Risk analysis could trip providers up under MACRA

Conducting a careful, detailed review of security gaps now a requirement, says Rob Tennant.


The final version of the rule setting the details of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) imposes new quality measurement and Medicare payment models on physicians that will force them to take on new responsibilities.

MACRA also includes provisions that make changes in previous electronic health records Meaningful Use provisions, and the final version of the rule reflects significant changes from what was originally suggested in the first version of the rule, says Rob Tennant, director of health information technology policy at the Medical Group Management Association, speaking this week at its annual meeting in San Francisco.

The most important changes made by the Centers for Medicare and Medicaid were that it permits providers to select any continuous 90-day reporting period in 2016 and a hardship exemption for physicians who are new to the electronic health record Meaningful Use program and transitioning to the new MIPS program under MACRA, Tennant said.

Also See: Regulatory approach of MACRA aids physician use of EHRs

Tennant emphasized there are four crucial areas to which providers now must pay attention: risk analysis, electronic prescribing, patient access to their data and health information exchange via sending summary of care documents to another provider. Failure to meet these baseline requirements will result in no points being granted to providers, and the point system being used will affect provider reimbursement from Medicare—the more requirements providers meet, the higher their Medicare payments can be.

Conducting a comprehensive risk analysis to identify security vulnerabilities, document improvements and justify why certain improvements were not made is a particularly critical part of complying with the law, Tennant warned. Not conducting a risk assessment is the leading cause of failing an electronic health record Meaningful Use audit. And most small physician practices still do not understand the new rules.

Tennant gave several tips on conducting a risk analysis:
  • Do not assume your software vendor will conduct a risk analysis for you.
  • Talk with colleagues in other practices about how they conducted a risk analysis.
  • Assume you will be audited.
  • Review resources available from MGMA, many other trade associations and the Department of Health and Human Services.
  • Focus on highly vulnerable areas of your practice.
  • Document everything related to the risk analysis.

More for you

Loading data for hdm_tax_topic #better-outcomes...