Being HIPAA compliant is part of how physicians get paid
Thursday, May 12, 2016
Posted by: DCMS
On April 27, CMS came out with a proposed rule on how physicians will get paid under MACRA (the Medicare Access and CHIP Reauthorization Act). If you want to read the whole 962 page snoozefest, you can find it here (PDF). But sleep or not, this regulation changes the fundamental Fee-For-Service (FFS) system that CMS has used since Medicare’s enactment in 1966. The new system is premised on tying physician payments to quality and value, and is directly related to the Triple Aim of providing better care, lower costs, and improved health.
Open for comments
Like all proposed rules, there is a 60 day comment period, and we fully expect an army of criticism from lobbyists, vendors and a whole host of other interested parties. Based on the comments, a final rule will be published, most probably in the fall. The final rule will be imperfect and controversial. It will be despised by many. But don’t expect MACRA to be repealed. According to Anne Phelps of Deloitte & Touche,
MACRA is the rare health care law that was passed with overwhelming bipartisan support and continues to enjoy strong support from Republicans and Democrats in Congress. This all but ensures its continued implementation, regardless of the outcome of the November elections”.
Who can blame Congress, with health care costs spiraling out of control, something has to be done. So once it comes out, all affected parties should remember the saying “if you can’t beat’em, join’em”.
HIPAA is not optional in MACRA
We are not here to give you the complete lowdown on MACRA. There are lots of other resources for that. However, we do want to emphasize one very important point: the role of HIPAA compliance. As indicated above, MACRA changes the way physicians will be paid. No longer will they be paid for just providing services (FFS). Rather, there is a very complicated formula called the MIPS Composite Performance Score (CPS) that will be used to determine adjustments to a physician’s Medicare payment. These adjustments can be as high as +-9% by 2022 (By the way, in order to amplify the effect of MACRA, CMS is explicitly encouraging private payers (PDF) to implement similar programs). In order to receive a substantial portion of the MIPS CPS and maximize revenue opportunity, each provider will have to have performed a HIPAA Security Risk Analysis (SRA) within their practice. It is important to understand that since the SRA is for the practice, it can be used for all physicians within the practice. Here is a quote from the MACRA Rule:
“We would require the MIPS eligible clinician to meet the requirement to protect patient health information created or maintained by certified EHR technology to earn any score within the advancing care information performance category; failure to do so would result in a base score of zero, a performance score of zero, and an advancing care information performance category score of zero.”
Furthermore, the document also states
“As privacy and security is of paramount importance and applicable across all objectives, the Protect Patient Health Information objective and measure would be an overarching requirement for the base score”.
Clearly there is some MACRA/MIPS specific language in those quotes. Don’t get hung up on these terms. What is important is the role of HIPAA compliance: perform a HIPAA Security Risk Analysis and you are in position to maximize your MIPS CPS and your revenue. Don’t perform the Risk Analysis, and be prepared to take a hit on your payments.
This article was written by Jonathan Krasner, Director of Business Development at HIPAA Secure Now!