If you are a healthcare provider that accepts Medicare, then you have likely seen and heard the acronyms MACRA, MIPS, and EHR hundreds of times in 2017.

MACRA establishes a framework to reward physicians for providing higher quality care at lower costs and improving health outcomes for patients—a switch from fee for services to the value-based care model.  One pathway to higher reimbursement is the Merit-based Incentive Payment System (MIPS).

You may have chosen to attest to MIPS for the entire calendar year, or perhaps you are gearing up to begin reporting in the final 90 days of 2017. You also may have chosen to begin reporting in 2018. Whichever path you have selected, are you aware that before medical practices participate in MIPS they must prove that patient health information contained in EHR and elsewhere in their practice is protected by performing a security risk assessment (SRA)?

Buried within MACRA (Medicare Access and CHIP Reauthorization Act) lies a key requirement for eligibility—the security risk assessment (SRA). Failure to perform an SRA could result in zero scores, which would have a substantial impact on the MACRA fee adjustment, and overall Medicare reimbursement.  

Outdated-Healthcare-Security-Banner.jpg

Conducting a comprehensive risk analysis to identify security vulnerabilities, document improvements and justify why certain improvements were not made is a particularly critical part of complying with the law. Yet, many medical practices are guilty of doing a “check the box” SRA and not taking the actual steps to prevent a security breach. Failure to perform a risk assessment or conducting an insufficient risk assessment is the leading cause of failing an electronic health record Meaningful Use audit.

Conducting an SRA is one of the 3 required core measures that must be met starting in 2017. It is part of the Advancing Care Information Performance Category and here is what it says:

Objective: Protect Patient Health Information.

Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Security Risk Analysis Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

While that may be quite a bit of technical language to digest, there are three key takeaways from the above:

  1. It’s not enough to assume your software vendor or MSP will conduct a risk analysis for you. There are specific technical, administrative, and physical safeguards that must also be in place.

  2. A risk mitigation plan must be included in the risk assessment. This plan documents all areas that may make your practice vulnerable, and your timeline for correcting them.

  3. The firm performing the security risk assessment must have qualified and verifiable experience conducting security assessments within healthcare regulatory frameworks.

The Office of the National Coordinator for Health Information Technology has made their Security Risk Assessment Tool available online and state that a practice can perform the assessment on their own. While It is possible for small practices to do risk analysis themselves using self-help tools, a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Here are five key reasons why outsourcing the assessment is the best option:

  1. Most practices don’t have the resources or the expertise to conduct a risk assessment. The rules don’t necessarily require third-party risk assessments, but most practices don’t have the resources or expertise for the methodical processes necessary for conducting a risk assessment. Even the use of self-assessment tools, such as the one provided by the ONC, are problematic because these tools are often poorly designed.

  2. An inadequate risk assessment is viewed by auditors as being just as bad as a missing risk assessment. If your assessment has many holes in its scope or process, or you have not created a corrective action plan, it may be viewed similar to not conducting an assessment at all.

  3. A risk assessment is the cornerstone of all your information security activities. It’s a methodical, comprehensive and rigorous process to fully understand potential risks and to document them efficiently. And to provide the information to mitigate those risks to a reasonable and appropriate level.

  4. Third-party risk assessments are seen as more objective and credible by regulators. Self assessments can run into conflicts of interest and often miss major security holes due to staff being to close and familiar with the current situation. The “fresh eyes” of a third-party can overcome this problem.

  5. Why risk missing out on positive payment adjustments or being fined? Hiring a third-party cybersecurity firm to conduct your security risk assessment will set you up for success and prevent running into financial penalties later down the line.

Medical practices must achieve HIPAA compliance and patient data security to begin scoring MACRA points and maximizing reimbursements. Invest in a comprehensive security risk assessment in the first reporting period to avoid failing an audit and risking penalties in the first payment period.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.