How the Promoting Interoperability Program Affects Healthcare Security

The Centers for Medicare & Medicaid Services (CMS) has increased the security compliance expectations for hospitals participating in the Promoting Interoperability (PI) Program, the successor to the Meaningful Use initiative. This brings changes for eligible hospitals and Critical Access Hospitals (CAHs), including a shift from only conducting a Security Risk Analysis (SRA) to also requiring active Security Risk Management (SRM). The change reflects CMS’s effort to have hospitals identify cybersecurity risks and reduce the threats to electronic protected health information (ePHI).

Key Takeaways

  • The CMS Promoting Interoperability Program raises security expectations, requiring hospitals to shift from solely conducting Security Risk Analysis to also implementing Security Risk Management processes.
  • Implementing these mitigation strategies poses significant challenges, including managing complex healthcare environments, addressing resource constraints, and aligning IT with administrative governance.
  • Healthcare practices must prioritize cybersecurity as an operational priority to enhance patient safety and streamline operations.

Promoting Interoperability Program

The Promoting Interoperability Program is part of CMS’s broader strategy to advance the effectiveness of Certified Electronic Health Record Technology (CEHRT) by improving interoperability and facilitating secure patient access to health information.

Healthcare entities participating in the program must comply with a range of outlined requirements. Under prior guidelines, eligible hospitals had to attest that they conducted or reviewed a security risk analysis of their CEHRT, including encryption and other security measures, and implemented necessary updates or corrections at least once during the reporting year. Practices that fail to meet the outlined requirements may face financial penalties or loss of PI performance credit.

Frameworks to Improve Healthcare Security

SAFER Guidelines

As an EHR-specific safety checklist and a best cyber-hygiene practice for healthcare organizations, the SAFER Guides serve as a roadmap toward compliance, helping practices mitigate errors, improve patient care, reduce malpractice risks, and enhance data protection.

The SAFER Guides are a required component of the PI program, meaning hospitals and clinicians must attest to completing the checklist. The digital landscape continues to evolve, making continuous improvement and agility crucial. CMS has released updates to the SAFER Guides that incorporate AI and evolving compliance components into the checklist; these take effect for the 2026 assessment year.

Three key considerations for CIOs in 2026 as updated SAFER Guides requirements take effect:

  1. Maintain Governance of AI in Clinical Workflows: With AI now explicitly incorporated into the SAFER Guides, CIOs need to establish strong governance frameworks around AI tools. Validating model performance and clinical safety, monitoring for bias, and maintaining transparency and explainability for clinicians are critical. AI initiatives must meet the same safety and reliability standards as other clinical systems.
  2. Establish a Process of Continuous Compliance vs. Point-in-Time Attestation: Although SAFER Guides are still tied to annual attestation, the expectation is shifting toward ongoing readiness. To reduce risk and avoid last-minute compliance gaps, CIOs should implement continuous monitoring tools for EHR safety and performance and integrate SAFER practices into daily operations rather than treating them as a yearly exercise.
  3. Enable Interoperability and Data Integrity at Scale: Poor data integrity will directly impact both compliance and patient safety under the updated framework. CIOs must strengthen data governance and standardization practices, monitor interfaces and third-party integrations for errors, and verify that AI systems and decision support tools rely on high-quality, reliable data inputs.

Security Risk Analysis

A Security Risk Analysis is a formal, documented review that evaluates an organization’s potential vulnerabilities affecting the confidentiality, integrity, and availability of ePHI. It is rooted in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule at 45 CFR 164.308(a)(1).

Security Risk Management

Starting in the 2026 reporting period, CMS requires eligible hospitals and CAHs to attest that they completed both a Security Risk Analysis and Security Risk Management activities. This means organizations must demonstrate how they added safeguards or processes to manage the risks identified in their analysis.

This shift aligns PI requirements more closely with the HIPAA Security Rule’s broader mandate for continuous risk management and monitoring. In practice, SRM requires documentation showing that policies and procedures are in place to respond to risk, assign accountability, track corrective actions, and demonstrate continuous improvement.

How the SAFER Guides, SRA, and SRM Interact

Understanding the relationship between the frameworks is key to successful implementation:

  • SRA identifies where ePHI may be at risk by examining systems, workflows, and technology. It is reflective and analytical by design, producing a documented snapshot of risk exposures.
  • SRM helps hospitals prioritize identified risks based on likelihood and impact, then plan and execute strategies to mitigate, transfer, or accept those risks.
  • The SAFER Guides help practices maintain EHR security and verify that all electronic records are operating safely and efficiently, ultimately serving as a proactive risk assessment as hospitals and practices continue to digitize.

Together, the three work to continuously verify that hospitals reconcile their security posture against evolving threats while maintaining compliance and streamlining workflows.

Five Common Compliance Challenges Hospitals Face

Many hospitals, especially those with limited IT and compliance resources, face challenges complying with the outlined requirements. Common obstacles include:

1. Scope Creep and Complexity

Healthcare environments are often complex, with numerous endpoints, cloud services, mobile devices, third-party systems, and interconnected networks. Identifying data flows and storage points for ePHI is time-consuming, leading to oversight and increasing the risk of incomplete analyses.

2. Resource Constraints

Smaller hospitals and CAHs may lack full-time security professionals, requiring leadership to shift responsibilities to existing clinical or IT staff. This can lead to incomplete documentation, delays, or superficial remediation efforts.

3. Documentation and Evidence for Audits

CMS may request documentation of SRA and SRM processes for up to six years, and auditors look for detailed records of risks, remediation plans, and ongoing monitoring.

4. Translating Identification into Action

Now that CMS requires SRM plans, many hospitals will need to make a cultural shift to effectively and proactively manage risks.

5. Aligning IT and Administrative Governance

Without a formal governance framework, hospitals may struggle to demonstrate ongoing compliance with CMS requirements.

Looking Ahead: From Compliance to Resilience

As the Promoting Interoperability program continues to elevate expectations around security, safety, and accountability, healthcare organizations must establish a proactive approach. The increasing integration of SAFER Guides, now expanded to address emerging technologies like AI, demands leadership that understands compliance requirements and how to operationalize them effectively across complex environments. This is where experience matters.

At EisnerAmper, our team brings senior-level insight and deep, hands-on experience in healthcare IT, cybersecurity, and regulatory frameworks, including SAFER. We help organizations embed requirements into resilient, forward-looking strategies that protect patients, strengthen systems, and position providers for long-term success.


Paul Douglas

Paul Douglas is a Partner in the firm and has more than 15 years of experience. Paul primarily focuses on IT risk advisory, data privacy and security strategies, and IT compliance. 