Ready or Not: CMS rolls out New MACRA Rule, Factors HIPAA Compliance into New Payment Structure

Zombie Data is proud to announce that its HIPAA Security Risk process will handle the security risk assessments that medical practices will be required to perform under the new MACRA regulation (Medicare Access and CHIP Reauthorization Act), which commences January 1, 2017.

The HIPAA Security Risk process helps medical practices comply with HIPAA and protect their most valuable asset – electronic protected health information (ePHI). The company offers a suite of services, including security risk assessment (SRA), policies and procedures, employee training, live HIPAA consulting, and financial protection.

According to HHS officials, MACRA scoring will depend, in part, on HIPAA compliance and whether medical practices perform a thorough SRA. HIPAA Security Risk will help medical practices understand MACRA scoring as it relates to HIPAA privacy and security, and perform SRAs to make sure doctors have taken proper steps to protect their ePHI across their entire IT network. For example:

  • The HIPAA Security Risk process will guide physicians in locating where all ePHI is stored, whether it’s in the cloud or on servers, desktops, laptops or mobile devices. While the majority of ePHI may be stored in their EHR system, the SRA will also reveal whether patient information is stored in other sources, such as Word documents (patient letters), Excel spreadsheets (billing reports), and scanned images of insurance Explanation of Benefits (EOB) statements. An SRA always needs to be performed, regardless of where ePHI is located.
  • The HIPAA Security Risk process will analyze how patient information is being protected, i.e., backup processes, the procedures in place for disaster recovery, and how to deal with lost or stolen laptops containing ePHI. The SRA will also review procedures for granting employees the minimum necessary level of access to ePHI, plus termination procedures for when employees leave.
  • The HIPAA Security Risk process will counsel physicians on having a response plan in case a breach does occur, and help implement that plan in the event of a breach. The plan must specify who will be on the response team, what actions the team will take to address the breach, and the steps they’ll take to prevent another breach from occurring. The SRA will make sure a plan exists and that all employees are trained in how to respond.

MACRA, administered by the Centers for Medicare & Medicaid Services (CMS), ties medical reimbursements to improved care and better outcomes for patients while lowering costs. Fees paid to physicians will be scored based on performance and quality metrics, all in an effort to move to value-based care.

Initially, physicians can see their payments vary by +/- 4% based on their MACRA scores. By 2020, payments will vary by +/- 9%.

In particular, physicians who participate in the MACRA Merit-Based Incentive Payment System (MIPS) will be scored on their extensive use of their EHR systems over time. To earn any score, they’ll need to prove that their ePHI is being protected. Failure to safeguard ePHI with the proper IT security controls will result in a zero score, which could have a material impact on the MACRA fee adjustment and on overall Medicare reimbursement.

About Zombie Data/HIPAA Security Risk

Zombie Data was originally founded to work with clients on their data strategy and business intelligence solutions. While working with several medical and health-insurance clients, we recognized a need for a service to perform an independent HIPAA Security Risk Assessment that also satisfies Meaningful Use and MACRA requirements, along with privacy and security policies and procedures, and training. We have brought together best practices and a focus on providing those solutions for the advancement of medical practices’ cybersecurity awareness and compliance. For more information visit