New Requirement: MIPS SAFER Guide Explained

Confused about the new MIPS Promoting Interoperability (PI) category High Priority Practices Safety Assurance Factors for EHR Resilience (SAFER) Guide attestation? You’re not alone. We have been getting a lot of questions on this new requirement.

In this article we explain why the SAFER Guide measure is now required, how to determine your best course of action, and what the SAFER Guide measure entails.

Beginning with MIPS performance year 2024, completing this guide is a requirement for the PI category of MIPS. For more information about 2024 MIPS, check out our blog article on the major changes for 2024 MIPS.

Why is the High Priority SAFER Guide Now a Required Attestation?

Since 2018, cyberattacks on the US healthcare system have more than doubled. Over the last several years, hacking incidents targeted at outpatient facilities and specialty clinics increased dramatically (by 41% in 2021 compared to 2020). The FBI reports 249 ransomware attacks against health care and public health organizations in 2023. In short, cybercriminals are focused on the healthcare sector and have been shifting their focus away from major hospitals and towards outpatient offices.

Cyberattacks cost the US healthcare system over $20 billion a year and have compromised the data of over 45 million people. Unfortunately, this growing trend of cyberattacks on healthcare does not seem to be ending anytime soon.

Over the past few years, these attacks have also grown more sophisticated, with more than a 16% increase in the average cost to recover each patient record in 2020 over 2019. The average healthcare ransomware payment is $131,304. Of those who pay the ransom, 69% do not recover their data.

The possibility of data loss, extended downtime due to lack of access, and violation of patient privacy makes the resiliency of EHR systems vitally important to healthcare providers. This has been exemplified by the recent Change Healthcare cyberattack. The SAFER Guide attestation helps organizations to actively prepare for cybersecurity breaches and attacks.

For Whom is the High Priority SAFER Guide Attestation Required?

The attestation is required for anyone reporting MIPS PI or participating in the Promoting Interoperability Programs (hospital PIP participants must complete all nine SAFER Guides). Even if you receive a PI hardship, consider performing this annual review anyway to avoid some of the staggering costs associated with cyberattacks.

Beginning with the 2024 performance year: You must attest “yes” to completing the High Priority Practices SAFER Guide self-assessment.

What is Required to Attest “Yes”?

You must complete the self-assessment portion of the High Priority Practices SAFER Guide. This does not require you or your organization to immediately implement all of the recommended practices mentioned in the guide. It does require that you complete the High Priority Practices SAFER Guide self-assessment checklist, that your organization’s practices have been evaluated, and that any potential practical and beneficial changes are known and documented.

Important Note: The SAFER Guide requirement is separate from the HIPAA Security Risk Analysis (SRA) requirements. The SAFER Guide does not fulfill the HIPAA requirement to complete an annual SRA.

How to Complete the High Priority SAFER Guide

Completing the High Priority Practices SAFER Guide entails completing a checklist of how aligned your organization is with high priority recommended practices using the following scale:

  • Fully in all areas
  • Partially in some areas
  • Not implemented

Each recommended practice has an associated worksheet for note-taking and for identifying any actions you may need to take to make your practice more secure. These worksheets also include examples of what the implementation of the recommended practices might require.

While this might, at first, seem like a daunting task — the guide consists of 18 “recommended practices” — the guide is actually well laid out and fairly straightforward.

The documents are downloadable & shareable, meaning that your team can collaborate on these documents easily and in their own time.

Generally, the guide assesses many areas of readiness. Some specific examples in the SAFER Guides for recommended practices will not be relevant to every practice or provider. You are only required to assess those recommended practices and dimensions relevant to you or your organization. The intent of this requirement is for MIPS eligible clinicians to regularly assess their progress and status on important facets of patient safety.

Domain 1: Safe Health IT

The first domain will likely require collaboration with your EHR vendor. One way to do this is to email these questions to your contact at your EHR vendor and ask for an update on their utilization of these recommended practices. Make sure to check the worksheets associated with the recommended practices for any additional detail you may need.

Domain 2: Using Health IT Safely

This domain requires you to evaluate how you use the health IT in your office. To complete the worksheets for this domain, you will have to communicate with all members of your practice who use the EHR and/or other health IT or have all of those practice members fill out this portion based on their own personal use and experience.

Domain 3

This domain consists of evaluating policies, practices and procedures. The person who completes the HIPAA SRA can complete this on their own. If someone else is in charge of completing this SAFER Guide, they will likely need to complete this section in collaboration with your practice’s HIPAA security officer.

If you are unsure about the implementation of a recommended practice, simply check the worksheet for that recommended practice and look for “sources of input” in the upper right corner. This outlines who in your organization might know more.

Next Steps
  • Share this information with your practice colleagues.
  • If you are an Anatomy IT client
    • Contact your MIPS Expert if you have any questions.
  • If you are not an Anatomy IT client
    • Contact us to learn more about our MIPS Success Plan and to reap the rewards of our combined decades of experience.

If you have any questions on this, let us know!