In MACRA (the Medicare Access and CHIP Reauthorization Act), it looks as though CMS is taking HIPAA compliance to the next level. The agency makes the security risk analysis a lynchpin in one of the primary MIPS measures. MIPS, the new Merit-based Incentive Payment System, incentivizes quality, improvement and advancing care information performance.
If clinicians / physicians are eligible to participate in MIPS, they must conduct a security risk analysis and implement a risk management program or see a decrease in Medicare payment. Some of this may sound familiar, and that’s because it’s much like Meaningful Use.
While ideally MACRA wouldn’t be all that startling, many clinicians simply do not conduct regular HIPAA security risk analyses, nor do they have an ongoing risk management program, which means these are significant changes for many of our providers.
Physicians will have multiple ways to gain financially based on how they score under MIPS, aggregated under the categories of quality, resource use, clinical practice improvement activities and the meaningful use of certified EHR technology.
Scoring will be everything (that’s the MIPS Composite Performance Score). Also, if you haven’t had a recent security risk analysis or a risk management plan that’s implemented, you won’t be doing so hot.
The flip side is, if your Medicare practice is fairly low volume, as in you receive less than $30,000 in Medicare payments or have fewer than 100 Medicare patients, this won’t apply because you’re not eligible to participate. But you’d still do well to step up security best practices and ensure HIPAA compliance.
HIPAA has been the underpinning of how clinicians work since its enactment. Sliding by with minimal effort on an actual privacy and security compliance program will no longer cut it. By tightening the link between payments and quality, efficiencies and security, MACRA will drive the next chapter of care and who’s there to provide it.
Why not start now? Take the opportunity to lay the groundwork to maximize your MIPS CPS as well as your practice revenue. Go ahead and get your HIPAA security risk analysis done now and put the risk mitigation and risk management plan together. Your practice and your bottom line will benefit.
Apgar & Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support health plans, medical practices, dental clinics and hospitals, as well as their business associates. We also help businesses prepare for ISO, SOC II and HITRUST certifications. Call 877-376-1981 for assistance.