Before MACRA/MIPS, HIPAA enforced Meaningful Use requirements for healthcare practices and organizations that wanted to receive Medicare reimbursements. A number of things were required – one was an annual HIPAA Risk Analysis.
Today, Meaningful Use has been replaced by MACRA/MIPS. Some mistakenly believe that a HIPAA Security Risk Analysis is no longer required. This isn’t so. It is necessary and if conducted properly, and effective security protection is implemented, you can raise your MIPS score and avoid negative Medicare payment adjustments.
Why Is A HIPAA Security Risk Analysis Mandatory Each Year?
MACRA/MIPS rules change every year. However, these rules are basic requirements that must always be met.
You must undergo a HIPAA Security Risk Analysis to maximize your MIPS score and avoid negative Medicare payment adjustments.
Most clinicians are subject to MIPS.
How Do You Raise Your MIPS Score?
This is what you need to know.
Your 2018 MIPS score is divided into four categories:
- Quality (50 Points) MIPS begins to pay for this in 2019.
- Cost (10 Points)
- Improvement Activities (15 points)
- Promoting Interoperability (25 points) This is where the HIPAA Security Analysis is required.
Based on a MIPS Composite Performance Score, clinicians will receive +/- or neutral adjustments up to the percentages below.
(Courtesy of CMS.gov)
Promoting Interoperability replaces Advancing Care Information from last year, and it is the category that requires the HIPAA Security Risk Analysis.
Promoting Interoperability includes a:
- Base score,
- Performance score, and
- Bonus score.
The base score is 50% of your overall Promoting Interoperability score. Several base score measurements are required. One requires a HIPAA Security Risk Analysis.
To receive a 50% base score, you must meet the requirements of ALL the base score measures. If you don’t meet these requirements, YOU”LL RECEIVE A 0 SCORE for overall Promoting Interoperability.
In other words: Not performing a Security Risk Analysis results in a zero-base score, a zero-performance score and a meager overall Promoting Interoperability score. Because this represents 25% of your total MIPS score, your reimbursement rate will be lower.
Best practices dictate that you contact an IT Service Company that’s experienced in performing a Security Risk Analysis.
And remember: A Security Risk Analysis is always required for HIPAA compliance. This is regardless of whether you receive reimbursements from Medicare:
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.
What’s Involved In A HIPAA Security Risk Analysis?
There Are 9 Elements:
1. Scope of the Analysis
The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.
2. Data Collection
An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by reviewing past and existing projects; performing interviews; reviewing documentation, or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented.
3. Identify and Document Potential Threats and Vulnerabilities
Organizations must identify and document reasonably anticipated threats to e-PHI. Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also recognize and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.
4. Assess Current Security Measures
Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used correctly.
The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e., fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e- PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations.
5. Determine the Likelihood of Threat Occurrence
The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”
The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization.
6. Determine the Potential Impact of Threat Occurrence
The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two approaches to measuring the impact on the organization.
The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization.
7. Determine the Level of Risk
Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.
The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level.
8. Finalize Documentation
The Security Rule requires the risk analysis to be documented but does not require a specific format. The risk analysis documentation is a direct input to the risk management process.
9. Periodic Review and Updates to the Risk Assessment
The risk analysis process should be ongoing. For an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct a continuous risk analysis to identify when updates are needed. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment.
Remember… Your business associates must also be HIPAA Compliant. Global Data Systems Is not only HIPAA Compliant but is experienced in conducting HIPAA Security Risk Analyses.
Performing a risk analysis is something a knowledgeable IT professional should do. The team at GDS understands HIPAA, MIPS and other requirements and can help your practice maintain compliance and remain eligible for the highest Medicare Reimbursement Rates.
For more information or a complimentary consult, contact us at in Pembroke, Massachusetts at (888) 849-6818 or at www.GDSCONNECT.COM