Frequently Asked Questions

  ADA/508 friendly site


For the Protect Patient Health Information (ePHI) objective, can the security risk analysis or review take place outside the MIPS performance period.

Yes, it is acceptable for the security risk analysis to be conducted outside the MIPS performance period; however, the analysis must be conducted for the certified EHR technology used during the MIPS performance period and the analysis or review must be conducted on an annual basis. In other words, the MIPS eligible clinician or group must conduct a unique analysis or review applicable for the MIPS performance period and the scope of the analysis or review must include the full MIPS performance period. The analysis or review for the color: MIPS performance period must be conducted prior to the date of submission or attestation.

Was this answer helpful?