Medicare & MACRA/MIPS

The post says MIPS eligible clinicians, groups, virtual groups, and Qualifying Providers could request reweighting of one or more MIPS performance categories to 0% because of COVID-19. It describes both the Extreme and Uncontrollable Circumstances application and the Promoting Interoperability hardship application. Applicants were not required to submit supporting documentation with the application, but had to retain it for possible CMS data validation or audit.

Advancing Care Information was a MACRA category that replaced much of the Meaningful Use attestation structure with a score-based approach. It included base, performance, and bonus score areas, with measures such as protecting patient information, e-prescribing, patient access, summary of care exchange, and registry reporting. The post links the Protect Patient Information measure to completing a HIPAA Security Risk Assessment annually.

The post recommends an analytical approach instead of panic: identify required tasks, determine the practice's current position, decide what can be done, make a plan, and implement it on time. It also recommends confirming whether MACRA applies, using a qualified EHR, completing a HIPAA Security Assessment, reviewing quality measures, fulfilling Advancing Care Information base measures, and reporting data on time.

Effective January 1, 2021, CMS changed Evaluation and Management coding and documentation requirements. The post says new patient coding was limited to four levels, established patient coding remained at five levels, time requirements were revised, and history and exam documentation depended on medical need. Visit level selection could be based on time or medical decision making, supported by clear and consistent documentation.

The post describes Direct Contracting as three voluntary CMS payment model options intended to reduce expenditures while preserving or improving quality for Medicare fee-for-service beneficiaries. Direct Contracting Entities may be standard, new entrant, or high-needs population organizations. The author's interpretation is that these models pay a fixed monthly amount per patient and shift more responsibility for cost of care to primary care providers, making due diligence essential before signing agreements.

CMS extended the 2019 MIPS data submission deadline from March 31, 2020 to April 30, 2020. MIPS eligible clinicians who did not submit data by the new deadline qualified automatically for the extreme and uncontrollable circumstances policy and received a neutral 2021 payment adjustment. Clinicians who submitted data by April 30 were scored and received a payment adjustment based on that submission.

The post describes CMS programs as starting with incentives, moving to payment reductions for nonparticipation, and then exposing participants to audits, fines, and penalties if they attested but did not comply. Examples include e-prescribing, Meaningful Use, PQRS, Value-Based Purchasing, and HIPAA enforcement. The author warns that providers trying to comply may still face major penalties if documentation and security obligations are not met.

The post summarizes remarks from CMS Administrator Seema Verma that emphasized value-based care, tracking improvements in quality, accountability for cost and quality, and coordinated preventive care. It predicts movement from fee-for-service toward capitation or fixed monthly payments with risk sharing. The author also notes potential Stark Law changes, greater outcome tracking, and more aggressive chronic condition management.

The post says practices were facing higher patient deductibles, lower reimbursement, rising overhead, new legislation, technology requirements, and ICD-10 pressure. Some colleagues were moving toward concierge medicine, diversification, or higher patient volume. The author favors a hybrid approach based on location, specialty, and demographics, combined with ancillary products or services and a stronger hospitality-style patient experience.

The post says physicians were reconsidering Medicare and insurance plans and looking again at cash-based models with concierge or hybrid features. The author describes a return to direct payment at reasonable prices, with patients becoming more willing to ask for the service. He recommends analyzing geography, risk, compliance requirements, market demand, and price before launching a cash or concierge product.

The post frames Medicare cuts, HIPAA, Meaningful Use, HIPAA 5010, ICD-10, and audit initiatives as survival pressures rather than ordinary business changes. It recommends learning the rules, using expert help, implementing efficient technology, staying nimble, reviewing costs and fee schedules, identifying a niche, considering in-house services or concierge models, evaluating equipment opportunities, and securing cash for contingencies.

Using assumptions in the post, Taino estimated that a primary care provider generating $60,000 per month with 60% Medicare patients could lose about $38,000 per year if no MACRA data were submitted. A specialist generating $100,000 per month could lose about $64,000 per year. The calculation was based on CMS guidance that no data submission could trigger a 4% negative payment adjustment.

The post identifies MACRA, business planning, marketing, and security as major priorities for 2018. Practices seeing Medicare patients needed to report 2017 measures before March 31, 2018 and begin tracking 2018 data. The author also recommends developing a business plan, improving visibility through a website and social networks, and completing annual HIPAA Security Risk Analysis because audits and MACRA scoring depend on it.

The post says CMS offered a compromise rather than a delay for ICD-10 implementation. Medicare would not deny claims solely because diagnosis codes lacked specificity if the codes were in the appropriate family, and would not audit based only on specificity during the first year. CMS also planned advance payments if contractors could not process ICD-10 claims and an ICD-10 Ombudsman office to help physicians resolve problems.

The post says October 3, 2019 was the last day to start the required 90-day performance period for Promoting Interoperability and Improvement Activities. Promoting Interoperability counted for 25% of the total quality score. Clinicians also had to answer yes to the Prevention of Information Blocking attestation, ONC Direct Review attestation, and security risk analysis measure, with false attestation described as fraud.

The post breaks MACRA into Advancing Care Informatics or Innovation, Quality Reporting, Clinical Practice Improvement Activities, and the Value Based Modifier. Advancing Care Information carried a strong HIPAA Security component, Quality Reporting required at least six measures, Improvement Activities required four activities for 90 days, and the Value Based Modifier was calculated from claims. The recommended early action was a HIPAA Security Risk Assessment.

The post lists January 1, 2017 as the start of data collection, March 31, 2018 as the data submission due date, and January 1, 2019 as the payment adjustment date. It also summarizes MIPS as Quality Reporting at 60%, Advancing Care Information at 25%, Clinical Practice Improvement Activities at 15%, and Resource Use or Cost at 0 for that period.

The post says CMS released a new Quality Payment Program data submission system on January 2, 2018 for 2017 MIPS data, with submissions open through March 31, 2018. Clinicians used EIDM credentials, connected to their practice Taxpayer Identification Number, and could report as a group or individual. The portal provided real-time initial scoring and saved data automatically.

The post quotes CMS guidance that MACRA repealed the Sustainable Growth Rate formula and changed how Medicare rewards clinicians for value over volume. It also streamlined multiple quality programs under MIPS and gave bonus payments for participation in eligible alternative payment models. The post separately notes that MACRA required removal of Social Security numbers from Medicare cards by April 2019.

The post recommends completing a yearly HIPAA Security Risk Analysis, ideally through an outside agency, and protecting patient information through HIPAA Security policies, procedures, and training. It also recommends becoming proficient with the hardware and software needed to report data to CMS. Providers working with other practices should be careful because an overall score can affect payment adjustment and bonus eligibility.

The post says the 2019 eligible clinician category was modified to include physical therapists, occupational therapists, qualified speech-language pathologists, qualified audiologists, clinical psychologists, and registered dietitian or nutritional professionals. It also notes changes in category weights, with quality decreasing and cost increasing. The post warns that the 2019 score could move payments by 7% in either direction.

The post says conducting the Security Risk Assessment before or during the 90-day data collection period is a defensible position because the assessment identifies vulnerabilities and required actions. An assessment outside the data collection period is described as questionable because not all measures may have been met in the required timeframe. The recommendation is to complete the assessment as early as possible in the year.

The post says many eligible providers still did not understand MACRA even though their 2017 performance would affect payment. It cites research from the American Medical Association and KPMG finding that 92% of the polled population was not really knowledgeable about MACRA. The author notes that providers had choices, such as selecting 6 of 271 quality measures and 4 of 93 improvement activities, but still needed a HIPAA Security Risk Assessment.

The post says MACRA implementation would not be delayed, although providers would have flexibility in their level of participation during the 2017 calendar year. It also says MACRA was passed with bipartisan support, so there was no indication it would be eliminated after the election. Providers who failed to report at least one measure or activity faced the full 4% negative Medicare payment adjustment.

The post describes MIPS as a model where eligible clinicians receive payment adjustments based on a composite score across quality, Advancing Care Information, clinical practice improvement activities, and cost or resource use. Advanced Alternative Payment Models are described as higher-risk models with greater profit potential, similar to capitated contracts where overruns in patient care become the responsibility of the organization or clinician.

The post says MIPS includes Quality, Advancing Care Information, Improvement Activities, and Cost. Quality could include up to six measures, including an outcome measure, while Advancing Care Information required base measures such as Security Risk Analysis, e-prescribing, patient access, and summary of care exchange. Improvement Activities allowed attestations for selected activities, and Cost required no submission because CMS used claims data.

The post says the new Quality Payment Program would transition Medicare eligible professionals away from Medicare Meaningful Use, but penalties for Medicare clinicians would not end until the end of 2018 for performance year 2016. It also warns that HITECH audits could continue for any audited year as long as the audit did not exceed six years from the records being reviewed.

The post warns that submitting a Meaningful Use attestation and receiving payment does not mean the provider complied with the rules. It describes ongoing Meaningful Use audits and OIG audits that found billing errors and inadequate controls. The author recommends third-party review of compliance programs and coding, certified coders when appropriate, and proactive audit preparation.

The post says all covered entities must conduct a risk assessment under 45 CFR 164.308(a)(1)(A), and Meaningful Use Stage I Core Objective 15 made risk assessment part of attestation. Failure to complete it could mean the provider did not meet Meaningful Use and may have to return incentive money. The post also warns that willful neglect can trigger a minimum $50,000 penalty per incident.

The post says Protect Patient Health Information became Objective 1 in the modified Stage 2 comparison and remained tied to conducting a security risk analysis and implementing security updates as needed. It also shows that many earlier Stage 1 objectives were no longer separate objectives. The author highlights the security objective because it is normally linked to HIPAA Security requirements.

The post says CMS moved to a 90-day reporting period regardless of stage and placed all providers into Stage 2 or modified Stage 2. Core and menu measures were replaced by 10 objectives, patient engagement thresholds were reduced, and several data-entry requirements were removed. Stage 3 became optional in 2017, and CMS needed to incorporate the changes into its attestation systems.

The post says Stage 3 would include eight objectives for eligible professionals, hospitals, and critical access hospitals. More than 60% of the proposed Stage 3 measures required interoperability, compared with 33% in Stage 2. CMS also finalized the use of application programming interfaces to support new functionality, bridge systems, and increase patient access to health records.

The post says Stage 1 Meaningful Use had 25 objectives specific to eligible professionals. To qualify for an incentive payment, eligible professionals had to meet all 15 core objectives and 5 of the 10 menu objectives, for 20 total objectives. The core set included items such as CPOE, e-prescribing, demographics, clinical summaries, electronic information exchange, and security risk analysis.

The post says the first step for Meaningful Use was using a certified EHR, but additional office tasks and procedures also had to change. A Stage 1 certified EHR did not guarantee Stage 2 compliance because Stage 2 redefined certified EHR technology. Providers needed to understand the requirements, plan implementation, and use EHRs certified under Stage 2 requirements for 2014 qualification.

The post lists required documentation for 2016 Medicaid Meaningful Use attestation, including a summary volume report, Meaningful Use reports for all measures including clinical quality measures, an Additional Documentation form, a vendor letter showing access to the 2014 certified edition, and a HIPAA Security Risk Analysis. It also notes that the EHR reporting period had to fall within January 1 through December 31, 2016.

The post says Medicare changes beginning January 1, 2026 included new conversion factors of $33.57 for QPs and $33.40 for non-QPs, plus a -2.5% efficiency adjustment for many non-time-based services. It also describes a shift favoring non-facility settings, virtual direct supervision using real-time audio and video, and a $2,100 Medicare Part D out-of-pocket prescription drug cap.

The post says MIPS was expected to cover Quality Reporting, Value Based Modifier, Advancing Care Informatics or Innovation, and Clinical Practice Improvement Activities. Quality reporting required six measures out of more than 200 possible measures, and Clinical Practice Improvement Activities required enough activity points to reach 60. Advancing Care Informatics included pass-fail objectives, immunization registry reporting, and a required security attestation.

The post says MACRA created MIPS and incentive payments for eligible alternative payment models beginning in 2019. It describes MIPS as replacing the Sustainable Growth Rate formula and integrating portions of PQRS, EHR Meaningful Use, and value-based payment modifiers. The author recommends that providers become familiar with MACRA and begin considering how it could affect services and future payments.

The July 2016 post says MIPS was budget neutral and could move clinicians from a 4% reduction to a 4% increase in the first payment year. It also lists maximum negative adjustments increasing over time: 4% in 2019, 5% in 2020, 7% in 2021, and 9% in 2022 and after. CMS would begin tracking measures in January 2017, with payment effects beginning in 2019.

The post defines Medicare Risk Adjustment as adjusting payments based on enrollee health status and demographics. The goal is to reflect the patient's healthcare needs, so an enrollee with multiple chronic conditions can generate a higher risk score and higher payment for care. The post connects MRA to value-based care because compensation depends on documented conditions that support risk codes.

The post cites an OIG report finding that some Medicare Advantage prior authorization denials and claim-payment denials met traditional Medicare coverage or plan billing rules. It also discusses ghost networks, where directory listings make coverage appear available even when providers do not exist or are unavailable. Payment disputes, administrative burden, and complex regulatory requirements contribute to hospitals and providers dropping some Medicare Advantage plans.

The post recommends first determining whether the provider falls under the Qualified Provider category and whether any exemption applies, such as first-year Medicare Part B participation, low billing charges, fewer than 100 Medicare patients, or Advanced Payment Model participation. It also recommends deciding whether MIPS or APM applies, reviewing prior performance against the first quarter, and completing the HIPAA Security Risk Assessment and attestation.

The post explains that SAFER Guides provide practical recommendations for improving EHR safety, security, and resilience across domains such as authentication, access control, audit controls, data integrity, and contingency planning. A Security Risk Analysis is broader and evaluates risks across the whole healthcare organization, including threats to patient information, infrastructure, and operations. The post treats them as complementary but distinct requirements.

The post says a signed record should not be overwritten, backdated, deleted, or obscured. Corrections should be made as a clearly labeled addendum or late entry, with the current date and time, author signature, and reference to the original entry. The gold standard described is completion as soon as practicable, ideally within 24 to 72 hours, because late changes face heavier audit scrutiny.

The post says audit trails must track the identity of the user who made changes, log the date and time of those changes, and preserve the original entry. Without audit trails, even a legitimate correction can appear fraudulent. Audit trails are especially important when records are modified after signing because transparency protects billing integrity, legal defensibility, and patient safety.

The post says CMS uses MIPS data validation audits to verify the accuracy and completeness of data submitted by MIPS participants. Clinicians may be randomly selected each year and asked to provide evidence such as patient charts, encounter details, quality metric records, and other support for reported data. Missing deadlines or failing to provide documentation can lead to penalties or adverse payment adjustments.

The post says a Security Risk Analysis is the baseline for many audits, and an independent expert can help identify blind spots that internal staff may miss. It also notes that internal pressure can lead to understated findings and that auditing agencies may view independent assessments more favorably. The author recommends pairing the assessment with a security management plan, calendar, training schedule, and policy review.

The post says CMS subcontractor audits by Figliozzi and Company had focused on one year and all core and menu objectives. OIG audits were described as potentially covering three years and a selection of measures. The OIG also targeted state Medicaid programs and announced nationwide multiyear audits, with unsupported incentives returned to the government and potential fraud referred for investigation.

The post says providers must use certified EHR technology meeting 45 CFR 170.315 criteria and submit the EHR CMS identification code. They must submit required measure data for at least 180 consecutive days and attest to interoperability, ONC Direct Review, Security Risk Analysis, and SAFER Guides requirements. For 2024, the post lists category weights of Quality 40%, Promoting Interoperability 25%, Improvement Activities 15%, and Cost 20%.

The post says the 2013 budget proposal was expected to cut more than $360 billion from Medicare, Medicaid, and other healthcare programs over 10 years. The author argues that Medicare-dependent practices face higher audit risk and heavier compliance standards while also dealing with HIPAA 5010 and ICD-10. Practices needed to learn the rules, comply, reduce exposure, understand customers, and adapt their business model.

The post says Amendment 4507 of the Balanced Budget Act of 1997 allows certain physicians and practitioners to opt out of Medicare and enter private contracts with Medicare beneficiaries if specific requirements are met. Opting out means Medicare will not cover services from that individual, and the decision applies to all covered services and beneficiaries for at least two years. The provider must file an affidavit, use private contracts, and avoid Medicare claims for those services.

The post says CMS added the High Priority Practices SAFER Guide measure under the Protect Patient Health Information objective starting in calendar year 2022. MIPS eligible clinicians reporting Promoting Interoperability must complete the annual self-assessment checklist and attest yes to earn more than 0 in that category. The post emphasizes that SAFER Guide completion is independent from the HIPAA Security Risk Analysis.

The post says The Villages Health filed for Chapter 11 in July 2025 after facing over $360 million in Medicare overpayments tied to systemic documentation and coding errors. The organization self-reported issues after an internal review found diagnoses submitted without proper clinical support. Many chart amendments were made after the CMS 90-day deadline or listed diagnoses without active symptoms, evaluations, or treatments.

The post says CMS uses MEAT criteria to decide whether a diagnosis is valid for Medicare Advantage payment support. MEAT means the condition was monitored, evaluated, assessed or addressed, or treated during the encounter. A diagnosis should be current, discussed during a face-to-face or approved telehealth visit, and tied to care decisions; otherwise it may be excluded from risk adjustment and recouped in an audit.

The post explains that MIPS gives eligible clinicians a final score from 0 to 100 based on Quality, Promoting Interoperability, Improvement Activities, and Cost. That score determines whether the clinician receives a positive, neutral, or negative adjustment to Medicare Part B reimbursement. The program is intended to push providers toward high-quality, efficient, patient-centered care and value-based payment.