Holy MACRA! – Being HIPAA Compliant is Part of How Physicians get Paid

On April 27, CMS came out with a proposed rule on how physicians will get paid under MACRA (the Medicare Access and CHIP Reauthorization Act). If you want to read the whole 962-page document, you can find it here (PDF). But sleep or not, this regulation changes the fundamental Fee-For-Service (FFS) system that CMS has used since Medicare’s enactment in 1966. The new system is premised on tying physician payments to quality and value, and is directly related to the Triple Aim of providing better care, lower costs, and improved health.

One of the biggest revelations that the new legislation highlights is the necessity of HIPAA compliance and proactive readiness on the part of the healthcare provider in order to avoid penalties in the payment adjustments:

HIPAA is not optional in MACRA
We are not here to give you the complete lowdown on MACRA. There are lots of other resources for that. However, we do want to emphasize one very important point: the role of HIPAA compliance. As indicated above, MACRA changes the way physicians will be paid. No longer will they be paid for just providing services (FFS).

Rather, there is a very complicated formula called the MIPS Composite Performance Score (CPS) that will be used to determine adjustments to a physician’s Medicare payment. These adjustments can be as high as ±9% by 2022. (By the way, in order to amplify the effect of MACRA, CMS is explicitly encouraging private payers (PDF) to implement similar programs.) In order to receive a substantial portion of the MIPS CPS and maximize revenue opportunity, each provider will have to have performed a HIPAA Security Risk Analysis (SRA) within their practice. It is important to understand that since the SRA is for the practice, it can be used for all physicians within the practice.

Here is a quote from the MACRA Rule:

“We would require the MIPS eligible clinician to meet the requirement to protect patient health information created or maintained by certified EHR technology to earn any score within the advancing care information performance category; failure to do so would result in a base score of zero, a performance score of zero, and an advancing care information performance category score of zero.”

Furthermore, the document also states:

“As privacy and security is of paramount importance and applicable across all objectives, the Protect Patient Health Information objective and measure would be an overarching requirement for the base score”.

Maximize payments

Clearly there is some MACRA/MIPS-specific language in those quotes. Don’t get hung up on these terms. What is important is the role of HIPAA compliance: perform a HIPAA Security Risk Analysis and you are in a position to maximize your MIPS CPS and your revenue. Don’t perform the Risk Analysis, and be prepared to take a hit on your payments.

For questions on scheduling your next HIPAA Security Risk Assessment, please contact the CRHC Consortium Team at pyount@coruralhealth.org
