Confused about the new MIPS Promoting Interoperability (PI) category High Priority Safety Assurance Factors for EHR Resilience (SAFER) Guide attestation? You're not alone. We have been getting a lot of questions on this new requirement.
For more information about 2022 MIPS, check out our blog article on the major changes for 2022 MIPS.
Why is the High Priority SAFER Guide Now a Required Attestation?
Since 2018, cyberattacks on the US healthcare system have more than doubled. Over the last two years specifically, hacking incidents targeting outpatient facilities and specialty clinics increased dramatically (41% more in 2021 than in 2020). In short, cybercriminals are concentrating on the healthcare sector and have been shifting their attention away from major hospitals and towards outpatient offices.
Cyberattacks cost the US healthcare system over $20 billion a year and have compromised the data of over 45 million people. Unfortunately, this growing trend of cyberattacks on healthcare does not seem to be ending anytime soon.
Over the past few years these attacks have also grown more sophisticated and more expensive to recover from: the average cost to recover each patient record rose more than 16% from 2019 to 2020. The average healthcare ransomware payment is $131,304, and 69% of those who pay the ransom do not recover their data. Services promising data recovery for those who choose not to pay, or who pay and recover nothing, start at $15,000.
The possibility of data loss, extended downtime from loss of access, and violations of patient privacy makes the resiliency of EHR systems vitally important to healthcare providers. The SAFER Guide attestation helps organizations actively prepare for cybersecurity breaches and attacks.
For Whom is the High Priority SAFER Guide Attestation Required?
Anyone reporting the MIPS PI category, or participating in the Promoting Interoperability Programs, must complete it. Even if you receive a PI hardship exception, consider performing this annual review anyway to avoid some of the staggering costs associated with cyberattacks.
For the 2022 performance year only, all that is required is attesting "yes" or "no" to the SAFER Guide attestation statement.
What is Required to Attest "Yes"?
You must complete the High Priority Practices SAFER Guide. This does not require you or your organization to immediately implement all of the recommended practices in the guide. It does require that you complete the SAFER Guide worksheets, that your organization's current practices have been evaluated against them, and that any potential practical and beneficial changes are identified and documented.
Important Note: The SAFER Guide requirement is separate from the HIPAA Security Risk Analysis (SRA) requirements. The SAFER Guide does not fulfill the HIPAA requirement to complete an annual SRA.
How to Complete the High Priority SAFER Guide
Completing the High Priority SAFER Guide means working through a checklist that rates how closely your organization follows each high priority recommended practice, using the following scale:
- Fully in all areas
- Partially in some areas
- Not implemented
Each recommended practice has an associated worksheet for note-taking and for identifying any actions you may need to take to make your practice more secure. These worksheets also include examples of what the implementation of the recommended practices might require.
While this might at first seem like a daunting task (the guide consists of 18 recommended practices), the guide is actually well laid out and fairly straightforward.
The documents are downloadable and shareable, so your team can collaborate on them easily and in their own time.
The guide assesses readiness across many areas. Some of the specific examples given for the recommended practices will not be relevant to every organization or provider. You are only required to assess those recommended practices and dimensions that are relevant to you or your organization. The intent of this requirement is for MIPS eligible clinicians to regularly assess their progress and status on important facets of patient safety.
Domain 1: Safe Health IT
The first domain will likely require collaboration with your EHR vendor. One way to do this is to email these questions to your contact at your EHR vendor and ask for an update on their implementation of these recommended practices. Make sure to check the worksheets associated with the recommended practices for any additional detail you may need.
Domain 2: Using Health IT Safely
This domain requires you to evaluate how health IT is used in your office. To complete the worksheets for this domain, you will need to consult all members of your practice who use the EHR or other health IT, or have each of them fill out this portion based on their own use and experience.
Domain 3: Monitoring Safety
This domain consists of evaluating policies, practices and procedures. The person who completes the HIPAA SRA can complete it on their own. If someone else is in charge of completing the SAFER Guide, they will likely need to complete this section in collaboration with your practice's HIPAA security officer.
If you are unsure about the implementation of a recommended practice, check the worksheet for that practice and look for "Sources of Input" in the upper right corner. This lists who in your organization might know more.
- Share this information with your colleagues.
- Subscribe to our newsletter to get alerts on this and other important issues. You can subscribe using the field in our website footer below.
- If you are a MarsdenAdvisors client:
  - If you have not already done so, schedule your 2022 kickoff call and watch the pre-kickoff presentation.
  - Contact your Client Success Manager if you have any questions.
- If you are not a MarsdenAdvisors client:
  - Contact us to learn more about our MIPS Success Plan and to reap the rewards of our combined decades of experience.
If you have any questions on this, let us know!