CMS Proposed MIPS/MACRA Would Have Little Impact on Privacy & Security

May 2, 2016 David Holtzman

The Centers for Medicare & Medicaid Services (CMS) is proposing changes to how the Medicare program provides incentives and bonuses that could be paid to physicians and other clinicians beginning in 2017. The changes are being proposed to implement mandates set by Congress in the 2015 legislation known as the “Doc Fix,” which eliminated the annual Medicare Sustainable Growth Rate (SGR) payment adjustments and sunset the financial penalties for clinicians not meeting Meaningful Use requirements after 2018. Publication of the MIPS/MACRA proposed rule in the Federal Register on May 9, 2016, will start the customary 60-day public comment period, which would be scheduled to end July 8th.

The main thrust of the proposed rule is to revamp how clinicians that treat Medicare beneficiaries are paid, moving away from the fee-for-service system that rewards the volume of services provided to other payment models that incentivize quality of patient care, measuring outcomes and information sharing enabled through health IT. The MIPS/MACRA proposed rule will largely end the Meaningful Use EHR Incentive Program for eligible providers by folding the incentives (but not the penalties) for using certified electronic health record systems into the Merit-based Incentive Payment System. The proposed rule does not change how hospitals participate in the Meaningful Use program or their measures and objectives.

The MIPS/MACRA proposed rule will score clinicians on a number of metrics covering how they use their EHR. The proposed rulemaking would carry over the current privacy and security objectives for Eligible Providers. As in Meaningful Use, MIPS/MACRA would require participants to attest that they are performing an information security risk assessment on their CEHRT (including the encryption of data) and that they have a risk management plan to correct any deficiencies in safeguards for e-PHI identified in the risk assessment. CMS expects organizations participating in MIPS/MACRA to adopt the equivalent of the Meaningful Use Stage 3 standards in 2018, using EHRs that are certified to ONC’s 2015 Edition standards. For 2017, providers and hospitals could continue to meet the equivalent of Meaningful Use Stage 2+ using an EHR certified to the 2014 or 2015 CEHRT standards.

There will be minor adjustments for clinicians fulfilling MIPS requirements. For example, Meaningful Use Stage 3 requires that five percent of patients view, download and transmit their records in 2017, a number that jumps to 10 percent in 2018. Under MIPS, however, doctors need only a single patient to hit the measure to get some credit.

Hospital-based physicians will see changes in how the privacy and security requirements are scored for purposes of incentive and bonuses under MIPS/MACRA. CMS has taken the position that hospital-based MIPS eligible clinicians may not have control over the decisions that the hospital makes regarding the use of health IT and certified EHR technology. These MIPS-eligible clinicians therefore may have no control over the type of certified EHR technology available, the way that the technology is implemented and used, or whether the hospital continually invests in the technology to ensure it is compliant with ONC certification criteria. Further, the requirement to conduct a security risk analysis would rely on the actions of the hospital, rather than the actions of the MIPS-eligible clinician, as the hospital controls the access and availability and secure implementation of the EHR technology.

The MIPS/MACRA proposed rule does not signal an expectation of significant new attention to privacy or security of e-PHI. The CMS proposal makes no changes for hospitals participating in the Meaningful Use Program. This proposed rule faces an uncertain future because of the many controversial changes it makes in how physicians and other clinicians would be paid as well as the timing of the proposal so close to the end of the current administration. We will monitor the progress of this proposed rule and what the final form will look like if it is adopted.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule with health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup” and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
