Attesting to MIPS? Don’t forget about the Security Risk Analysis

October 11, 2023

It’s your practice’s responsibility to get the SRA done, not your EHR
The Merit-Based Incentive Payment System (MIPS) is a Medicare program that rewards eligible clinicians and groups for providing high-quality, cost-effective care. MIPS is a value-based payment program, which means that it ties payments to performance in four categories: quality, promoting interoperability, improvement activities, and cost.

Eye care practices are eligible to participate in MIPS, and they can earn financial incentives for performing well on the program’s measures. One of the most important measures in MIPS is the Security Risk Analysis (SRA).

The SRA is a process that helps eye care practices identify and mitigate security risks to their patients’ protected health information (PHI). The SRA must be conducted annually, and MIPS-eligible clinicians must attest to completing an SRA in order to receive a score for the Promoting Interoperability performance category.

There are many reasons why SRAs are important for eye care practices. First, SRAs help practices comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities to protect the privacy and security of PHI. Second, SRAs can help practices avoid costly and damaging data breaches.

Data breaches can have a significant financial impact on eye care practices. In addition to the direct costs of responding to a breach, practices may also face lost revenue, reputational damage, and liability lawsuits.

SRAs can help eye care practices to avoid data breaches by identifying and addressing security risks. The SRA process involves assessing the practice’s physical, technical, and administrative safeguards and implementing corrective actions to address any identified deficiencies.

In addition to helping practices comply with HIPAA and avoid data breaches, SRAs can also help practices improve their overall security posture. By regularly conducting SRAs, practices can identify and address new security threats as they emerge.

Eye care practices can conduct SRAs on their own, or they can hire a qualified third party to assist them. There are many resources available to help practices conduct SRAs, including the CMS website, the HIPAA Security Rule website, and the ONC website.

Here are some tips for eye care practices conducting SRAs:

  • Go outside of your organization and consult with an expert.
  • Be thorough and comprehensive in your assessment of the practice’s security risks.
  • Assign risk levels based on the likelihood of a threat occurring and the potential impact a threat would have.
  • Use the risk levels to prioritize corrective actions and address any identified deficiencies.
  • Document the SRA process and findings.
  • Review the SRA regularly and update it as needed.
By conducting regular SRAs, eye care practices can protect their patients’ PHI, avoid costly data breaches, and improve their overall security posture.

Need help or have questions? Click here to schedule a complimentary compliance consultation with an expert today!