The Connection Between MIPS (Medicare and Medicaid Incentive Programs) and HIPAA
CMS (Centers for Medicare and Medicaid Services) inappropriately paid $729.4 million in Meaningful Use incentives to healthcare providers over a three-year period due to the providers’ errors. These errors are a result of providers not being able to support their attestations of completing the measures and objectives as decided in the 2015 EHR Incentive Programs Final Rule. A couple examples of these attestations include completing the Security Risk Assessment and protecting electronic Protected Health Information (ePHI)). MIPS is a “pay-for-performance” program and it is independent of macroeconomic factors, upon which the earlier physician payment system was based. In order to qualify for MIPS, the healthcare entity must make a switch from paper records to electronic records.
Healthcare providers can choose from the Advanced Alternative Payment Models (APM) or MIPS, but most providers will choose MIPS. You should choose APM if 20% of your patients have Medicare or if 25% of your patients are Medicare reimbursables. You are eligible for MIPS if you bill more than $30k per year, provide care to 100 or more patients, and you are a physician, physician assistant, nurse practitioner, clinical nurse specialist, or a certified registered nurse anesthetist. You must start the paperwork between 1/1/2017 – 10/2/2017 and send in performance data by 3/31/2018. There will be a ninety-day attestation period in 2017 and payment adjustments for switching from paper to electronic records go into effect on 1/1/2019. If you do not participate, the result is a negative 4% adjustment in Medicare payments.
There are two options for reporting Advancing Care Information. Option 1 is the Advancing Care Information Objectives and Measures with 22 available reportable measures (7 are required including the security risk assessment). You can report the Advancing Care Information Objectives and Measures if you have technology that is certified to the 2015 edition or if you have a combination of technologies from the 2014 and 2015 editions that support these measures. Option 2 is the 2017 Advancing Care Information Transition Objectives and Measures with 13 available reportable measures (4 are required including the security risk assessment). You can report the 2017 Advancing Care Information Transition Objectives and Measures if you have technology that is certified to the 2015 edition or if you have technology certified to the 2014 edition or if you have a combination of technologies from the 2014 and 2015 editions.
Complementing MIPS with HIPAA brings about better patient engagement. Certified Electronic Health Record Technology (CEHRT) has enabled features such as availability of secure patient portals, encrypted text messages, and email products. Because of this, patient engagement tools sent electronically by regular (encrypted) email and text messaging include features such as appointment reminders, healthcare instructions, patient satisfaction surveys, and health and wellness newsletters and recall reminders. Since these are part of the regular use of technology in healthcare, HIPAA has enacted rules by which PHI can be sent by encrypted electronic transmission. Advancing Care Information of MIPS requires a HIPAA Security Risk Assessment, similar to the Meaningful Use clause. That is the strong link between MIPS and HIPAA. What if you don’t have CEHRT? You can apply for a Hardship Exception if you do not have CEHRT. Simply lacking CEHRT does not qualify the MIPS-eligible clinician or group for reweighting though. CEHRT is required for participation in the advancing care information performance category.
If you do have CEHRT, you must now conduct or review a Security Risk Analysis in accordance with the requirements in 45 CFR 164.308 (a)(1). Doing so will lead to securing ePHI for your Covered Entity or Business Associate. You must then conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must also address the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). Then, you must implement security updates as necessary and correctly identify security deficiencies as part of the MIPS eligible clinician’s risk management process.