As we move into the second half of the year, many practices and physicians are starting to consider the data they will need to submit under the MACRA/MIPS program. The MACRA/MIPS rules change slightly every year, and this year is no exception. Even though the rules have been adjusted, a basic requirement remains in place:
You will need to perform a HIPAA Security Risk Analysis in order to maximize your MIPS score and avoid negative Medicare payment adjustments.
Interested in a further explanation? See below:
Your 2018 MIPS score is divided into four categories:
- Promoting Interoperability replaces Advancing Care Information from last year, and it remains the category that involves the HIPAA Security Risk Analysis.
- Promoting Interoperability has a base score, a performance score, and a bonus score.
- The base score is 50% of the overall Promoting Interoperability score.
- There are several base score measures that are required. One of them is the requirement to perform a HIPAA Security Risk Analysis. You’ll need to meet the requirements of all the base score measures in order to receive the 50% base score. If these requirements are not met, you will get a 0 for the overall Promoting Interoperability performance category score.
Conclusion: Not performing an SRA gets a zero-base score, a zero-performance score and a very low overall Promoting Interoperability score. This represents 25% of your total MIPS score. Best practice would dictate that you have a Security Risk Analysis performed and dated in 2018. Of course, performing a Security Risk Analysis is always required for HIPAA compliance, regardless of whether a practice receives reimbursement from Medicare.