MIPS Tips No. 3: HIPAA Compliance & Risk Analysis

Introduction to MIPS

Are you ready for MIPS? Join us as we explore the next topic in our MIPS Tips series. This month, we will be focusing on HIPAA compliance and risk analysis assessments and why they are essential to MIPS. Let’s refresh on what we know so far. 

MIPS, or Merit-Based Incentive Payment System, is a value-based payment model that will link payments to quality and cost-efficient care1—in other words, your patients’ perception of the care they receive will be vital to your practice’s wellbeing. With this new program comes a number of new requirements for clinicians to make in regard to their practice and the care they provide to patients.

How MIPS Is Measured

Participation in MIPS is based on four areas of measurement: Quality, Improvement Activities, Cost, and Promoting Interoperability:

  • Quality – 40% of your final score. 
  • Improvement – 15% of your final score.  
  • Cost – 15% of your final score.
  • Promoting Interoperability –  25% of your final score. 

If you would like to learn more about each different area of measurement, please refer to the first post in our MIPS Tips series. 

For the purpose of this post, we will be focusing on Promoting Interoperability and how it relates to HIPAA compliance. When participating in MIPS, Promoting Interoperability is divided into five steps2

  • Understanding your reporting requirements.
  • Reviewing the CEHRT requirements. 
  • Reviewing the measures and performance period requirements. 
  • Performing or reviewing a security risk analysis.
  • Submitting data. 

You must follow these steps to align with Promoting Interoperability as it will impact your final score.

Understanding Your Risk 

Risk analysis plays a vital role in Promoting Interoperability, and ultimately, how you are scored. A comprehensive review of potential risks as a practice should be completed annually or within the performance period that data is being submitted.2 A risk analysis assessment is required as part of Promoting Interoperability. This analysis should outline your risks relating to confidentiality, integrity, and availability of electronic protected health information.3

For clinics to be considered HIPAA compliant, a risk analysis and a series of mandated HIPAA audits have to be completed.4 According to Frank Sivilli’s article “MACRA Measures, MIPS Measures, and HIPAA Compliance,” “Addressing HIPAA compliance will not only help you attest for MIPS and benefit from higher Medicare incentives, but will allow you to run your business without fear of audits and government fines.4

The Benefits of a Risk Analysis Assessment

There are a number of benefits to completing a risk analysis assessment—whether you currently participate in MIPS or not. This assessment could shed light on issues related to encryption and security of data—leading to the implementation of new strategies to be HIPAA compliant. It could also help you plan the steps your practice will take each year to improve. 

Prepare your practice for what lies ahead by completing a risk analysis assessment to prepare for MIPS and ensure you are HIPAA compliant.

Create an account with MeyerPT today or contact your personal account manager at 1.866.528.2144 for more information.


1“Merit-Based Incentive Payment System (MIPS) Overview.” QPP, qpp.cms.gov/mips/overview.

2“Promoting Interoperability Measures Requirements.” QPP, https://qpp.cms.gov/mips/promoting-interoperability?py=2020.

3HHS Office of the Secretary, Office for Civil Rights, and Ocr. “Guidance on Risk Analysis.” HHS.gov, US Department of Health and Human Services, 22 July 2019, www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?language=es.

4Sivilli, Frank. “MACRA Measures, MIPS Measures, and HIPAA Compliance.” Compliancy Group, Compliancy Group, 7 Nov. 2019, compliancy-group.com/macra-measures-mips-measures-hipaa-compliance/.

Recommended Products from PT Aligned