4/27/2018
1
Med. Part B Reimbursement Issues, New Regulations, and continued fines, penalties, and other issues.
MACRA, MIPS AND HIPAA SLIPS
Discussion Points
MACRA – Effect on Reimbursement
The Quality Payment Program: MIPS, APMs, Virtual Groups
What to expect going forward
MACRA Overview
Quality
Advancing Care Information
Improvement Activities
Cost
There are many changes to MACRA/MIPS. Are you ready for those changes?
A Quality Payment Program
Advanced Alternative Payment Models (Advanced APMs)
Merit-based Incentive Payment System (MIPS)
Major Provisions
Eligibility
Performance Categories & Scoring
Data Submission
Performance Period & Pay Adjustments
Provision 1: Eligibility
MIPS Eligibility (Participants & Non-participants)
PARTICIPANTS INCLUDE
Physicians (MD/DO and DMD/DDS)
Physician’s Assistants
Nurse Practitioners
Clinical Nurse Specialists
Certified Registered Nurse Anesthetists
MIPS Eligibility (Participants & Non-participants)
NON-PARTICIPANTS INCLUDE
First year of Medicare Part B participation
Below “low volume threshold”: Medicare billing charges of less than/equal to $90,000 or provide care for 200 or fewer Medicare patients in one year
Certain participants in Advanced Alternative Payment Models
MIPS DOES NOT APPLY TO HOSPITALS OR FACILITIES
Provision 2: Performance Categories & Scoring
MIPS – Performance Categories Overview
Quality 50%
Advancing Care Info 25%
Improvement Activities 15%
Cost 10%
A single MIPS composite performance score will factor in performance in 4 weighted performance categories on a 0-100 point scale.
MIPS – Performance Categories Overview
Quality (50%)
Quality Measures for 2018 are available in the MACRA 2018 Final Rule.
Clinicians can still choose the measures on which they’ll be evaluated.
Cost (10%)
Will compare costs used to treat similar care episodes and clinical condition groups across practices.
Can be risk-adjusted to reflect external factors.
MIPS – Performance Categories Overview
2020 Performance Category Weights for MIPS
Provision 2: Performance Categories & Scoring
Quality Performance Category
Selection of 6 of 271 quality measures
Full year of quality measure data required. No more 90 day period or single quality measure reporting allowed.
1 quality measure must still be:
If no Outcome Measure is available for your specialty or practice, then 2 High Priority Measures are required.
Quality Performance Category
2017 Quality Performance Rules
Key Changes From 2017 Quality Performance Category
Now required to do a full year of reporting on quality measures
Year 2 (2018) Weight: 50% of final score
Some measures may be topped out and thus be “capped” at lesser points
Scoring Methodology for Quality
Select your choice of 6 measures from the approximately 271 available quality measures (full year now required)
o Or a specialty set
o Or CMS Web Interface measures
o Remember that not all EMR/EHRs have the ability to collect and report on all 271 measures.
o Check with your EMR/EHR company before choosing your measures.
Scoring Methodology for Quality
o Bonus points are available
o Clinician must now report on a full year of quality data
o Must meet case volume criteria in order to receive more than 3 points
Scoring for Quality (50% of Final Score)
All reporters (individual, groups, or virtual groups regardless of specialty or practice size) are combined into one benchmark.
Scoring for Quality (50% of Final Score)
o Need at least 20 reporters that meet the following criteria:
o Meets or exceeds the minimum case volume (has enough data to reliably measure)
o Meets or exceeds data completeness criteria
o Has performance greater than 0 percent
o Not all measures will have a benchmark. If there is no benchmark, then a clinician only receives 3 points.
MIPS Scoring for Quality
Provision 2: Performance Categories & Scoring
Cost Category
Year 2 Weight: 10%
CMS calculates based on claims, so there are no reporting requirements for clinicians.
Cost category is still weighted at 0% for MIPS APMs because many MIPS APMs incorporate cost measurements in other ways.
Medicare Spending per Beneficiary (MSPB) and Total Per Capita Cost are the only two Cost Measures for 2018.
Episode-based measures are coming in future years. CMS will give confidential performance feedback on these measures this year.
Provision 2: Performance Categories & Scoring
Advancing Care Information Category
Key changes from Current Program (EHR Incentive):
Dropped “all or nothing” threshold for measurement
Removed redundant measures to alleviate reporting burden
Eliminated Clinical Provider Order Entry and Clinical Decision Support objectives
Reduced number of required public health registries to which clinicians must report
Missouri still does not have one of the registries up and running
Year 2 Weight: 25%
Advancing Care Information Category
Key things to remember for ACI in 2018
90 day reporting for ACI still allowed for individual, group and virtual groups.
May continue to use EHR/EMR certified to 2014 edition, but should prepare to use EHR/EMR certified to 2015 edition in future years
Provision 2: Performance Categories & Scoring
Improvement Activities Category
Key things to remember for IA in 2018
90 day reporting for IA still allowed for individual, group and virtual groups.
Small practices, rural practices, and non-patient facing clinicians only need to do 1 high-weighted or 2 medium-weighted activities to reach 40 points.
All others must do 2 high-weighted or 4 medium-weighted activities to get to 40 points.
Year 2 Weight: 15%
Data Submission
Key things to remember for data submission in 2018
Do not have to use the same submission mechanism to report all categories.
Cost will be reported by administrative claims only.
Data Submission: Avoiding Downward Adjustment (2018)
What is required for data submission to avoid downward adjustment?
• Must have a MIPS overall score of 15% (was 3%).
• Can meet this standard by just attesting to the Improvement Activities category.
• However, just doing this will get the clinician only a “neutral” adjustment.
• Quality data required for full year
• Improvement Activities for 90 days
• Advancing Care Information for 90 days
• The more points you have in these categories, the higher your MIPS score and the better chance for a positive Med Part B reimbursement %.
Calculating the Composite Performance Score for MIPS
• Weights of each performance category
• Quality lowered to 50%
• Advancing Care still 25%
• Cost now 10%
• Improvement Activities is still 15%
• Exceptional performance bonuses still available
• Availability and applicability of measures for different specialties of clinicians still available
• Group and virtual group performance scores – individual clinician scores are averaged together to get the group score
• Special circumstances for small practices, rural practices, and non-patient facing MIPS eligible clinicians
Calculating the Composite Performance Score for MIPS
The CPS will be compared to the MIPS performance threshold to determine the adjustment percentage the eligible clinician will receive.
Calculating the Composite Performance Score for MIPS
Targeted review based on 2018 MIPS performance
Discussion Points
Fines for noncompliance
What is needed for compliance
Breaches, past and current
What to expect
HIPAA Overview
Confidentiality of PHI
Training
Risk Analysis / Walkthroughs
Documents in HIPAA required format
The Auditors Are Coming! Are You Ready?
Random HIPAA Audits Now
HHS/OCR plans to increase the number of audits and auditors over the next several years.
The Office of Inspector General has asked HHS/OCR to “Fully implement a permanent audit program.”
Random HIPAA Audits Now
The average fine handed down last year alone was $1.9 million.
What are the basic HIPAA requirements?
HIPAA Risk Analysis & Walkthrough
HIPAA Manual
HIPAA Training
HIPAA Documents
Basic Requirements: HIPAA Manual
If HHS/OCR audited you tomorrow and you didn’t have a HIPAA manual specific to your practice or hospital’s needs…
your fine could be …
$50,000 - $75,000 or higher
A hospital in Massachusetts paid $850,000 for violating HIPAA.
A portion of the fine was for not having a manual specific to the hospital’s needs.
Basic Requirements: Training
If HHS/OCR audited you tomorrow and you haven’t done HIPAA training on your policies and procedures, and you don’t have documented proof of your training(s),
your fine could be …
$60,000 - $250,000 or higher
Basic Requirements: Training
Under the rule’s Administrative Safeguard, covered entities, business associates, and subcontractors are required to train their workforce members on HIPAA use and disclosure.
Training must also raise awareness about ransomware and other possible malware attacks on ePHI.
“Workforce members” include employees, volunteers, and trainees.
A dermatology practice in Massachusetts was fined $150,000 for HIPAA/HITECH violations.
Basic Requirements: Risk Analysis
If HHS/OCR audited you tomorrow and you haven’t done a HIPAA risk analysis/walkthrough of your office with detailed documentation of the walkthrough,
your fine could be …
$75,000 - $500,000 or higher
Basic Requirements: Risk Analysis
Under the Administrative Safeguard, covered entities and business associates must assess potential privacy risks to the confidentiality, integrity, and availability of ePHI.
An effective risk analysis includes:
o Identifying ePHI created, received, maintained, or transmitted
o Identifying and documenting places where ePHI is stored and how it is gathered
o Considering likelihood of a threat occurring
Cancer Care Group, a radiation oncology practice, paid $750,000 to settle a HIPAA violation.
A portion of the fine was for not conducting any risk analysis.
Basic Requirements: HIPAA Required Documents
If HHS/OCR audited you tomorrow and you didn’t have the necessary documents that HIPAA requires to show who has access to what medical chart, for example,
your fine could be …
$100,000 - $250,000 or higher
Basic Requirements: HIPAA Required Documents
Risk Management Plan
Notice of Privacy Practices
Business Associate Agreements
List of Employees and their Access to Systems
Vendor List
This is a non-exhaustive list.
Director of the Office for Civil Rights vs. Lincare, Inc., d/b/a United Medical
The spouse of an employee of Lincare blew the whistle on Lincare’s noncompliance with HIPAA.
Lincare was fined $239,000 for having violated HIPAA.
What are the basic HIPAA requirements? Recap:
HIPAA Risk Analysis & Walkthrough
HIPAA Manual
HIPAA Training
HIPAA Documents
HIPAA Software Concerns
Malware
Encryption/Decryption
Ransomware
Encryption & Decryption
“Addressable” by the HIPAA Privacy and Security Rules, but why risk it?
Encryption: encoded text. Decryption: data un-encryption.
Encryption & Decryption
Children’s Medical Center-Dallas
• Two unencrypted devices were reported missing
• $3.2 million fine
Life Insurance Co.
• Stolen unencrypted USB drive
• $2.2 million fine
Beware of Ransomware and Malware
Malware: data destruction
Ransomware (a form of malware) restricts the user’s access to their systems containing ePHI until a ransom is paid.
Nearly 4,000 malware attacks per day.
Accounting of Disclosures: Patients’ Rights
Date of Disclosure
Statement of Purpose
Description of the PHI disclosed
Name of entity or person disclosure made to
Accounting of Disclosures: The Numbers
One free request per 12 months
6 years leading up to patient’s request
60 days to provide accounting of disclosures
Noncompliance: What Can It Cost You?
Noncompliance: What Can It Cost You?
Individual/entity did not know (and by exercising reasonable diligence would not have known) that he/she/it violated HIPAA.
$100 – $1.5 MILLION PER VIOLATION
HIPAA violation due to reasonable cause and not due to willful neglect
$1000 – $1.5 MILLION PER VIOLATION
Noncompliance: What Can It Cost You?
HIPAA violation due to willful neglect but violation is corrected within the required 30 day time period
$10,000 – $1.5 MILLION PER VIOLATION
HIPAA violation is due to willful neglect and is not corrected
$50,000 – $1.5 MILLION PER VIOLATION
What can noncompliance cost you? Recap:
Did not know and would not have known: $100 – $1.5 M
Due to reasonable cause and not due to willful neglect: $1,000 – $1.5 M
Due to willful neglect but violation is corrected within required 30 days: $10,000 – $1.5 M
Due to willful neglect and is not corrected: $50,000 – $1.5 M
The type of violation and the frequency of violations are predominant factors in the amount of any fine.
Fines Levied in Recent Months
Affinity Health Plan paid over $1.2 million for violating HIPAA.
University of Mississippi Medical Center paid $2.75 million for multiple alleged HIPAA violations.
Oregon Health & Science University paid $2.7 million for widespread HIPAA vulnerabilities.
Advocate Health Care, the largest integrated healthcare system in Illinois, was hit with the biggest HIPAA fine to date for a single entity.
This is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in 2003, in some instances).
$5.5 million fine
Memorial Healthcare Systems paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of HIPAA.
MHS suffered a breach of over 115,000 patient records that were impermissibly disclosed by employees of MHS.
Local Breaches Over the Years
Fresenius Medical Care: Breaches throughout locations in Florida, Alabama, Arizona, Georgia, and Illinois due to failure to conduct risk analysis, impermissible disclosure of ePHI, failure to implement policies and procedures for data storage, and failure to implement encryption.
Memorial Health Center: 115,1143 patients affected due to impermissible access and disclosure to affiliated physician office staff.
Primary Health Care, Inc. (Iowa): 10313 patients affected due to unauthorized access/disclosure from email.
John J. Pershing VA Medical Center: 1843 patients affected due to unauthorized access/disclosure of paper/films.
North Texas Medical Center: 3350 patients affected due to unauthorized access.
Union Lake: 3350 patients affected due to improper disposal.
Breaches: Across the Country
Decatur County General Hospital: 24000 patients affected due to hacking of a network server.
Rocky Mountain Women’s Health Center, Inc: 1166 patients affected due to improper disposal of paper/films.
Oklahoma St. Uni. Center for Health Sciences: 279,865 patients affected due to hacking of the network server.
Breaches: Across the Country
Penn Medicine: 1050 patients affected due to theft of a laptop.
Charles River Medical Associates, PC: 9387 patients affected due to loss of a portable electronic device.
Onco360 & CareMed Specialty Pharmacy: 53,173 patients affected due to a Hacking/IT Incident to email.
Breaches: Across the Country
Steven Yang, D.D.S., Inc: 3202 patients affected due to theft of a laptop.
Zachary E. Adkins, DDS: 3677 patients affected due to theft of a portable electronic device.
Robert Smith DMD, PC: 1500 patients affected due to hacking of network server.
Alicia Ann Oswald: 800 patients affected due to unauthorized access of email.
What is the effect of noncompliance?
Cost:
o Fines – like we saw previously
o Mitigating the risks
• Average cost to mitigate is $402 per affected individual patient
o Reputation
What is the effect of noncompliance?
Corrective Action Plan:
o HHS could require you to agree to a corrective action plan
• Spells out what you are required to change, do, etc., to get back into compliance
• Frequent reviews of changes during plan
Security & Risk Analysis (Assessments)
Assessments: Examples of 3 Sections
Administrative
Physical
Technical
Assessment template columns:
Implementation Specification
Required/Addressable
Risk Assessment Questions
Risk: 1 (not a risk) – 5 (Risk)
Policy: Policy in Place: Y / Need Policy: Y
Assigned To:
RISK Analysis Required
Question: Do you keep an updated inventory of hardware and software owned by the practice?
Risk: If yes, then on this scale you’d put a 1. If no, then a 5. If you have one but it’s outdated, then it might be a 2-4.
Policy: Is there a policy in place for a list like this? If yes, say yes. If no, say no, but document what you are doing to obtain one, etc.
Assigned To: This should be assigned to your HIPAA Coordinator (i.e., Privacy/Security Officer).
Question: Can you identify all of the locations where PHI is located? (i.e., desktops, iPads, etc.)
Risk: If yes, then on this scale you’d put a 1. If no, then a 5. If you know where some of it is located, but are not sure where the rest is located, then a 2-4 might be put here.
Policy: Again, if yes, then say yes here. If no, then say no, but document what you are doing to ensure that you are aware of everywhere PHI is located.
Assigned To: This should be assigned to your HIPAA Coordinator (i.e., Privacy/Security Officer).
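The two walkthrough questions above show the scoring pattern the template uses: each question gets a 1-5 risk score, a yes/no on whether a policy exists, and an owner. The following is an added example, not code from the presentation, that records assessment items in that shape and turns them into a prioritized remediation list and a per-safeguard summary, which is what an auditor will ask to see after the walkthrough. The questions, scores, owners and notes in SAMPLE_ITEMS are constructed sample data, and the function names are this example's own.

```python
# Added example, not from the presentation: a minimal risk register that
# applies the deck's assessment template (section, question, 1-5 risk score,
# policy in place, assigned to) and turns it into a prioritized to-do list.
# All questions, scores and owners below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AssessmentItem:
    section: str           # Administrative, Physical or Technical safeguard
    question: str          # the risk assessment question asked on the walkthrough
    risk: int              # 1 = not a risk ... 5 = risk, as on the deck's scale
    policy_in_place: bool  # Policy in Place: Y/N
    assigned_to: str       # owner, normally the Privacy/Security Officer
    notes: str = ""        # what is being done about any gap (keeps the record auditable)

    def __post_init__(self) -> None:
        # Reject scores outside the template's scale so the register stays consistent.
        if not 1 <= self.risk <= 5:
            raise ValueError(f"risk must be between 1 and 5, got {self.risk}")


def needs_action(item: AssessmentItem) -> bool:
    """An item is open if it scored above 1 (some risk) or has no policy behind it."""
    return item.risk > 1 or not item.policy_in_place


def remediation_list(items: List[AssessmentItem]) -> List[AssessmentItem]:
    """Open items, highest risk first; among equal scores, missing-policy items first."""
    return sorted(
        (i for i in items if needs_action(i)),
        key=lambda i: (-i.risk, i.policy_in_place, i.section, i.question),
    )


def section_summary(items: List[AssessmentItem]) -> Dict[str, Dict[str, int]]:
    """Per safeguard section: number of items, worst risk score, and policy gaps."""
    summary: Dict[str, Dict[str, int]] = {}
    for i in items:
        s = summary.setdefault(i.section, {"items": 0, "max_risk": 0, "policy_gaps": 0})
        s["items"] += 1
        s["max_risk"] = max(s["max_risk"], i.risk)
        if not i.policy_in_place:
            s["policy_gaps"] += 1
    return summary


# Constructed sample walkthrough results (hypothetical practice, hypothetical scores).
SAMPLE_ITEMS = [
    AssessmentItem("Administrative",
                   "Do you keep an updated inventory of hardware and software owned by the practice?",
                   3, False, "Privacy/Security Officer",
                   "Inventory exists but is over a year old; policy being drafted"),
    AssessmentItem("Administrative",
                   "Can you identify all of the locations where PHI is located?",
                   5, False, "Privacy/Security Officer",
                   "Unknown whether staff phones hold PHI; survey under way"),
    AssessmentItem("Physical",
                   "Are workstations that display PHI positioned away from public view?",
                   1, True, "Office Manager"),
    AssessmentItem("Technical",
                   "Are portable devices that store ePHI encrypted?",
                   4, True, "IT Vendor",
                   "Policy exists but two laptops are not yet encrypted"),
    AssessmentItem("Technical",
                   "Does the EHR require a unique login for every user?",
                   1, True, "IT Vendor"),
]


if __name__ == "__main__":
    # Print the open items in the order they should be worked, then the section totals.
    for item in remediation_list(SAMPLE_ITEMS):
        policy = "policy in place" if item.policy_in_place else "NEEDS POLICY"
        print(f"[risk {item.risk}] {item.section}: {item.question} ({policy}; owner: {item.assigned_to})")
    for section, stats in section_summary(SAMPLE_ITEMS).items():
        print(f"{section}: {stats}")
```

Keeping the notes field populated for every open item matters as much as the score: the deck's guidance for a "no" answer is to document what you are doing about it, and that documentation is what distinguishes a gap under remediation from willful neglect when the register is reviewed.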
Security Risk Analysis: Administrative Safeguards
HIPAA & MACRA Together
Under the Advancing Care Information Category for MIPS compliance under MACRA, a clinician, group, or virtual group must attest to having conducted or reviewed a Security Risk Analysis within the performance period.
• Failure to do so can cause your MACRA score to be lower – leading to potentially lower or negative Med Part B adjustments
Noncompliance With HIPAA Can Cost You!
If you or any member of your medical staff violate HIPAA, it can cost you: $$$$, your practice, or even result in lower or negative Med Part B reimbursement.
QUESTIONS