4/27/2018 1 Med. Part B Reimbursement Issues, New Regulations, and continued fines, penalties, and other issues. MACRA, MIPS AND HIPAA SLIPS MACRA, MIPS AND HIPAA SLIPS Discussion Points MACRA – Effect on Reimbursement The Quality Payment Program MIPS, APMs, Virtual Groups What to expect going forward

MACRA, MIPS AND HIPAA SLIPS - Missouri MGMA Conference/Kyle...MIPS – Performance Categories Overview Quality Measures for 2018 are available in the MACRA 2018 Final Rule Clinicians


Med. Part B Reimbursement Issues, New Regulations, and continued fines, penalties, and other issues.

MACRA, MIPS AND HIPAA SLIPS

Discussion Points

• MACRA – Effect on Reimbursement
• The Quality Payment Program
• MIPS, APMs, Virtual Groups
• What to expect going forward


MACRA Overview

Quality

Advancing Care Information

Improvement Activities

Cost

There are many changes to MACRA/MIPS. Are you ready for those changes?


A Quality Payment Program

Advanced Alternative Payment Models (Advanced APMs)

Merit-based Incentive Payment System (MIPS)

Major Provisions

Eligibility

Performance Categories & Scoring

Data Submission

Performance Period & Pay Adjustments


Provision 1: Eligibility

MIPS Eligibility (Participants & Non-participants)

PARTICIPANTS INCLUDE
• Physicians (MD/DO and DMD/DDS)
• Physician’s Assistants
• Nurse Practitioners
• Clinical Nurse Specialists
• Certified Registered Nurse Anesthetists


MIPS Eligibility (Participants & Non-participants)

NON-PARTICIPANTS INCLUDE
• First year of Medicare Part B participation
• Below “low volume threshold”
  o Medicare billing charges of less than/equal to $90,000 or provide care for 200 or fewer Medicare patients in one year
• Certain participants in Advanced Alternative Payment Models

Non-participants

MIPS DOES NOT APPLY TO HOSPITALS OR FACILITIES


Provision 2: Performance Categories & Scoring

Quality 50%

Advancing Care Info 25%

Improvement Activities 15%

Cost 10%

MIPS – Performance Categories Overview

A single MIPS composite performance score will factor in performance in 4 weighted performance categories on a 0-100 point scale


MIPS – Performance Categories Overview

Quality Measures for 2018 are available in the MACRA 2018 Final Rule

Clinicians can still choose the measures on which they’ll be evaluated.

50%

MIPS – Performance Categories Overview

Will compare Costs used to treat similar care episodes and clinical condition groups across practices

Can be risk-adjusted to reflect external factors

10%


MIPS – Performance Categories Overview


2020 Performance Category Weights for MIPS

Provision 2: Performance Categories & Scoring


Quality Performance Category

Selection of 6 of 271 quality measures

Full year of quality measure data required. No more 90 day period, or single quality measure reporting allowed.

1 quality measure must still be:

If no Outcome Measure is available for your specialty or practice, then 2 High Priority Measures are required

Quality Performance Category


Quality Performance Category

2017 Quality Performance Rules

Key Changes From 2017 Quality Performance Category

Now required to do a full year of reporting on quality measures

Year 2 (2018) Weight: 50% of final score

Some measures may be topped out and thus be “capped” at lesser points

Scoring Methodology for Quality

2017 Quality Performance Rules

Select your choice of 6 measures from the approximately 271 available quality measures (full year now required)

o Or a specialty set
o Or CMS Web Interface measures
o Remember that not all EMR/EHRs have the ability to collect and report on all 271 measures.
o Check with your EMR/EHR company before choosing your measures


Scoring Methodology for Quality

2017 Quality Performance Rules

o Bonus points are available
o Clinician must now report on a full year of quality data
o Must meet case volume criteria in order to receive more than 3 points

Scoring for Quality (50% of Final Score)

2017 Quality Performance Rules

All reporters (individual, groups, or virtual groups regardless of specialty or practice size) are combined into one benchmark


Scoring for Quality (50% of Final Score)

2017 Quality Performance Rules

o Need at least 20 reporters that meet the following criteria:
  o Meets or exceeds the minimum case volume (has enough data to reliably measure)
  o Meets or exceeds data completeness criteria
  o Has performance greater than 0 percent
o Not all measures will have a benchmark. If there is no benchmark, then a clinician only receives 3 points.

MIPS Scoring for Quality

2017 Quality Performance Rules


Provision 2: Performance Categories & Scoring

Cost Category

2017 Quality Performance Rules

Year 2 Weight: 10%

CMS calculates based on claims, so there are no reporting requirements for clinicians

Cost category is still weighted at 0% for MIPS APMs because many MIPS APMs incorporate cost measurements in other ways

Medicare Spending per Beneficiary (MSPB) and Total Per Capita Cost are the only two Cost Measures for 2018

Episode-based measures are coming in future years. CMS will give confidential performance feedback on these measures this year


Provision 2: Performance Categories & Scoring

Advancing Care Information Category

2017 Quality Performance Rules

Key changes from Current Program (EHR Incentive):

Dropped “all or nothing” threshold for measurement

Removed redundant measures to alleviate reporting burden

Eliminated Clinical Provider Order Entry and Clinical Decision Support objectives

Reduced number of required public health registries to which clinicians must report

Missouri still does not have one of the registries up and running

Year 2 Weight: 25%


Advancing Care Information Category

2017 Quality Performance Rules

Key things to remember for ACI in 2018

90 day reporting for ACI still allowed for individual, group and virtual groups.

May continue to use EHR/EMR certified to 2014 edition, but should prepare to use EHR/EMR certified to 2015 edition in future years

Provision 2: Performance Categories & Scoring


Improvement Activities Category

2017 Quality Performance Rules

Key things to remember for IA in 2018

90 day reporting for IA still allowed for individual, group and virtual groups.

Small practices, rural practices, and non-patient facing clinicians only need to do 1 high weighted, or 2 medium weighted to reach 40 points.

All others must do 2 high weighted or 4 medium weighted to get to 40 points

Year 2 Weight: 15%

Data Submission


Data Submission

2017 Quality Performance Rules

Key things to remember for data submission in 2018

Do not have to use the same submission mechanism to report all categories.

Cost will be reported by Administrative claims only

Data Submission: Avoiding Downward Adjustment (2018)

What is required for data submission to avoid downward adjustment?
• Must have a MIPS overall score of 15%, was 3%.
• Can meet this standard by just attesting Improvement Activities category
• However, just doing this will get clinician only a “neutral” adjustment.
• Quality data required for full year
• Improvement Activities for 90 days
• Advancing Care Information for 90 days
• The more points you have in these categories, the higher your MIPS score and the better chance for positive Med Part B reimbursement %.


Calculating the Composite Performance Score for MIPS

MIPS
• Weights of each performance category
• Quality lowered to 50%
• Advancing Care still 25%
• Cost now 10%
• Improvement Activities is still 15%
• Exceptional performance bonuses still available
• Availability and applicability of measures for different specialties of clinicians still available

Calculating the Composite Performance Score for MIPS

MIPS
• Group and virtual group performance scores – individual clinician scores are averaged together to get group score
• Special circumstances for small practices, rural practices, and non-patient facing MIPS eligible clinicians


Calculating the Composite Performance Score for MIPS

The CPS will be compared to the MIPS performance threshold to determine the adjustment percentage the eligible clinician will receive.

Calculating the Composite Performance Score for MIPS

50%


Calculating the Composite Performance Score for MIPS

10%

Calculating the Composite Performance Score for MIPS

Targeted review based on 2018 MIPS performance


Discussion Points

• Fines for noncompliance
• What is needed for compliance
• Breaches, past and current
• What to expect

HIPAA Overview

Confidentiality of PHI

Training

Risk Analysis / Walkthroughs

Documents in HIPAA required format


The Auditors Are Coming! Are You Ready?


Random HIPAA Audits Now

HHS/OCR plans to increase the number of audits and auditors over the next several years.

The Office of Inspector General has asked HHS/OCR to “Fully implement a permanent audit program.”


Random HIPAA Audits Now

The average fine handed down last year alone was $1.9 million.


What are the basic HIPAA requirements?

• HIPAA MANUAL
• HIPAA TRAINING
• RISK ANALYSIS & WALKTHROUGH
• HIPAA DOCUMENTS

Basic Requirements: HIPAA Manual

If HHS/OCR audited you tomorrow and you didn’t have a HIPAA manual specific to your practice or hospital’s needs…

your fine could be …

$50,000 - $75,000 or higher


A hospital in Massachusetts paid $850,000 for violating HIPAA

A portion of the fine was for not having a manual specific to the hospital’s needs.

Basic Requirements: Training

If HHS/OCR audited you tomorrow and you haven’t done HIPAA training on your policies and procedures, and you don’t have documented proof of your training(s),

your fine could be …

$60,000 - $250,000 or higher


Basic Requirements: Training

Under the rule’s Administrative Safeguard, covered entities, business associates, and subcontractors are required to train their workforce members on HIPAA use and disclosure.

Training must also raise awareness about ransomware and other possible malware attacks on ePHI.

“Workforce members” include employees, volunteers, and trainees.

A dermatology practice in Massachusetts was fined $150,000 for HIPAA/HITECH violations.


Basic Requirements: Risk Analysis

If HHS/OCR audited you tomorrow and you haven’t done a HIPAA risk analysis/walkthrough of your office with detailed documentation of the walkthrough,

your fine could be …

$75,000 - $500,000 or higher

Basic Requirements: Risk Analysis

Under the Administrative Safeguard, covered entities and business associates must assess potential privacy risks to the confidentiality, integrity, and availability of ePHI.

An effective risk analysis includes:
o Identifying ePHI created, received, maintained, or transmitted
o Identifying and documenting places where ePHI is stored and how it is gathered
o Considering likelihood of a threat occurring


Cancer Care Group, a radiation oncology practice, paid $750,000 to settle a HIPAA violation.

A portion of the fine was for not conducting any risk analysis.

Basic Requirements: HIPAA Required Documents

If HHS/OCR audited you tomorrow and you didn’t have the necessary documents that HIPAA requires to show who has access to what medical chart, for example,

your fine could be …

$100,000 - $250,000 or higher


Basic Requirements: HIPAA Required Documents

• Risk Management Plan
• Notice of Privacy Practices
• Business Associate Agreements
• List of Employees and their Access to Systems
• Vendor List

This is a non-exhaustive list

Director of the Office for Civil Rights vs. Lincare, Inc., d/b/a United Medical

The spouse of an employee of Lincare blew the whistle on Lincare’s noncompliance with HIPAA

Lincare was fined $239,000 for having violated HIPAA


What are the basic HIPAA requirements? Recap:

• HIPAA MANUAL
• HIPAA TRAINING
• RISK ANALYSIS & WALKTHROUGH
• HIPAA DOCUMENTS

HIPAA Software Concerns

• Malware
• Encryption
• Decryption
• Ransomware


Encryption & Decryption

“Addressable” by the HIPAA Privacy and Security Rules but why risk it?

Encryption: Encoded Text
Decryption: Data un-encryption

Encryption & Decryption

Children’s Medical Center-Dallas
• Two unencrypted devices were reported missing
• $3.2 million fine

Life Insurance Co.
• Stolen unencrypted USB drive
• $2.2 million fine


Beware of Ransomware and Malware

Malware: Data Destruction

Ransomware (a form of malware) restricts the user’s access to its systems containing ePHI until a ransom is paid

Nearly 4,000 malware attacks per day

Accounting of Disclosures: Patients’ Rights

Date of Disclosure

Statement of Purpose

Description of the PHI disclosed

Name of entity or person disclosure made to



Accounting of Disclosures: The Numbers

One free request per 12 months

6 years leading up to patient’s request

60 days to provide accounting of disclosures

Noncompliance: What Can It Cost You?


Noncompliance: What Can It Cost You?

Individual/entity did not know (and by exercising reasonable diligence would not have known) that he/she/it violated HIPAA.

$100 – $1.5 MILLION PER VIOLATION

Noncompliance: What Can It Cost You?

HIPAA violation due to reasonable cause and not due to willful neglect

$1000 – $1.5 MILLION PER VIOLATION


Noncompliance: What Can It Cost You?

HIPAA violation due to willful neglect but violation is corrected within the required 30 day time period

$10,000 – $1.5 MILLION PER VIOLATION

Noncompliance: What Can It Cost You?

HIPAA violation is due to willful neglect and is not corrected

$50,000 – $1.5 MILLION PER VIOLATION


What can noncompliance cost you? Recap:

• Did not know and would not have known: $100 – $1.5 M
• Due to reasonable cause and not due to willful neglect: $1,000 – $1.5 M
• Due to willful neglect but violation is corrected within required 30 days: $10,000 – $1.5 M
• Due to willful neglect and is not corrected: $50,000 – $1.5 M

The type of violation and the frequency of violations are predominant factors in the amount of any fine.


Fines Levied in Recent Months

Affinity Health Plan paid over $1.2 million for violating HIPAA.


University of Mississippi Medical Center paid $2.75 million for multiple alleged HIPAA violations.

Oregon Health & Science University paid $2.7 million for widespread HIPAA vulnerabilities.


Advocate Health Care, the largest integrated healthcare system in Illinois, was hit with the biggest HIPAA fine to date for a single entity.

This is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule (2003), in some instances).

$5.5 million fine

Memorial Healthcare Systems paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of HIPAA.

MHS suffered a breach of over 115,000 patient records that were impermissibly disclosed by employees of MHS.


Local Breaches Over the Years

Fresenius Medical Care: Breaches throughout locations in Florida, Alabama, Arizona, Georgia, and Illinois due to failure to conduct risk analysis, impermissible disclosure of ePHI, failure to implement policies and procedures for data storage, and failure to implement encryption.

Memorial Health Center: 115,1143 patients affected due to impermissible access and disclosure to affiliated physician office staff.

Primary Health Care, Inc (Iowa): 10313 patients affected due to unauthorized access/disclosure from email.

John J. Pershing VA Medical Center: 1843 patients affected due to unauthorized access/disclosure of paper/films.

North Texas Medical Center: 3350 patients affected due to unauthorized access.

Union Lake: 3350 patients affected due to Improper Disposal.

Breaches: Across the Country


Decatur County General Hospital: 24000 patients affected due to hacking of a network server.

Rocky Mountain Women’s Health Center, Inc: 1166 patients affected due to improper disposal of paper/films.

Oklahoma St. Uni. Center for Health Sciences: 279,865 patients affected due to hacking of the network server.

Breaches: Across the Country


Penn Medicine: 1050 patients affected due to theft of a laptop.

Charles River Medical Associates, PC: 9387 patients affected due to loss of a portable electronic device.

Onco360 & CareMed Specialty Pharmacy: 53,173 patients affected due to a Hacking/IT Incident to email.


Breaches: Across the Country

Steven Yang, D.D.S., Inc: 3202 patients affected due to theft of a laptop.

Zachary E. Adkins, DDS: 3677 patients affected due to theft of a portable electronic device.

Robert Smith DMD, PC: 1500 patients affected due to hacking of network server.

Alicia Ann Oswald: 800 patients affected due to unauthorized access of email.

What is the effect of noncompliance?

Cost:

o Fines – like we saw previously

o Mitigating the risks

• Average cost to mitigate is $402 per affected individual patient

o Reputation


What is the effect of noncompliance?

Corrective Action Plan:

o HHS could require you to agree to a corrective action plan

• Spells out what you are required to change, do, etc., to get back into compliance

• Frequent reviews of changes during plan

Security & Risk Analysis (Assessments)


Assessments: Examples of 3 Sections

Administrative

Physical

Technical

Worksheet columns:
• Implementation Specification (Required/Addressable)
• Risk Assessment Questions
• Risk: 1 (not a risk) – 5 (Risk)
• Policy (Policy in Place: Y / Need Policy: Y)
• Assigned To

Implementation Specification: RISK Analysis (Required)

Risk Assessment Question: Do you keep an updated inventory of hardware and software owned by the practice?
• Risk: If yes, then on this scale you’d put a 1. If no, then a 5. If you have one but it’s outdated then it might be a 2-4.
• Policy: Is there a policy in place for a list like this? If yes, say yes. If no, say no, but document what you are doing to obtain one, etc.
• Assigned To: This should be assigned to your HIPAA Coordinator (i.e., Privacy/Security Officer)

Risk Assessment Question: Can you identify all of the locations where PHI is located? (i.e., desktops, iPads, etc.)
• Risk: If yes, then on this scale you’d put a 1. If no, then a 5. If you know where some of it is located, but not sure where others are located, then a 2-4 might be put here.
• Policy: Again, if yes, then say yes here. If no, then say no, but document what you are doing to ensure that you are aware of everywhere PHI is located
• Assigned To: This should be assigned to your HIPAA Coordinator (i.e., Privacy/Security Officer)

Security Risk Analysis: Administrative Safeguards


HIPAA & MACRA Together

Under the Advancing Care Information Category for MIPS compliance under MACRA, a clinician, group, or virtual group must attest to having conducted or reviewed a Security Risk Analysis within the performance period.

• Failure to do so can cause your MACRA score to be lower – leading to potentially lower or negative Med Part B adjustments

If you or any member of your medical staff violate HIPAA, it can cost you: $$$$, your practice, or even result in lower or negative Med Part B reimbursement.

Noncompliance With HIPAA Can Cost You!


QUESTIONS
