Start MACRA reporting with a HIPAA risk assessment, or don’t start at all
Buried deep inside MACRA (Medicare Access and CHIP Reauthorization Act) lies a key requirement for eligibility—the security risk assessment (SRA). If ignored it could undo the Herculean effort taken by physicians to reach high scores and maximize Medicare reimbursements, under the new Medicare payment reform plan.
MACRA establishes a framework to reward physicians for providing higher quality care at lower costs and improving health outcomes for patients—a switch from fee for services to the value-based care model. One pathway to higher reimbursement is the Merit-based Incentive Payment System (MIPS).
Using MIPS calculations, clinicians are scored on performance and quality measures, costs, use of electronic health records, and improvement activities like patient safety and care coordination. Higher scores equal higher reimbursements. For the first year, physicians will have to decide which measures they’ll report on, with measures increasing year by year.
To achieve 25% of the MIPS score, for example, medical practices will have to report on a set of measures for the day-to-day use of their EHR system, with a particular emphasis on increased interoperability and electronic information exchange across the clinical care network and with patients.
Based upon their MIPS performance scores in 2017, physicians can expect to see their payments vary by +/- 4% beginning in 2019. By 2022 payments will vary by +/- 9%.
To start scoring, start with an SRA
But if physicians are so steeped in figuring out their MIPS categories and measures, and creating reports that they forget to complete an SRA all efforts will have been in vein. Plus failing to perform an SRA will leave a practice noncompliant with HIPAA regulations. Imagine spending months doing painstaking tax preparation and submitting all the forms to the IRS, then forgetting to sign the documents, rendering the tax returns invalid. Going through the complex MIPS measuring and reporting process without performing the SRA has similar consequences.
To start on the path to MACRA and MIPS scoring and increasing reimbursements, medical practices must perform an SRA and identify vulnerabilities in protecting patient information. Here are five key SRA elements to identify and remediate: