Lack of security risk assessment could trim Medicare payments
Many physician provider organizations are likely paying short shrift to an important requirement of the Medicare Access and CHIP Reauthorization Act, which could end up costing them a portion of their Medicare reimbursement.
Under MACRA reimbursement schemes, failing to perform and maintain a valid information security risk assessment could end up reducing reimbursements to physician group practices by 25 percent.
That’s because part of the Merit-based Incentive Payment System (MIPS)—one of the payment approaches under MACRA—mandates that physician group practices do an assessment to measure security risks and then document steps to prevent data losses.
Failure to conduct a risk assessment could cost practices 25 percent of their payment under the MIPS program. Practices that say they have done the assessment but are later audited and found to have been untruthful may face stiff penalties for misleading the government on attestations.
The security assessment requirement in MIPS, in effect this year, is empowering federal agencies to require strong security practices in medical groups. That’s important, particularly as healthcare organizations have reported an average of at least one breach per day so far in 2017, according to data from the Ponemon Institute.
The purpose of making the security assessment a required part of MIPS is to finally “prove beyond the shadow of a doubt that you did the best you could” to prevent security breaches, says Joseph Meyer, regional director of risk management and governance for NCC Group, a consultancy.
Until now, many physician practices have done the minimum to secure healthcare information, and many either don’t conduct or don’t update security risk assessments. Many experts say federal pressure will force lax practices to change.
Federal regulations have required healthcare providers to conduct risk assessments for nearly 12 years, and it was one of the many checklist requirements for the Electronic Health Record Meaningful Use program.
However, experts in the field say that many group practices were likely to say they had conducted risk assessments when, in reality, they had not. In some cases, many believed they were attesting to the fact that they met HIPAA requirements; in other cases, they were checking the box to merely get through the application process, thus leaving themselves open to penalties for filing incorrect information.
But failing to have proper security policies and procedures in place has been consequential for many practices, contends Liz Hansen, a consultant specializing in information security. She adds that federal data shows it’s been the single biggest cause of failing an audit of attested meaningful use performance and having to return Medicare payments. “It amazes me that so many years into the program, folks who had been participating in meaningful use never did understand what the requirement was for the risk assessment and did not do it properly,” says Hansen, who advises practices on such assessments.
Going forward, the MIPS reimbursement approach will include meaningful use program requirements into the payment methodology, incorporating them into a category entitled advancing care information (ACI), which will represent 25 percent of the MIPS payment. ACI includes a short list of mandated activities, one of which is the requirement to perform and maintain a valid information security risk assessment.
Practices that haven’t done such an assessment—which also assumes a basic security-assurance capacity—either won’t meet the base score requirement or will have to attest hoping not to get audited. If the security risk assessment isn’t attested as completed and in place, the practice loses out on the entire 25 percent of the ACI component, says Rob Tennant, health information technology policy director for the Medical Group Management Association.
That’s not all. Missing out on a good MIPS score can translate into Medicare payment penalties or a lost opportunity to qualify for bonuses. Beyond that, noncompliant practices might face a bigger consequence—fines that could range into tens of thousands of dollars for noncompliance with HIPAA security regulations in the wake of a MIPS audit.
Until now, risk assessment provisions had received little attention from providers. For the past several years, the focus of meaningful use was on all the clinical and operational uses of IT and not so much on requirements that a provider organization be HIPAA-compliant. Applicants did the bare minimum just to say they were complying, but often weren’t rising to the level of the compliance required, Meyer says.
The demands of implementing an effective security risk assessment are the most difficult for smaller urban or rural practices, which typically have tight margins, Tennant says.
He distinguishes HIPAA security from the related HIPAA privacy protection rules, which have been easier to comply with. That’s because practices now routinely assure privacy in how they work with patients, exchange information and handle patient access to records. Security practices, such as encryption and user authentication, are “complicated and outside the typical area of expertise for the practice,” Tennant adds.
The rapid increase in security and privacy breaches in recent years has raised agency awareness that providers had routinely attested to security provisions in MU, but were not truly in compliance with HIPAA security rules, and they clearly didn’t meet HIPAA standards, says Michael Ebert, cyber healthcare and life sciences leader at KPMG. “CMS has just started figuring out, after years and billions and billions of dollars in meaningful use [incentive payments], that they haven’t done anything with their cyber program.”
Time to act
Part of the government’s effort to highlight better security practices in the healthcare industry is the inclusion of the stronger, more meaningful provisions in the ACI portion of the MIPS program.
While the task is not insurmountable, physician groups that want to avoid losing the ACI portion of their MIPS payments need to act, and quickly.
Practices must formalize a risk analysis that hits the marks for government scrutiny and then schedule ongoing reassessments to ensure the assessment is consistently up to date and has been followed.
A variety of resources are available, from guides on websites of the Office for Civil Rights and Office of National Coordinator to a variety of IT threat-assessment scans, as well as education and guidance from industry associations such as MGMA.
ONC guidance could be particularly useful. Early in the meaningful use program, the agency provided a downloadable simple spreadsheet version of a risk assessment guide, which could give advance warning of where a practice was meeting or failing requirements in areas of administrative, physical and technical security, says Hansen, who used the free tool to help clients pass “hundreds of audits.” ONC now has an online version of the tool, which can be used for security demands of MIPS, she adds.
Tennant advises practices to seek help from their IT vendors but not to rely on them as a substitute for taking responsibility internally. Practices that say they have a risk analysis on file often contend that “my EHR vendor handled that for me,” he says. “But it’s rare that the EHR vendor will know your particular policies and procedures when it comes to employee passwords and physical security and all of the administrative requirements that HIPAA security demands.”
An EHR vendor may provide rock-solid encryption on the server, but HIPAA requirements go beyond using encryption for only the EHR. “That has been the leading challenge when it comes to meaningful use audits,” says Tennant. Practices believe that the risk analysis is focused on the EHR because that’s the focus of meaningful use, he notes.
However, when it comes to electronically held protected health information (PHI), a prime focus of HIPAA’s Title II, EHR vendors are a valuable source of expertise, as are vendors of practice management information systems and whichever claims clearinghouse is transmitting PHI-laced transactions, Tennant advises. Even physicians without an EHR still have to conduct a risk analysis if they do any business using HIPAA-standard electronic transactions such as claims, remittances or claims status, he adds.
Formal actions to take include employing scans of IT infrastructure for vulnerabilities such as the Non-listed Encryption Solution Assessment (NESA) or other available frameworks: NIST 830, ISO 27005, OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), says Chris Gida, NCC Group’s principal security consultant for risk management and governance.
But practices need more security awareness than just conducting technical activities. Meyer of NCC Group says a practice has to understand, for example, who is hosting the patient portal, who is responsible for it, and where the responsibilities lie in other places where PHI is present in practice-based or cloud-based data storage and transmission.
MIPS: no excuses
The transition to the MIPS program doesn’t change anything from a security risk perspective except that the penalties will be steeper for noncompliance, Gida says. “Whether you’re looking at meaningful use or ACI or wherever they create the future from a MIPS standpoint, it’s just, ‘Do a risk assessment.’”
Enforcement of security requirements has evolved, and federal agencies have been ramping up the pressure on providers. It’s only now with MIPS and its specific consequences for lack of security that providers are beginning to take heed, because they’re beginning to realize they could take a big financial hit if they don’t have a security risk assessment and lose the entire ACI portion of their payment as a result, Gida says.
To tackle the security task and other challenges of the MIPS program, “most everyone qualifies for some kind of support” from CMS as well as within professional groups, says Hansen. For example, CMS has separate contracts, for either small or large practices, to pay consulting firms such as still-viable regional extension centers to offer free assistance.
Hansen is a contractor for the Small, Underserved and Rural Support (SURS) program for practices of 15 or fewer eligible providers. Support for practices of 16 or more providers also is available through one of 14 quality improvement organizations making up the Quality Improvement Network.
With the assistance and materials available, physician practices can get their security risk assessment duties accomplished and proceed to the portions of the ACI that rack up points for payment, says Ebert.
“It’s not hard,” he asserts. “The information is out there. Your ability to do that is out there. The knowledge is out there. How can you say, ‘I didn’t know’? The time for that is well past.”