MIPS 2025: Promoting Interoperability Requirements
Stricter submissions, fewer exemptions, and higher stakes for MIPS performance.
CMS has tightened the rules. Promoting Interoperability is no longer just about exchanging data.
The MIPS 2025 performance year brings new measures, removed exemptions, and increased scrutiny across the board. While the overall performance threshold remains at 75 points and data completeness stays at 75 percent, CMS is raising the stakes in how each category is evaluated.
We’ve recently published a few blogs that break down the Key changes for MIPS 2025 and the Quality category. A detailed update on the Improvement Activities category is coming soon, so stay tuned.
Now, let’s explore what’s new in the Promoting Interoperability category, where technical compliance meets clinical performance.
What is Promoting Interoperability, and Why Does it Matter?
The PI category rewards clinicians for using certified electronic health record technology (CEHRT) to improve patient access and coordinate care. But it’s not just about having a certified EHR. Providers must now demonstrate how well their systems handle data sharing, patient access, and cybersecurity.
It’s also a high-weighted category. For many providers, PI contributes 25 percent of their final MIPS score. Errors or missing pieces can significantly affect payment adjustments.
EHR Reporting Period: Choose Wisely
For 2025, CMS continues to offer flexibility in the Promoting Interoperability category. Clinicians can pick any continuous 180-day window within the calendar year to report their data. This means you’re not bound to a fixed half of the year - you get to choose when your data story looks strongest. But that also means you need to actively track performance throughout the year.
Why it Matters
You’re not locked into a fixed timeline, but this flexibility comes with responsibility. To choose the most favorable window, you’ll need consistent monitoring and clean documentation across the year.
Pro Tip
We’re already deep into Q3, which means the final possible 180-day window is already in progress. If you haven’t locked in your reporting period, start reviewing performance now. Delaying may cost you opportunities to fix issues and improve your score.
Cybersecurity in MIPS: What You Must Know
1. Security Risk Analysis (SRA)
This annual requirement applies to all MIPS participants under the PI category. You must assess your EHR system for security vulnerabilities, address any weaknesses, and document the changes.
Failing to complete the SRA leads to a score of zero for the entire PI category. That alone can put your overall MIPS score at risk.
2. CMS Cybersecurity Oversight for Vendors
Registries, QCDRs, and Health IT vendors that handle MIPS data must follow CMS-defined cybersecurity rules. These rules are not vague expectations - they are specific, structured policies that guide how vendors must secure systems, handle sensitive data, and respond to threats.
Oversight is managed by CMS’s Information Security and Privacy Group (ISPG) and the Office of Information Technology (OIT), which enforce the following key strategies:
1. Zero Trust Architecture
Vendors should never assume any system or user is trustworthy. Every access request must be verified - trust nothing and verify everything.
2. Cyber Risk Management Framework
Vendors must assess and respond to cybersecurity risks. That includes threat detection, continuous monitoring, and having a clear response plan.
3. Prioritization of Mitigation
Not all risks are equal. CMS expects vendors to fix the most critical issues first. Fast response to serious threats is non-negotiable.
If your company builds or manages MIPS-related tools or infrastructure, you are part of CMS’s cybersecurity chain of trust. These rules aren’t just best practices - they’re essential for maintaining vendor status and ensuring data security across the healthcare ecosystem.
3. Certified Health IT Security Requirements
To participate in MIPS, providers must use ONC-certified technology. These systems are required to include key protections:
Secure login and authentication
Data encryption
Activity monitoring and audit logs
These protections must be active, not just included in the system.
Using a certified EHR alone is not enough. MIPS eligible providers must actively use the required security features. If secure login or audit logs are turned off, patient data and your MIPS score are at risk. CMS expects real protection, not checkbox compliance.
Changes to Automatic Reweighting
In 2025, fewer clinicians will qualify for automatic Promoting Interoperability (PI) reweighting. Clinical social workers, who were previously exempt, are now expected to report unless they qualify under a different exemption.
Still automatically reweighted:
· Ambulatory Surgical Center-based clinicians
· Hospital-based clinicians
· Non-patient-facing clinicians
· Small practices
Why it Matters
Many assumed exemptions are no longer guaranteed. If you skip PI without confirming eligibility, your score could drop to zero. CMS is tightening the rules. Recheck your eligibility status.
Pro Tip for Small Practices
If you are a small practice (<15 providers), consider submitting for the PI category instead of claiming reweighting. Why? The Quality category has tougher benchmarks. In our experience, practices earn a higher overall score when they report both PI and Quality data.
Submission Rules: Every Detail Counts
PI submissions must now include:
Complete performance data
Required attestations
A valid CMS EHR Certification ID
Submissions missing any of these will not be scored.
Why it Matters
There are no partial points. CMS treats incomplete data as a failed submission.
Pro Tip
Validate your submission files early. Make sure all required fields are present and correctly formatted, including the CMS Certification ID and attestations. Even a small omission can cost you the entire PI score.
You Can Submit More Than Once
CMS now accepts multiple submissions per reporting period. It will retain them all but score only the highest one submitted before the deadline.
Why it Matters
Submitting early gives you a chance to make corrections. Submitting on deadline gives you no second chances.
Pro Tip
Treat submissions as a process, not a single event. Validate your data early. Submit once, review again, and submit a final version if needed.
How MyMipsScore™ can support you
Darena Health’s MyMipsScore solution helps EHR vendors and provider organizations comply with evolving CMS requirements. We offer certified technology and infrastructure that meets ONC and CMS standards, including FHIR-based APIs and a CMS-qualified registry.
Our team handles the behind-the-scenes compliance tasks that can easily fall through the cracks. We support Security Risk Analysis, maintain audit-ready documentation, and help validate every field required by CMS.
We don’t just help you meet the PI requirements. We help you understand them, prepare for them, and stay one step ahead.
Ready to Strengthen Your MIPS Reporting?
Promoting Interoperability is no longer a low-effort compliance category. From security gaps to submission errors, the risks are real. Whether you’re an EHR vendor updating your product or a provider organization planning your MIPS strategy, staying proactive is your best advantage.
Contact us to explore how we can support your 2025 compliance goals.
