Published 4/1/2017
Cindy Bracy, MPH, RHIA

ACI and HIPAA Security Risk Assessment Measure Requirement

The base score for ACI equals 50 percent of the overall ACI score and is a mandatory component in order to receive any points within the ACI performance category. Therefore, a MIPS-eligible clinician must report all six base score measures to earn the full base score, and then he or she can earn additional points through the performance score. However, in 2017, the requirements have been reduced during the transition period.

In 2017, to receive the 50 percent base score, MIPS-eligible clinicians must submit the following base score transition measures:
  • Security Risk Analysis
  • e-Prescribing
  • Provide Patient Access
  • Health Information Exchange

The additional measures for the performance score include:
  • Provide Patient Access – up to 20 percent
  • Health Information Exchange – up to 20 percent
  • View, Download, or Transmit (VDT) – up to 10 percent
  • Patient-Specific Education – up to 10 percent
  • Secure Messaging – up to 10 percent
  • Medication Reconciliation – up to 10 percent
  • Immunization Registry Reporting – 0 or 10 percent

The bonus score requirements include:
  • Syndromic Surveillance Reporting
  • Specialized Registry Reporting
  • Report certain improvement activities using certified electronic health record technology (CEHRT) – 10 percent

As required by the Health Insurance Portability and Accountability Act (HIPAA), an eligible clinician must conduct a security risk analysis, including addressing the security and encryption of electronic protected health information created or maintained by CEHRT, implement security updates as necessary, and correct identified security deficiencies as part of the risk management process.

Under the first objective, Protect Patient Health Information, the HIPAA Security Risk Assessment (SRA) measure must be met starting in 2017. The objective and measure read as follows:

Objective: Protect Patient Health Information. Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Security Risk Analysis Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician's risk management process.

Note that the measure is satisfied by conducting or reviewing the analysis in each year for which it is attested, not by a one-time assessment. Keep the analysis itself, the resulting risk management plan, and evidence that identified deficiencies were corrected; those documents are what an auditor will ask for.


We (CMS) proposed that a MIPS eligible clinician must meet this objective and measure to earn any score within the advancing care information performance category. Failure to do so would result in a base score of zero under either the primary proposal or alternate outlined proposal, as well as a performance score of zero (discussed in section II.E.5.g. of the proposed rule (81 FR 28215)) and an advancing care information performance category score of zero.

According to Andy Slavitt, acting administrator, Centers for Medicare & Medicaid Services, and Karen DeSalvo, MD, national coordinator, Office of the National Coordinator for Health IT, the goal of ACI is to “support the vision of a simpler, more connected, less burdensome technology. Compared to the existing Medicare Meaningful Use program for physicians, the new approach increases flexibility, reduces burden, and improves patient outcomes.”

Cindy Bracy, MPH, RHIA, is manager, practice resources, in the AAOS Office of Government Relations. She can be reached at bracy@aaos.org

Meaningful Use to MIPS
Keep these points in mind during the transition from Meaningful Use to MIPS:

  • During the transition year, CMS will award a bonus score for improvement activities that utilize CEHRT and for reporting to public health or clinical data registries.
  • In 2017, use of 2014 CEHRT or a combination of 2014 and 2015 CEHRT is permitted. In 2018, only systems certified to the 2015 CEHRT standards will be permitted. Therefore, it is important to verify whether your electronic health record is, or will be, certified to the 2015 standards before 2018.