Start MACRA reporting with a HIPAA risk assessment, or don’t start at all

Buried deep inside MACRA (Medicare Access and CHIP Reauthorization Act) lies a key requirement for eligibility-the security risk assessment (SRA). If ignored it could undo the Herculean effort taken by physicians to reach high scores and maximize Medicare reimbursements, under the new Medicare payment reform plan.  

MACRA establishes a framework to reward physicians for providing higher quality care at lower costs and improving health outcomes for patients-a switch from fee for services to the value-based care model.  One pathway to higher reimbursement is the Merit-based Incentive Payment System (MIPS). 

Using MIPS calculations, clinicians are scored on performance and quality measures, costs, use of electronic health records, and improvement activities like patient safety and care coordination. Higher scores equal higher reimbursements.  For the first year, physicians will have to decide which measures they’ll report on, with measures increasing year by year. 

To achieve 25% of the MIPS score, for example, medical practices will have to report on a set of measures for the day-to-day use of their EHR system, with a particular emphasis on increased interoperability and electronic information exchange across the clinical care network and with patients.

Based upon their MIPS performance scores in 2017, physicians can expect to see their payments vary by +/- 4% beginning in 2019.  By 2022 payments will vary by +/- 9%.

To start scoring, start with an SRA

But if physicians are so steeped in figuring out their MIPS categories and measures, and creating reports that they forget to complete an SRA all efforts will have been in vein. Plus failing to perform an SRA will leave a practice noncompliant with HIPAA regulations.  Imagine spending months doing painstaking tax preparation and submitting all the forms to the IRS, then forgetting to sign the documents, rendering the tax returns invalid.  Going through the complex MIPS measuring and reporting process without performing the SRA has similar consequences. 

To start on the path to MACRA and MIPS scoring and increasing reimbursements, medical practices must perform an SRA and identify vulnerabilities in protecting patient information. Here are five key SRA elements to identify and remediate:

Next: Five key elements

1.     Identify and document all patient information repositories. Medical practices often operate under the assumption that all patient information is stored in their EHRs. But it can also reside in emails, Excel spreadsheets, Word documents, PDFs with scanned explanations of benefits, or ultrasounds and MRIs. The SRA should determine exactly where all ePHI (electronic protected health information) is located.

2.     Identify and document potential threats and vulnerabilities for each repository. Make sure backup and disaster recovery procedures are in place, as well as procedures for dealing with lost or stolen laptops, smartphones, and mobile storage devices containing ePHI. 

3.     Train employees and create access policies. Train employees to recognize phishing scams, phone scams, follow rules for accessing public wi-fi, social media posting, and other risky behaviors in order to avoid breaches.  Review employee policies to ensure they access only the patient records they need to perform their jobs.  Make sure that procedures are in place to prevent terminated employees from accessing ePHI. 

4.     Encrypt data. Encrypt patient data to not only protect against attacks but to help alleviate any potential penalties as auditors will consider whether a firm took all reasonable steps to protect the data.

5.     Develop a breach response plan. Have a response plan in case a breach does occur. Specify who will be on the response team, what actions the team will take, and how the practice will prevent another breach from occurring. The SRA will make sure a plan exists and all employees are trained in how to respond.

Invest the time and devote the resources to perform a comprehensive risk assessment or hire a HIPAA security consultant to assist.  Medical practices must achieve HIPAA compliance and ePHI security to begin scoring MACRA points and maximizing reimbursements.

Art Gross is the president and CEO of HIPAA Secure Now!, which provides risk assessment, training and other security services to medical practices. He can be contacted at artg@hipaasecurenow.com.