Want to Score with MACRA? Perform a HIPAA Risk Assessment

Art Gross

Why MACRA and HIPAA go hand-in-hand: tips from a pro.

Editor's Note: With so many health policy and reimbursement changes likely under a new administration in Washington, physicians may be wondering how HIPAA fits in. We asked Art Gross, CEO of a HIPAA risk assessment company, for his thoughts.

Congress may be poised to roll back the Affordable Care Act, but HIPAA and MACRA, the Centers for Medicare & Medicaid Services' (CMS) new model for reimbursement, are as certain to remain as death and taxes. Moreover, MACRA and HIPAA go hand in hand. Physicians cannot participate in MACRA, which went into effect on January 1, 2017, without performing a security risk assessment (SRA), the risk analysis the HIPAA Security Rule already requires, and making sure patient health information is protected. Even a physician who is not participating in MACRA must still comply with HIPAA, and the SRA is a legal requirement under it.

MACRA is one of those rare laws that passed with bipartisan support in Congress, which makes it likely to continue under the current administration. Under MACRA, Medicare reimbursement is tied directly to the Triple Aim of better care, lower costs and improved health, all in an effort to move to value-based care.

Fees and reimbursements paid to physicians will be scored on performance and quality-of-care metrics using the Merit-based Incentive Payment System (MIPS). For example, 25% of the 2017 MIPS score comes from the Advancing Care Information category: medical practices must use a certified EHR system and report a set of measures that show how it is used in their day-to-day practice, with particular emphasis on interoperability between their EHR and electronic information exchange with patients.

Based on their 2017 MACRA performance scores, physicians can expect their payments to vary by +/- 4% beginning in 2019. The range widens each year until, by 2022, payments will vary by +/- 9%.

Before medical practices can score in MIPS they will need to show that patient health information contained in their EHR and elsewhere in their practice is protected by performing a security risk assessment (SRA). Failure to attest to the SRA, or to protect ePHI (electronic protected health information) with the proper IT security controls, results in a score of zero for the entire EHR-use category, which could have a material impact on the MACRA fee adjustment and on overall Medicare reimbursement.

Yet many medical practices do a “check the box” SRA and never take the actual steps to prevent a security breach. It is not uncommon for a practice to have patient information scattered across its network without knowing which servers, file shares, laptops and mobile devices hold it.

To start on the path to MACRA and MIPS scoring and increased reimbursements, medical practices must perform an SRA and identify the gaps in how patient information is protected. Here are the key elements for identifying and closing ePHI security gaps:

1-Identify and document all ePHI repositories

Medical practices often operate under the assumption that all patient data is stored in their EHR. But patient information can also reside in email, Excel spreadsheets, Word documents, scanned explanations of benefits saved as PDFs, or even ultrasound and MRI images. The SRA should determine exactly where all ePHI is stored, including copies on backups, removable media and personally owned devices.

2- Identify and document potential threats and vulnerabilities for each repository

For each repository, list what could go wrong (ransomware, hardware failure, theft or loss of a device, an email sent to the wrong recipient) and which safeguard is missing or untested. Make sure backup and disaster recovery procedures are in place and have been proven with an actual restore, as well as procedures for dealing with lost or stolen laptops containing ePHI.

3-Train employees and create access policies

Train employees to recognize phishing and phone scams, and to follow the practice's rules on public Wi-Fi, social media posting and other risky behaviors, in order to avoid breaches. Review access policies to ensure employees can see only the patient records they need to do their jobs. Make sure procedures are in place to cut off a terminated employee's access to ePHI on the day of departure.

4-Encrypt data

Encrypt patient data at rest on servers, laptops and mobile devices, and in transit over email and networks. Encryption not only protects against attacks: under the HIPAA Breach Notification Rule, the loss of data encrypted in line with HHS guidance is not a reportable breach, and regulators deciding on penalties will take into account whether a practice took all reasonable steps to protect the data.

5-Determine the likelihood of a threat

Once the location of patient information is determined and potential vulnerabilities are identified, rank the probability of an actual breach for each as high, medium or low. An unprotected ground-floor office, for instance, is more likely to be broken into than one in a high-rise with round-the-clock security. On the other hand, employees lose cell phones and other devices containing patient information all the time, so that threat might be ranked “highly likely.” Weigh likelihood against impact, such as how much ePHI a repository holds, to decide which gaps to close first.

6-Develop a breach response plan

Have a response plan in case a breach does occur. Specify who will be on the response team, what actions the team will take to contain and investigate the breach, how the practice will meet its notification obligations, and how it will prevent another breach from occurring. The SRA should confirm that such a plan exists and that all employees are trained in how to respond.
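Step 1 above, finding ePHI that lives outside the EHR, is the part of the SRA most practices skip because it is tedious by hand. The following is an added example (it is not the author's code or a product of HIPAA Secure Now!) of a small discovery scan that walks a file share and flags files containing common ePHI indicators. The SSN and date-of-birth patterns are standard formats; the "MRN-" medical record number prefix is an assumed convention for this example and would be replaced with the practice's own numbering scheme. The sample share it scans is constructed inline so the script runs offline.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators that commonly mark ePHI outside the EHR. SSN and DOB formats are
# standard; the "MRN-" prefix is an assumed example convention, not a real standard.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b",
                    re.IGNORECASE)
MRN_RE = re.compile(r"\bMRN[-:\s]?\d{6,10}\b")

# Plain-text formats only; a production scan would also open DOCX/XLSX/PDF
# (python-docx, openpyxl, pdfminer) since that is where most stray ePHI hides.
SCAN_EXTENSIONS = {".txt", ".csv", ".log", ".eml", ".md"}


def looks_like_ssn(match):
    """Reject SSN-shaped numbers the SSA never issues, to cut false positives:
    area 000, 666 or 900-999; group 00; serial 0000."""
    area, group, serial = match.groups()
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def scan_text(text):
    """Return a Counter of ePHI indicators found in one document's text."""
    hits = Counter()
    hits["ssn"] = sum(1 for m in SSN_RE.finditer(text) if looks_like_ssn(m))
    hits["dob"] = len(DOB_RE.findall(text))
    hits["mrn"] = len(MRN_RE.findall(text))
    return hits


def scan_tree(root):
    """Walk a directory tree and return {relative_path: Counter} for every file
    holding at least one indicator. This is the raw material for the ePHI
    repository inventory that step 1 of the SRA asks for."""
    inventory = {}
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, but a real scan should log it
        hits = scan_text(text)
        if sum(hits.values()) > 0:
            inventory[path.relative_to(root).as_posix()] = hits
    return inventory


def build_sample_share():
    """Constructed sample file share (no real patient data) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="phi-scan-")
    files = {
        "billing/eob_2016.csv": "patient,ssn,amount\nJ. Doe,123-45-6789,250.00\nA. Roe,456-78-9012,80.00\n",
        "front-desk/notes.txt": "Call back re: MRN-00123456, DOB: 04/12/1970\n",
        "it/invoice_template.txt": "Invoice number 000-12-3456 (not an SSN), net 30\n",
        "marketing/newsletter.md": "Flu shots available Tuesday!\n",
    }
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, hits in sorted(scan_tree(share).items()):
        print(f"{rel}: {dict(hits)}")
```

Run against the constructed share, the scan reports the billing spreadsheet (two SSNs) and the front-desk note (one MRN, one DOB) and stays quiet on the invoice template, whose 000-prefixed number is not a valid SSN. Each flagged path becomes a row in the repository inventory, which is then the unit that steps 2 and 5 assess for threats and likelihood.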

Invest the time and devote the resources to perform a comprehensive risk assessment, or hire a HIPAA expert to assist. Medical practices must achieve HIPAA compliance and patient data security before they can begin scoring MACRA points and maximizing reimbursement.

Art Gross is the president and CEO of HIPAA Secure Now!, which provides risk assessment, training and other security services to medical practices. He can be contacted at artg@hipaasecurenow.com.