MACRA, MIPS AND THE SECURITY RISK ANALYSIS — WHAT YOU NEED TO KNOW

It’s finally the time of the year when practices start to focus on the MACRA/MIPS program, and SkyPort IT is prepared to help.

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) is bipartisan legislation that streamlines multiple quality programs under the new Merit Based Incentive Payments System (MIPS). Every year the program changes, and this year is no exception. Scores from 2019 will affect Medicare payments in 2021. The penalties are higher this year, and the importance of the Security Risk Analysis (SRA) has been heightened. All MACRA/MIPS eligible providers should make sure they have a properly formed SRA in order to support their MACRA/MIPS attestations.

Let’s take a look at how the program has changed for the SRA, which helps measure the impact of threats and vulnerabilities that pose a risk to ePHI. For a refresher on last year’s requirements, read more here. In a nutshell, the HIPAA Security Risk Analysis was required in order to receive 50% credit for the Promoting Interoperability performance category of the MACRA/MIPS program, which in itself was 25% of the overall score.

This year, the SRA requirement stays in effect, but how it affects the MACRA/MIPS score has changed significantly.  

In addition to submitting clinical measures, providers must submit a “yes” to the following questions in order to proceed. A “no” answer to any of the following questions prohibits the provider from proceeding in the Performance Improvement category:

  • The Prevention of Information Blocking Attestation;
  • The Office of the National Coordinator for Health Information Technology (ONC) Direct Review Attestation; and
  • The Security Risk Analysis measure.

So, what does this mean? Without being able to attest YES to performing the SRA, you cannot move on in this category, and you will automatically lose 25 points. With the changes in the thresholds for 2019, this means you will be automatically ineligible for the exceptional performer’s bonus on your Medicare reimbursements in 2021. You will be hard pressed not to lose money due to starting 25 points behind.  The MACRA/MIPS adjustment for 2021 is +/- 7%, so providers can be facing a significant loss of revenue if they do not perform well on MACRA/MIPS.

What does it really mean to attest YES to the SRA measure?  Here is the measure: 

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with the requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.” Make sure that you can, in good faith, defend that you have met the requirements of the measure.

In addition, the Centers for Medicare & Medicaid Services (CMS) has announced that it has contracted with a vendor for MACRA/MIPS auditing. Every practice should assume they are going to be audited, and must have their documentation in order. The number of audits is expected to rise. An adverse result in an audit can result in money being confiscated retrospectively. CMS has contracted with Guidehouse, a consulting company formerly part of the PwC (Price Waterhouse) network, to perform the validation and audits on a number of MIPS eligible clinicians and groups. Selected providers will receive a request for information directly from Guidehouse via email or by certified mail. Once received, providers have 45 calendar days from the date of the notice to provide the requested information. To comply with the validation and audit, clinicians and groups will send data that supports their MIPS participation.

One last thing to think about: MACRA/MIPS scores are publicly available. This means that third-party companies can access this data and put it on their websites. Many physician offices with high scores will publish them in order to set the expectation that their physicians are of higher quality than those with low or no scores. Of course, we know that this is not the case, but the general public does not. So low scores on MACRA/MIPS may hurt your reputation at the margin, and can affect your practice’s ability to attract new patients.

If you’re in need of assistance with completing the SRA, SkyPort IT offers a service called HIPAA Secure Now! that will provide you with the tools, information and training necessary to comply with the HIPAA Security Rule. 
