Although a Security Risk Analysis (SRA) is not a Promoting Interoperability (PI) stand-alone measure this year, MIPS eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.
Failure to complete these required actions will result in no score for the PI category.
It is acceptable for the SRA to be conducted or reviewed outside the performance period; however, the analysis must be unique for each performance period, include the full MIPS performance period and it must be conducted with the current calendar year.
Furthermore, an analysis must be completed when 2015 Edition CEHRT is implemented or upon installation or upgrade to a new system. For more details, review the 2019 MIPS Promoting Interoperability - Security Risk Assessment fact sheet.