How to Ensure HIPAA Compliance in MIPS Reporting: Requirements and Best Practices

Conducting HIPAA Security Risk Analysis

Why the Security Risk Analysis matters

A documented Security Risk Analysis (SRA) is the foundation of HIPAA compliance and directly supports MIPS Promoting Interoperability measures. By evaluating how you create, receive, maintain, and transmit electronic protected health information (ePHI), you safeguard ePHI confidentiality, integrity, and availability while satisfying key attestation elements.

Scope and inventory

Define the full scope of systems and data flows that touch ePHI, including CEHRT, imaging systems, patient portals, billing, telehealth, mobile devices, and cloud services. Inventory users, locations, interfaces, and third parties to ensure no ePHI repositories are missed.

Risk methodology and documentation

• Identify threats and vulnerabilities across people, process, and technology.
• Assess likelihood and impact to produce a risk rating for each scenario.
• Map existing safeguards and gaps; prioritize remediation based on risk.
• Create a written risk register and risk management plan with owners and timelines.

Retain evidence of the SRA, remediation activities, and leadership approval. Reassess after major changes, incidents, or at least once during each performance period.

Common pitfalls to avoid

• Limiting the SRA to the EHR only rather than all ePHI systems and workflows.
• Completing an SRA without implementing and tracking remediation steps.
• Insufficient documentation of decisions, especially around encryption and access controls.

Meeting MIPS Performance Improvement Requirements

Align privacy and security with performance strategy

Integrate HIPAA activities into your approach for Quality, Promoting Interoperability measures, Improvement Activities, and Cost. Select measures that fit your clinical reality, set clear baselines and targets, and connect interventions to measurable outcomes.

Operationalize continuous improvement

• Use short Plan–Do–Study–Act cycles to test workflow changes and close care gaps.
• Embed privacy and security checkpoints into measure workflows (e.g., access reviews for users submitting data).
• Track progress on dashboards, review variances monthly, and document decisions for audit readiness.

Evidence clinicians can point to

Maintain artifacts such as training logs, policy updates, SRA remediation trackers, and meeting minutes that show a sustained performance improvement program tied to MIPS requirements.

Ensuring Data Completeness in Quality Reporting

Define the eligible population correctly

Verify that measure denominators include all applicable encounters and payers as required by CMS rules. Confirm provider attribution, site inclusion, and telehealth handling so no qualifying data is omitted.

Map data precisely to measure logic

• Validate code sets (CPT, ICD-10-CM, SNOMED CT, LOINC, RxNorm) and value sets used by your CEHRT or registry.
• Check that workflows capture needed data elements in structured fields, not notes.
• Reconcile exclusions, exceptions, and numerator events with clinical documentation.

Perform rigorous validation

• Run patient-level drilldowns to spot missing data, duplicates, or mapping errors.
• Compare preliminary results to prior periods; investigate outliers and sudden shifts.
• Document findings and remediation steps to support audit requests.

Utilizing Certified Electronic Health Record Technology

Confirm CEHRT certification criteria and version

Ensure your EHR and related modules meet applicable CEHRT certification criteria for the performance year. Track product name, version, and unique identifiers so you can confidently attest and resolve questions quickly.

Leverage CEHRT capabilities for reporting

• Enable features that support Promoting Interoperability measures, such as e-prescribing, clinical data exchange, and patient access.
• Use CEHRT outputs (logs, dashboards, measure exports) to validate quality results and submission files.
• Coordinate with your vendor on upgrades, interfaces, and any customizations that could affect certified functionality.

Strengthen data exchange and resilience

Test key interfaces, error handling, and data reconciliation before and during the reporting period. Establish fallback procedures for downtime so required data is still captured and available for submission.

Implementing Data Protection and Encryption Measures

Apply practical controls that stand up to scrutiny

• Encrypt ePHI in transit and at rest wherever reasonable and appropriate; if alternatives are used, document risk-based justifications to meet Data encryption requirements.
• Use strong authentication (e.g., MFA), least-privilege access, and prompt termination of access for role changes.
• Enable audit logging on CEHRT and critical systems; review logs routinely and retain them per policy.

Secure devices, backups, and keys

• Encrypt laptops and mobile devices; manage endpoints and removable media.
• Maintain tested, secure backups with defined recovery objectives; protect backups from tampering.
• Manage encryption keys with rotation, restricted access, and documented procedures.

Prepare for incidents

Implement an incident response plan, practice it, and document every event. Post-incident reviews should update your SRA, policies, and technical safeguards to reduce recurrence.

Managing Attestation and Reporting Periods

Plan the year and prevent last-minute risk

• Set an internal calendar for data capture, validation, and approvals well ahead of the CMS submission window.
• Assign clear roles for clinical leads, compliance, IT, and revenue cycle to avoid bottlenecks.

Execute the CMS attestation process with confidence

• Gather required artifacts: SRA documentation, CEHRT identifiers, measure screenshots, export files, policies, and Business Associate Agreements.
• Choose your submission method (e.g., portal, registry, or EHR) and run test submissions when available.
• Retain submission confirmations and a complete evidence package for audit readiness.

Handle changes and exceptions

If circumstances warrant reweighting or hardship exceptions, document the rationale and follow applicable steps within the defined timelines for the performance year.

Establishing Business Associate Agreements

Know when BAAs are required

Any vendor or partner that creates, receives, maintains, or transmits ePHI on your behalf is a business associate. Business Associate Agreements set expectations for ePHI confidentiality and required safeguards across your vendor ecosystem.

Include essential clauses

• Permitted uses and disclosures of ePHI and minimum necessary standards.
• Administrative, physical, and technical safeguards, including encryption and access controls.
• Breach reporting timelines, cooperation, and documentation duties.
• Subcontractor flow-down requirements and right-to-audit provisions.
• Termination, data return or destruction, and continuity obligations.

Manage vendors over time

• Keep an up-to-date vendor inventory mapped to services, data flows, and BAAs.
• Review BAAs periodically and when services or risk profiles change.
• Collect security attestations and remediate gaps through action plans.

Key takeaways

• Complete and document an SRA, then drive remediation to closure.
• Use CEHRT aligned to current certification criteria and validate data completeness.
• Implement strong encryption, access, and monitoring controls.
• Plan early for the CMS attestation process and maintain airtight evidence.
• Strengthen Business Associate Agreements and vendor oversight.

FAQs.

What is required for HIPAA Security Risk Analysis in MIPS reporting?

You need a documented Security Risk Analysis covering all systems and workflows that interact with ePHI, a risk management plan with prioritized remediation, and evidence that you implemented and tracked safeguards. The SRA should be current for the performance period and include inventories, risk ratings, mitigation steps, and leadership sign-off.

How does CEHRT impact MIPS measure reporting?

CEHRT enables required data capture, exchange, and measurement for Promoting Interoperability and supports accurate Quality submissions. Using technology that meets CEHRT certification criteria ensures you can produce valid measure outputs, export files, logs, and identifiers needed for attestation and audits.

What are the attestation requirements for MIPS compliance?

You must submit measures and attestations through the chosen channel, provide CEHRT details, and confirm activities such as completing the SRA. Maintain screenshots, reports, and policies as proof, and follow the CMS attestation process and timelines applicable to your performance year.

How can clinicians protect patient data during MIPS reporting?

Capture data in structured CEHRT fields, limit access via least privilege and MFA, encrypt data in transit and at rest, monitor audit logs, and use secure workflows for exports and submissions. Maintain current Business Associate Agreements and fold these practices into your ongoing risk management program.