you must also conduct an annual self-assessment using the High Priority Practices Guide (a part of the SAFER Guides), within the calendar year of the MIPS performance period. The SAFER guides help identify recommended /best practices to optimize the safety and safe use of EHRs and further enable the electronic exchange of health information.

Security Risk Analysis

Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

To meet this measure, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.

There are several options to complete this measure, including:

  • You may complete the Security Risk Assessment Tool (SRA Tool) found on the HealthIT website.
  • You may hire a vendor
  • You may do the research and complete the security risk analysis on your own; making sure that it meets the requirements described in the measure specification

Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards. For auditing purposes, keep a copy of your security risk analysis in your MIPS Audit Folder.

Attestation:  Yes / No
Performance Score Weight: Zero points. This measure will not be scored, but it is mandatory.
Additional Information: Failure to perform the security risk analysis will result in a total score of 0 points for the Promoting Interoperability performance category.

SAFER Guide Review

High Priority Practices Guide of the Safety Assurance Factors for EHR Resilience (SAFER) Guides Conduct an annual assessment of the High Priority Practices Guide SAFER Guide.


The MIPS eligible clinicians must attest YES or NO to conducting an annual self-assessment of the High Priority Practices Guide of the SAFER Guides in the 2023 performance period.

To Get Started:
  • Go to: https://www.healthit.gov/topic/safety/safer-guides
  • Complete the activities required by the Security Risk Analysis and High Priority Practices SAFER Guide and select “Yes” on the Promoting Interoperability Dashboard to indicate completion.
  • To complete the High Priority Practices Guide self-assessment, MIPS eligible clinicians are expected to fill out the checklist and practice worksheet at the beginning of the guide.
Attestation:  Yes / No
Performance Score Weight: Zero points. This measure will not be scored, but it is mandatory.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. MIPS
    2. protect patient health
    3. security risk analysis