HIPAA and MACRA – What you need to know

HIPAA and MACRA/MIPS 2018 – What you need to know
As we move into the second half of the year, many practices and physicians are starting to consider the data they will need to submit under the MACRA/MIPS program. The MACRA/MIPS rules change slightly every year, and this year is no exception. Even though the rules have been adjusted, a basic requirement remains in place: You will need to perform a HIPAA Security Risk Analysis in order to maximize your MIPS score and avoid negative Medicare payment adjustments.
For many, the above is all you need to know. But for those that are interested in further explanation, see below:

Your 2018 MIPS score is divided into four categories:

  • Quality (50 Points)
  • Cost (10 Points)
  • Improvement Activities (15 points)
  • Promoting Interoperability (25 points)


Promoting Interoperability replaces Advancing Care Information from last year, and it remains the category that involves the HIPAA Security Risk Analysis

Promoting Interoperability has a base score, a performance score and a bonus score

  • The base score is 50% of the overall Promoting Interoperability score

There are several base score measures that are required. One of them is the requirement to perform a HIPAA Security Risk Analysis. You’ll need to meet the requirements of all the base score measures in order to receive the 50% base score. If these requirements are not met, you will get a 0 for the overall Promoting Interoperability performance category score.

Conclusion: Not performing an SRA gets a zero base score, a zero performance score and a very low overall Promoting Interoperability score. This represents 25% of your total MIPS score. Best practice would dictate that you have a Security Risk Analysis performed and dated in 2018. Of course, performing a Security Risk Analysis is always required for HIPAA compliance, regardless of whether a practice receives reimbursement from Medicare.