Understanding the Promoting Interoperability Annual HIPAA Risk Assessment Requirement

CMS finalized changes to the Medicare Promoting Interoperability Program for eligible hospitals, office-based physicians and small business medical providers for fiscal year 2022. The new policies advance the use of certified electronic health record technology (CEHRT) and increase interoperability and patients' ease of access to their health information. As a small business in the health sector or an office-based physician, you need the services of a reliable risk assessment provider.

Electronic Health Record (EHR) Reporting Period in 2022

All participants attesting to CMS have a minimum EHR reporting period of 90 days. To avoid a downward Medicare payment adjustment, all eligible medical practitioners and medical services providers should attest.

To avoid a downward payment adjustment, eligible participants may use any of the following three options:

  1. Existing 2015 edition certification
  2. 2015 edition cures update
  3. Both of the above

The CEHRT functionality must be implemented by the first day of the EHR reporting period, and the product must be certified by the last day. For the entire reporting period, the eligible medical service provider or practitioner must use the functionality of the version they choose.

Medicare Promoting Interoperability Program participants must also attest to the following:

  • Security Risk Analysis measure
  • Safety Assurance Factors for EHR Resilience (SAFER) Guides measure
  • Actions to limit or restrict the compatibility or interoperability of CEHRT attestation
  • Office of the National Coordinator for Health Information Technology (ONC) Direct Review Attestation

Scoring Methodology

Eligible health services providers report the measures they implement and their performance against the program objectives; these contribute to their total Medicare Promoting Interoperability Program score. The minimum score for successful attestation is 60 points.

Security Risk Analysis Measure

The Security Risk Analysis measure is intended to ensure the safe handling of patient health data. It remains one of the Medicare Promoting Interoperability Program requirements for all eligible medical practitioners, office-based physicians and health services providers.

For successful attestation, eligible health providers must complete and review the actions in the Security Risk Analysis measure annually during the EHR reporting period.

What does the Security Risk Analysis Measure Entail?

  • Conducting or reviewing a security risk analysis of the CEHRT. This includes encryption, securing data, and implementing updates as required, on an annual basis.
  • When installing or upgrading a system, you must conduct an analysis and review that covers the specific EHR reporting period. Any deficiencies noted must be included in the facility's risk management process and corrected through the proper procedure.
  • An organization may conduct the security risk analysis outside an EHR reporting period under certain conditions: the analysis must be specific to the reporting period, cover the entire reporting period, and be conducted between January 1 and December 31 of the calendar year.
  • Under 45 CFR 164.308(a), the security risk analysis must assess an organization's potential risks to the ePHI it creates, receives, maintains, or transmits. The risks and vulnerabilities considered are those to the confidentiality, integrity, and availability of that data, and the analysis covers all electronic media, storage devices, and portable devices that hold it.

PI Provider Incentive Payment (PIP)

The PIP is a federal program that offers financial support to eligible hospitals, CAHs, office-based physicians and medical services providers. The payment incentive is intended to help these providers use the certified PI technology they implement to its full potential and so provide the best health care services. The goals of PIP are improving outcomes, facilitating access, simplifying care, and reducing the cost of health care. These goals are achieved by:

  • Enhancing care coordination and patient safety
  • Reducing paperwork, which improves efficiency
  • Facilitating information sharing across providers, payers, and state lines
  • Enabling the Health Information Exchange (HIE) and the National Health Information Network (NHIN) to communicate health information easily to authorized users

Guidance on Risk Analysis

The National Institute of Standards and Technology (NIST) developed the NIST HIPAA Security Toolkit Application to help organizations better understand the requirements of the HIPAA Security Rule. Some of the ways an organization can comply with the HIPAA Security Rule are:

  • Identifying the e-PHI that you create, receive, maintain or transmit within your organization
  • Identifying the external sources of your e-PHI, for example, vendors or consultants
  • Identifying the human, natural and environmental threats to the information systems that hold your organization's e-PHI

Adequate preventative risk assessment is paramount for every small business in the health sector and for office-based physicians. An effective risk assessment shows the areas where your business may be putting PHI at risk, helping you protect and grow your business; you should therefore entrust this responsibility only to the best. At PAPAYA, we understand that risk assessments can be costly, time-consuming, and even confusing. Let us handle your annual risk assessment with the utmost professionalism and ease, so that your business remains PIP compliant and you continue to receive the incentive payments. Contact us today to simplify security and compliance without sacrificing quality.