All healthcare providers that accept Medicare or Medicaid patients have heard of MACRA (Medicare Access and CHIP Reauthorization Act), a reward-based financial reimbursement program for providers that deliver a higher quality of care and increased positive patient health outcomes at lower costs. That’s where MIPS (the Merit-based Incentive Payment System) comes in, along with our best tip for earning the points you need to get a full reimbursement.
MIPS has four connected pillars that affect how you will be paid by Medicare – Quality, Clinical Practice Improvement Activities (referred to as “Improvement Activities”), Certified EHR Technology (referred to as “Advancing Care Information”), and Resource Use (referred to as “Cost”). This structure was deliberately created to ensure that clinicians have flexibility to focus on the measures that are most relevant to them and their practices. To receive the 50 percent base score in Advancing Care Information, MIPS-eligible clinicians must be able to say that they have completed the Security Risk Analysis (SRA) measure.
What many providers don’t realize, however, is that BOTH the technology AND non-technology elements need to be reviewed in a true SRA. This includes cybersecurity setup and management as well as facility policy/procedures of the healthcare provider.
A True SRA
Consequently, there is still some confusion in the provider community on what exactly constitutes a thorough Security Risk Analysis. A true HIPAA-required risk analysis includes a risk assessment of Patient Healthcare Information (PHI), review of facility policies and procedures, employee interviews for a HIPAA-HITECH audit, a thorough analysis of operational threats, and more.
In the Advancing Care Information score, clinicians must submit a yes or no response to the question about conducting an SRA. If you were to answer “no” to the security risk assessment question, you would get a zero for that objective and would not earn any points for Advancing Care Information. As a reminder, if you do not fulfill the base score, you will not be able to earn a performance score or a bonus score.
Learn more about our required Security Risk Assessments for MACRA and MIPS in our upcoming Webinar: The Key to Healthcare Risk Management.