CMS Proposed MIPS/MACRA Would Have Little Impact on Privacy & Security

May 2, 2016 David Holtzman

The Centers for Medicare & Medicaid Services (CMS) is proposing changes to how the Medicare program provides incentives and bonuses that could be paid to physicians and other clinicians beginning in 2017. The changes are being proposed to implement mandates set by Congress in the 2015 legislation known as the “Doc Fix,” which eliminated the annual Medicare Sustained Growth Rate (SGR) payment adjustments and sunset financial penalties for clinicians not meeting Meaningful Use requirements after 2018. The publication of the MIPS/MACRA proposed rule on May 9, 2016, in the Federal Register will start the customary 60-day public comment period, which would be scheduled to end July 8th.

The main thrust of the proposed rule is to revamp how clinicians who treat Medicare beneficiaries are paid, moving away from the fee-for-service system, which rewards the volume of services provided, toward other payment models that incentivize quality of patient care, measuring outcomes and information sharing enabled through health IT. The MIPS/MACRA proposed rule will largely end the Meaningful Use EHR Incentive Program for eligible providers by folding the incentives (but not the penalties) for using certified electronic health record systems into the Merit-based Incentive Payment System. The proposed rule does not change how hospitals participate in the Meaningful Use program or their measures and objectives.

The MIPS/MACRA proposed rule will score clinicians on a number of metrics on how they use their EHR. The proposed rulemaking would carry over the current privacy and security objectives for Eligible Providers. As in Meaningful Use, MIPS/MACRA would require participants to attest that they are performing an information security risk assessment on their CEHRT, including encryption of data, and that they have a risk management plan to correct deficiencies in safeguards for e-PHI identified in the risk assessment. CMS expects organizations participating in MIPS/MACRA to adopt what is equivalent to the Meaningful Use Stage 3 standards in 2018, using EHRs that are certified to ONC’s 2015 Edition standards. For 2017, providers and hospitals could continue to meet the equivalent of Meaningful Use Stage 2+ using an EHR certified to the 2014 or 2015 CEHRT standards.

There will be minor adjustments for clinicians fulfilling MIPS requirements. For example, Meaningful Use Stage 3 requires that five percent of patients view, download and transmit their records in 2017, a number that jumps to 10 percent in 2018. But under MIPS, doctors only have to have a single patient hit the measure to get some credit.

Hospital-based physicians will see changes in how the privacy and security requirements are scored for purposes of incentives and bonuses under MIPS/MACRA. CMS has taken the position that hospital-based MIPS-eligible clinicians may not have control over the decisions that the hospital makes regarding the use of health IT and certified EHR technology. These MIPS-eligible clinicians therefore may have no control over the type of certified EHR technology available, the way that the technology is implemented and used, or whether the hospital continually invests in the technology to ensure it is compliant with ONC certification criteria. Further, the requirement to conduct a security risk analysis would rely on the actions of the hospital, rather than the actions of the MIPS-eligible clinician, as the hospital controls the access, availability and secure implementation of the EHR technology.

The MIPS/MACRA proposed rule does not signal an expectation of significant new attention to privacy or security of e-PHI. The CMS proposal makes no changes for hospitals participating in the Meaningful Use Program. This proposed rule faces an uncertain future because of the many controversial changes it makes in how physicians and other clinicians would be paid, as well as the timing of the proposal so close to the end of the current administration. We will monitor the progress of this proposed rule and what the final form will look like if it is adopted.
