
MACRA/MIPS and the Annual Security Risk Assessment!

How does MACRA/MIPS affect your practice? 

As a healthcare provider, you should be familiar with the Merit-based Incentive Payment System (MIPS), which became effective January 1, 2017. This new payment system moves away from the previous fee-for-service model to a performance-based payment adjustment. Instead of simply receiving a payment from Medicare and Medicaid for providing a service, your payments are linked to patient outcomes and the quality of care provided. As we enter 2019, your reporting from 2017 could provide you with a bonus payment.


MACRA is a piece of legislation that changes Medicare reimbursement to a quality-, value- and accountability-based model. MACRA combines the Physician Quality Reporting System (PQRS), the Value-based Payment Modifier (VBM), and the Medicare Electronic Health Record (EHR) Incentive Program into one single program known as MIPS. The MIPS program determines Medicare payment adjustments on a scoring system that increasingly weights resource use. The four categories that determine reimbursement are:

  • 45% for quality (PQRS/VBM)
  • 25% for Promoting Interoperability
  • 15% for clinical practice improvement
  • 10% for cost

Eligible practices are encouraged to participate in this new payment system in order to avoid negative payment adjustments. You may be exempt from this program if you qualify for Advanced Alternative Payment Models (APMs). The program combines the previous pay-for-performance programs, including Meaningful Use, the Value-based Payment Modifier and the Physician Quality Reporting System (PQRS).

You are not eligible for MIPS if:
  • You are in your first year of Medicare Part B participation.
  • Your practice falls below the low patient volume threshold: Medicare billing charges less than or equal to $90,000, or care provided to 200 or fewer Medicare patients annually, or 200 or fewer covered services provided.

Annual Security Risk Assessment requirement

As a healthcare organization and a covered entity under HIPAA, conducting an annual Security Risk Analysis is a best practice. By conducting annual Security Risk Assessments you can receive larger reimbursements for your Medicare billing under MACRA/MIPS. To comply with MIPS requirements, an attestation for the security risk assessment and proof of compliance are required. This security risk assessment must include all devices (including medical devices), connecting interfaces, and other systems involved in creating, storing, transmitting, and receiving patient data. You must file an Evidence of Compliance report and keep it on file for 6 years in order to meet the MIPS compliance requirement. This report must include dates, user and computer information, and other source material to support your compliance activities.

What are the consequences? If you do not conduct and properly document your Security Risk Assessment and a remediation plan for the risks identified, it'll cost you! Aside from not receiving a reimbursement at all, you may receive a poor overall MIPS score.

Learn how to conduct a Medical Device Security Risk Assessment at our next HIPAA Happenings!

View the recorded replay of the Medical Device Risk Assessments webinar 

Who should conduct your Security Risk Assessment?

For those of you who are eligible, you may be wondering whether you can conduct your own risk assessment, or what the best steps are for fulfilling this requirement. While there are tools available to you, such as the self-assessment tool provided by the Office for Civil Rights and the NIST platform, you may not have the staff, knowledge or resources to complete this process. These tools can be difficult to use without prior experience and may result in an incomplete analysis. You may also be interested to know that third-party assessments are seen as more reliable than self-assessments, since they are performed by an unbiased party.



How do you implement a value-based care model? 

MIPS is a major legislative change introduced under the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). You provide valuable care to your patients, so how can you align with this value-based care model? Begin by selecting a tool to identify your target patient population. Your existing Electronic Health Records (EHR) system can probably assist with this process, and analytic software is available to assist as well.

Target populations will have certain care patterns and insurance coverage. Use this information to estimate which services will change. Consider how you will allocate staff to support this model, and the roles and responsibilities of each doctor and their team under it. Your current team may need to be reallocated to meet the needs of this new patient care model. Consider how frequently you will need to coordinate communication with target patients, and the appropriate visit schedule to attain the new patient care goals.

You can offset the costs associated with this new care model by eliminating other costs. This may involve partnering with local hospitals, practices or urgent care centers to offer better transitional care to your patients. By meeting patient needs through this more efficient model, the cost of care per patient should go down.



24By7Security, Inc. is a premier national cybersecurity and compliance consulting firm. We are cybersecurity and compliance specialists with extensive hands-on experience helping businesses build a defensive IT infrastructure against cyber security threats.
