October 10, 2017. HIPAA Integrity® commends to your attention the October 6, 2017, Health Data Management article by John Morrissey entitled: “Lack of security risk assessment could trim Medicare payments.”
The Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health and Human Services (HHS) has implemented the Merit-based Incentive Payment System (MIPS), an initiative of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) that is applicable to clinicians participating in Medicare Part B. According to CMS, the Quality Payment Program has two tracks eligible clinicians can choose to participate in:
- Advance Alternative Payment Models (APMs) or
- Merit-based Incentive Payment System (MIPS),
based on “practice size, specialty, location, or patient population. Participation in MIPS, the concern here, provides the participating clinician a “performance-based payment adjustment” to Medicare payments based on “evidence-based and practice-specific quality data.”
MIPS is comprised of four categories with weights of importance in the new program:
- Quality that replaces the Physician Quality Reporting System (PQRS)—60%.
- Advancing Care Information that replaces the Medicare Electronic Health Record (EHR) Incentive Program known as Meaningful Use—25%.
- Improvement Activities that is a new category—15%.
- Cost that replaces the Value-based Modifier—no weight, but calculated from adjudicated claims.
The Advancing Care Information category has 15 measures—five of which are required for a base score—and pertains to participating clinicians who have and use certified electronic health record technology. The five required measures are: e-Prescribing, Provide Patient Access, Request/Accept Summary of Care, Security Risk Analysis, Send a Summary of Care. CMS cautions: “Remember, in order to get credit for advancing care information, you must submit information for the required measures.”
We want to focus now on the Advancing Care Information Objective: Protect Patient Health Information and the Security Risk Analysis Measure:
“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.”
The Code of Federal Regulations (CFR) citations in the Measure refer to provisions of the HIPAA Security Rule.
Under MIPS, the initial performance period is 2017: January 1-December 31, with start of collection of performance data exercised before October 2, 2017. Performance data for 2017—either full year or a 90-day period—must be submitted to CMS by March 31, 2018. In 2018, CMS provides feedback about performance based on an evaluation of submitted data. A positive MIPS payment adjustment for 2019 would be based on the results and start on January 1 of that year. For more information, visit the “What’s the Quality Payment Program?” and see the section: “Pick Your Pace in MIPS” to determine types of payment adjustments based on the type of data submitted.
The important point that the Morrissey article makes and that HIPAA Integrity® wants to reinforce is that failure to provide evidence of having conducted a risk assessment not only can impair receipt of Medicare payments under MIPS, but also subject your organization to significant financial penalties under the HIPAA Security Rule that range, for willful neglect—not corrected violations, to a mandatory range of $55,910-$1,677,299 per violation. HIPAA Integrity® not only provides a risk analysis template in plain language for self-assessment of vulnerabilities and threats to protected health information that your organization creates, receives, maintains, or transmits, but also a concordance between HIPAA Security Rule standards and implementation specifications and MIPS Security Risk Analysis Measure criteria pertaining to certified electronic health record (EHR) technology.