MACRA MIPS Advancing Care Information

MACRA MIPS Advancing Care Information I started this article and previous seminars by referring to MACRA as Medicare’s new payment system. However, that concept is incorrect and an oversimplification of MACRA.  MACRA stands for “Medicare Access and CHIP Reauthorization Act” and while the same will affect how Providers will get paid it is not necessarily a payment system.  Medicare considers MACRA a Quality Program and refers to MACRA as their Quality Payment Program.  At this point in time I feel comfortable writing that MACRA is a data collection initiative from Medicare that uses a bonus program as an incentive to get Providers to participate. Using the data collection and bonus as a starting point is easy to visualize two separate possibilities for participation which Medicare refers to them as tracks. One of these tracks requires the participant to submit data and assume risks as it relates to patient’s behavior and outcomes. This first track is known as the Advanced Alternative Payment Model (APM). The other track is the Merit Based Incentive Payment System (MIPS) which is where most Providers will fall under. MIPS is also divided into four additional categories, most of which resemble, a current program which these categories will be replacing.  For example, Advancing Care Information is similar to the Electronic Health Record Incentive program with its corresponding Meaningful Use Measures and attestation requirements. For example, as part of MIPS and the Advancing Care Information category Providers are required to complete a HIPAA Security Risk Assessment (SRA). This is where things start to get interesting as the guidance requires Providers that decide to participate to submit data for 90 consecutive days. Based on that simple statement, our experience with HITECH audits and discussions we have been having in the field we have come with a set of questions:

• Does the SRA needs to be conducted within the 90-day data collection period?
• Will a SRA outside of these parameters be considered acceptable?

Our opinion is that conducting an SRA before or during the data collection period is a defensible position as the SRA is designed to measure vulnerabilities and actions to take. At the same time, an SRA outside of the data collection period is questionable as not all measures were met within the given time frame. We don’t know which position Government auditors will take but when in doubt always play safe. This basically means that we recommend Providers interested in participating in the “Quality Payment Program” to complete a Security Risk Assessment as early as possible in the year. Another detail that may have been overlooked by many is the data collection period itself. Officially MACRA started Jan 1, 2017. Providers do not have to participate but failure to do so will result in a negative adjustment in their reimbursements. Simplifying the options provided by Medicare we need to consider that at the latest, Providers must start their data collection by October 2, 2017 or they will never be able to get the data for the required 90-day consecutive days. There is quite a lot more to do as it regards MACRA but at the very least consider these two key pieces of information:

• Conduct a Security Risk Assessment as soon as Possible
• Start data collection efforts prior to October 2, 2017