MIPS Promoting Interoperability | Measures, CEHRT, and SRA

MIPS Promoting Interoperability (PI) is the EHR-driven information-exchange category within the Merit-Based Incentive Payment System (MIPS). It is worth 25 percent of the 2026 MIPS final score. Clinicians report PI data across a minimum 180-day continuous period using the 2015 Edition Cures Update CEHRT. The category score builds from a mandatory base score, scored performance objectives, and optional bonus measures. Each clinician must also pass a Security Risk Analysis (SRA) attestation as a HIPAA Security Rule compliance check.
What is MIPS Promoting Interoperability?
MIPS Promoting Interoperability (PI) is the EHR-driven information-exchange performance category CMS uses to measure clinician use of certified EHR technology. It operates under the Merit-Based Incentive Payment System. PI is one of four MIPS performance categories, alongside Quality, Cost, and Improvement Activities.
PI accounts for 25 percent of the 2026 MIPS final score. The category replaced the Medicare EHR Incentive Program (Meaningful Use) in 2017, when the MACRA Quality Payment Program took effect.
Key point: PI keeps the same 25 percent weight in 2026 that it carried in prior performance years.

How does PI contribute to the MIPS final score?
The PI category contributes up to 25 points to the MIPS final score. CMS calculates this by multiplying the clinician PI category percent score by the 25 percent weight. The four MIPS categories combine into a single score from 0 to 100.
| Category | Weight | Max Points |
|---|---|---|
| Quality | 30% | 30 |
| Cost | 30% | 30 |
| Promoting Interoperability | 25% | 25 |
| Improvement Activities | 15% | 15 |
| MIPS Final Score | 100% | 100 |
A clinician must clear the 75-point performance threshold to avoid the -9 percent Medicare Part B penalty. The threshold remains at 75 points through the 2028 performance year.
Did MIPS Promoting Interoperability Change for 2026?
Yes. CMS finalized four PI changes for the 2026 performance year:
- The Security Risk Analysis now requires two yes attestations, covering the SRA itself and risk-management activities.
- Clinicians must use the updated SAFER Guides for the High Priority Practices measure self-assessment.
- A new TEFCA bonus measure was added under the Public Health and Clinical Data Exchange objective.
- CMS finalized a measure suppression policy for circumstances that prevent reporting specific PI measures.
What are MIPS PI measures and objectives?
MIPS Promoting Interoperability uses a three-tier measure structure built around a single gate. A base score gates the entire category before any points count. Performance score points follow, tied to specific measure objectives. Bonus measures add optional points on top of base and performance.
The base score covers four required objectives that every reporting clinician must satisfy:
- e-Prescribing, which tracks the electronic transmission of prescriptions.
- Health Information Exchange (HIE), which covers sending and receiving patient records.
- Provider to Patient Exchange, which gives patients electronic access to their data.
- Public Health and Clinical Data Exchange, which reports data to public-health agencies.
Performance scoring is the second tier, where clinicians earn points based on actual measure rates. Bonus measures form the third tier and add up to 5 points across four available pathways.
The sections below cover the base score gate, the performance-score objectives, bonus measures, the TEFCA bonus measure for 2026, and whether points are possible without the base score. For the complete inventory, see the full 2026 MIPS PI measures and objectives list.
What is the PI Base Score Requirement?
The PI base score is the mandatory minimum performance requirement across four required objectives. A clinician must meet it to earn any PI points at all. The four base-score objectives are:
- e-Prescribing for electronic prescription transmission.
- Health Information Exchange (HIE) for record exchange between providers.
- Provider to Patient Exchange for patient electronic access.
- Public Health and Clinical Data Exchange for reporting to public-health systems.
Failure to meet any required measure produces a PI category score of zero for the entire performance period. The zero applies regardless of strong performance or bonus results. The base score functions as a pass-or-fail gate, not a partial-credit tier.
What are the PI Performance-score Objectives?
After meeting the base score, clinicians earn performance-score points based on the rates they achieve. Each measure carries a denominator and a numerator. Higher numerator-to-denominator ratios earn more points, up to each measure’s maximum. Clinicians select among three HIE objective options for 2026:
- Send/Receive & Reconcile measures, the traditional exchange pathway.
- HIE Bi-Directional Exchange, a single consolidated exchange measure.
- Enabling Exchange under TEFCA, a network-based exchange pathway.
The HIE objective lets clinicians match their EHR exchange capabilities to the most achievable option. Practices with limited connectivity often choose the bidirectional or TEFCA route. The choice does not affect the base-score requirement, which remains mandatory.
What Bonus Measures Exist in PI?
Bonus measures are optional pathways under the Public Health and Clinical Data Exchange objective. They add up to 5 points on top of a clinician’s base and performance score. A clinician earns a maximum of 5 bonus points across all four available bonus measures. Reporting more than one bonus measure does not raise the total beyond the cap.
The four bonus measures are the original three Public Health and Clinical Data Exchange measures, plus the new 2026 TEFCA bonus measure. Bonus measures are voluntary, and skipping them does not affect base or performance scoring. They function purely as additive points within the fixed cap.
How Does the TEFCA Bonus Measure Work?
The Public Health Reporting Using TEFCA bonus measure is new for the 2026 performance year. It joins three pre-existing bonus measures under the Public Health and Clinical Data Exchange objective. TEFCA (the Trusted Exchange Framework and Common Agreement) is a national framework ONC published to standardize health information exchange across networks.
A clinician earns the bonus by reporting public-health data through a Qualified Health Information Network (QHIN) that participates in TEFCA. This can replace or supplement reporting through traditional public-health registries. The TEFCA bonus shares the same 5-point cap that applies to all four bonus measures. Reporting via TEFCA does not stack points beyond that cap.
TEFCA reporting is voluntary. Clinicians not yet connected to a QHIN can still earn full PI points through the original three bonus measures.
Can a Clinician Earn PI Points Without Completing the Base Score?
No. The PI base score is a gate, not a contributor. Failure to meet any required base-score measure produces a PI category score of zero for the entire performance period. This holds regardless of performance-score results or the number of bonus measures completed.
What CEHRT requirement applies to MIPS PI?
MIPS Promoting Interoperability requires Certified Electronic Health Record Technology (CEHRT) for reporting. Specifically, clinicians must use the 2015 Edition Cures Update CEHRT for a minimum of 180 continuous days during 2026. CEHRT is EHR software certified by the Office of the National Coordinator (ONC) to meet defined functional and interoperability standards.
The 2026 requirement is the Cures Update edition, not earlier 2015 Edition variants. Clinicians choose any 180 consecutive days that end on or before December 31. The last possible 180-day start date is July 5 for a full-year submission. CEHRT is also the submission mechanism, so clinicians report MIPS PI via their CEHRT-equipped EHR.
What is the 2015 Edition Cures Update CEHRT?
2015 Edition Cures Update CEHRT is the current Office of the National Coordinator (ONC) certified EHR standard required for MIPS PI in 2026. It builds on the original 2015 Edition by adding requirements from the 21st Century Cures Act. The Cures Update introduces three additional capability areas:
- Information-blocking compliance under the Cures Act rule.
- API-based data access for patients.
- Updated USCDI (United States Core Data for Interoperability) data classes.
EHR vendors publish ONC certification identifiers, such as the CMS EHR Certification ID. Clinicians use that identifier to attest to CEHRT use in PI submissions. The next section covers how long a clinician must run CEHRT during the year.
How Long is the PI Performance Period?
The PI performance period is a minimum of 180 continuous days within the 2026 calendar year. Clinicians choose any 180-day window that ends on or before December 31. The last possible 180-day start date is July 5, 2026. Any later start means the window cannot be completed by December 31, and PI reporting is forfeited.
Clinicians who installed CEHRT mid-year can still report PI if their window completes by year-end. The PI window differs from other categories. Quality measures use the full calendar year, while Improvement Activities require only 90 continuous days.
Do I need a 2015 Edition Cures Update CEHRT for PI?
Yes. MIPS PI for 2026 requires 2015 Edition Cures Update CEHRT, not the earlier 2015 Edition base variant. Clinicians using non-Cures-Update CEHRT cannot meet the base-score requirement and will score zero on PI. Most major EHR vendors completed the Cures Update transition during 2023 and 2024.
What is the MIPS PI Security Risk Analysis requirement?

The MIPS PI Security Risk Analysis (SRA) is an annual review of the practice’s security risk management posture. It is required under the HIPAA Security Rule and enforced in PI through attestation. The SRA is a documented evaluation of risks to electronic protected health information (ePHI). It covers administrative, physical, and technical safeguards across the practice.
Beginning in 2026, clinicians must attest yes to two separate questions. The first confirms that the SRA was conducted or reviewed during the performance period. The second confirms that security risk management activities were performed during that same period. A no on either attestation yields a PI score of zero, so the SRA acts as a hard gate.
The sections below cover the two-attestation rule, the SAFER Guide attestation, common audit findings, and the zero-out effect. For documentation guidance, see how to document the MIPS Security Risk Analysis.
What Does the 2026 Two-attestation SRA Require?
For the 2026 performance year, CMS requires clinicians to answer yes to two separate Security Risk Analysis attestations. A no on either triggers a zero PI score. The two attestation questions are stated explicitly below:
- Attestation 1: Was a Security Risk Analysis conducted or reviewed during the 2026 performance period?
- Attestation 2: Were security risk management activities performed during the 2026 performance period under the HIPAA Security Rule?
A no on either attestation yields a PI category score of zero for the entire period. Prior years required only the first attestation. The second attestation is new for 2026 and reflects an emphasis on risk-management actions, not just the analysis document.
In practice, clinicians should retain documentation of both items. That includes the SRA report and evidence of risk-management activities, such as mitigation plans, policy updates, and training records.
How Does the SAFER Guide Attestation Work?
The SAFER Guide attestation is a separate yes or no requirement under the PI High Priority Practices measure. It asks clinicians to confirm an annual self-assessment using the updated ONC-published SAFER Guides. ONC publishes nine SAFER Guides covering EHR safety domains. Examples include system configuration, contingency planning, and patient identification.
Clinicians must use the updated SAFER Guides published by ONC for 2026. The previous-year version is not accepted. A no on the SAFER Guide attestation produces zero points on the High Priority Practices measure. This effect is separate from the SRA attestation but carries the same binary consequence.
What are Common MIPS PI Security Risk Analysis Audit Findings?
CMS audit findings for MIPS PI Security Risk Analysis typically fall into four categories:
- Missing risk-management activities documentation, where the SRA exists but shows no evidence of follow-through, such as mitigation plans or staff training.
- Outdated SRA, completed more than 12 months before the start of the performance period.
- An incomplete asset inventory, where the SRA scope omitted systems handling ePHI, such as the patient portal or mobile device access.
- SAFER Guide attestation submitted without underlying self-assessment documentation.
Practices should retain SRA documentation for at least 6 years per HIPAA retention requirements. They should also keep all evidence of risk-management activities completed during the performance year.
Does a Missed SRA Attestation Zero Out PI?
Yes. A no on either of the two SRA attestations yields a PI category score of zero for the entire 2026 performance period. This applies to the SRA-conducted attestation and the risk-management-activities attestation alike. The zero holds even when the clinician completed all base-score measures and earned high performance and bonus scores.
How is the MIPS PI Score Calculated?

The PI Category Percent Score sums performance-score points and bonus-measure points. CMS divides that sum by 100 maximum possible points, then multiplies by 100. This calculation applies only after the base score is met.
PI Category Percent Score = ((Performance Score Points + Bonus Points) / 100) × 100
PI Contribution to MIPS Final Score = PI Category Percent Score × 25 percent weight
A worked example shows the math in practice. Suppose a clinician completes all base-score measures, earns 60 of 70 performance-score points, and earns 5 bonus points.
- Sum the points: 60 + 5 = 65 points.
- PI category percent score: 65 / 100 × 100 = 65 percent.
- Weighted contribution: 65 percent × 25 percent = 16.25 of 25 possible MIPS Final Score points.
The base score remains the precondition. Without it, none of these calculations apply, and the PI score is zero.
Which Special Statuses Trigger Automatic PI Reweighting?
CMS automatically reweights PI to 0 percent for clinicians in four special-status categories. These clinicians do not need to submit PI data. The 25 percent PI weight then redistributes to other performance categories.
| Special Status | Qualifying Threshold |
|---|---|
| ASC-based clinician | 75 percent or more of services billed under Place of Service code 24 |
| Hospital-based clinician | 75 percent or more of services billed under inpatient, ED, or observation codes |
| Non-patient-facing clinician | 100 or fewer patient-facing encounters per year |
| Small practice | 15 or fewer eligible clinicians under one TIN |
A clinician with auto-reweighted PI can still voluntarily submit PI data. Voluntary submission overrides the automatic reweighting, and the clinician is scored on the submitted data.
Other clinicians can apply for a Hardship Exception or an Extreme and Uncontrollable Circumstances (EUC) exception. If approved, either exception also reweights PI to 0 percent.
What changed for MIPS PI in 2026?
CMS finalized four MIPS PI changes for the 2026 performance year in the November 5, 2025, Physician Fee Schedule Final Rule. The four changes are listed below:
- The Security Risk Analysis now requires two yes attestations, one for the SRA conducted or reviewed and one for risk-management activities performed. A no on either yields a zero PI score.
- Clinicians must use the updated SAFER Guides for the High Priority Practices measure self-assessment.
- The new TEFCA bonus measure was added under the Public Health and Clinical Data Exchange objective, joining three existing bonus measures within the 5-point cap.
- CMS finalized a measure suppression policy that allows full credit when defined circumstances prevent reporting specific PI measures, such as paused electronic case reporting registries.
Standard PI weighting remains 25 percent of the MIPS Final Score. The four changes affect requirements within PI but not its weight contribution.
How Does Macralytics Support MIPS PI Submission?
Macralytics supports MIPS PI submission through a four-step EHR consulting service workflow:
- CEHRT verification. Confirm that the practice EHR holds the 2015 Edition Cures Update certification and can generate PI measure data.
- SRA documentation review. Validate that the Security Risk Analysis is current, complete, and supports both required 2026 attestations.
- PI submission via Macralytics Qualified Registry. Extract measure data from CEHRT and submit during the CMS window, January 2 to March 31 of the following year.
- Audit-prep retention. Retain the SRA, SAFER Guide self-assessments, and submission records for the 6-year HIPAA retention period.
This workflow keeps documentation aligned with the 2026 attestation rules. See how we set up your EHR for MIPS PI.

Do MIPS Value Pathway (MVP) Requirements Include PI measures?
Yes. PI is the foundation layer of every MIPS Value Pathway (MVP). Each MVP includes the entire PI measure set as a mandatory foundation. It sits alongside MVP-specific Quality measures, Improvement Activities, and Cost measures.
MVP clinicians follow the same PI base score, performance score, bonus measures, CEHRT, and SRA two-attestation rules as Traditional MIPS clinicians. A clinician with auto-reweighted PI keeps that reweighting under MVP reporting. This applies to ASC-based, hospital-based, non-patient-facing, and small-practice statuses.
MIPS Promoting Interoperability is the EHR-driven information-exchange component of the MIPS final score. It is 25 percent in 2026, scored over a 180-day continuous performance period using the 2015 Edition Cures Update CEHRT, and gated by the Security Risk Analysis two-attestation requirement. Clinicians in ASC-based, hospital-based, non-patient-facing, or small-practice statuses see PI auto-reweighted to 0 percent. Everyone else must clear the base score before earning any PI points. For the full framework, see our overview of the four MIPS performance categories.
