Regulatory burdens on small practices and solo providers have never been greater, including MIPS/MACRA, HIPAA, patient-centric engagement, as well as the need to comply with fee-for-service and value-based care contract requirements. In this blog, we will focus on the reduced regulatory burden for MIPS and how a systematic approach will help you to reduce HIPAA compliance.
What is a Small Practice?
CMS considers a small practice to include solo practitioners and practices with 15 or fewer providers who bill under the same Tax Identification Number (TIN). The CMS Participation Status Tool indicates whether clinicians have small practice special status.
CMS has simplified reporting for small practices this year so it is easier to earn 15 MIPS points and avoid a negative 5% payment adjustment in 2020. There are a variety of strategies a small practice can utilize to obtain 15 points without spending a lot of time and resources on reporting.
More Clinicians Are Exempt:
CMS increased the low volume threshold to exclude more clinicians from MIPS reporting requirements. Eligible clinicians or groups are exempt if they have less than or equal to $90,000 in Medicare Part B allowed charges for covered professional services OR see 200 or fewer Medicare Part B patients. Providers can check the CMS Participation Status Tool to find out if they are required to report this year.
Small Practice Bonus:
Small practices will have 5 bonus points added to their final MIPS score if they submit data in at least one MIPS performance category.
3 Point Minimum Score for Quality Measures:
Small practices will continue to receive at least 3 points for Quality measures, even if they do not meet the data completeness requirements. Therefore, you can report 6 quality measures on at least 1 eligible patient to earn 15 points for the Quality category.
Hardship Exception for Promoting Interoperability (formerly ACI):
Clinicians and groups can apply for a hardship exception, based on being a small practice, to have the Promoting Interoperability category reweighted to 0. The 25% weight would be reallocated to the Quality category. Small practices would need to submit a hardship exception application to CMS by December 31, 2018.
Double Points for Improvement Activities:
Small practices must only complete 1 high-weighted Improvement Activity or 2 medium-weighted Improvement Activities for a minimum of 90 days to receive the full 15 points for this category.
Virtual Group Reporting:
CMS is giving solo practitioners or groups of 10 or fewer the option to join a “virtual group” to report MIPS with other practices. Providers do not need to be in the same specialty or location to form a virtual group. Since providers must elect the MIPS virtual group option prior to the start of the performance period, they can no longer form groups for 2018 MIPS reporting. However, those interested in participating in a virtual group for the 2019 performance period would need to make the election by December 31, 2018.
One of the complexities of HIPAA compliance is that it’s not always clear what’s mandatory and what isn’t. You’ll notice that certain implementation standards are designated as required, while others are called “addressable.” Avoiding violations is best done through a systematic approach.
Use a HIPAA-Compliant Electronic Health Record (EHR or EMR):
HIPAA makes insurers and providers responsible for protecting patient information. Many providers like the idea of using web-based or cloud-based EMR. Web and cloud-based EMR remove some of the burdens from the provider. However, more layers mean more room for mistakes. Therefore, it’s vital to make sure your EHR or EMR software is HIPAA compliant, and that it’s clear who will be responsible in the event of a breach.
HIPAA Covered Entities Must Have a National Provider Identifier (NPI):
The NPI, used for transmitting medical data, helps to prevent mistakes like mixing up information about two people or practices with the same name. Every individual provider (type 1 NPI) and organization (type 2 NPI) must have their own unique National Provider Identifier. Covered organizations include HMOs, health insurance companies, employer-sponsored health plans, and government programs that pay for health care.
Protect Your Patients’ PHI (Private Health Information):
The Privacy Rule states how entities may use patients’ personally identifiable health information. Also, it states that patients have the right to know about and control these uses. The rule also specifies that entities must request and disclose only the minimum necessary amount of PHI to accomplish any given purpose (the “minimum disclosure principle”).
Lockdown Your Electronic Medical Information:
The HIPAA Security Rule sets national standards for protecting patients’ private medical information. Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to data that your organization transfers, receives, or maintains electronically. The HHS has a risk assessment tool that can help you to find and fix any flaws in your patient information security system. In addition, the HHS website has a series of papers to help your organization better understand the security rule and comply with it.
Know how to handle PHI Breaches by the Book:
A PHI breach is a release of private patient information that violates the Privacy Rule. The HIPAA Breach Notification Rule requires healthcare organizations to notify individuals of a breach within 60 days. If the breach affects more than 500 individuals, the organization must also notify prominent media outlets in their state. In certain cases, the organization must also notify the HHS Secretary. The Breach Notification Rule is complex, so know it before you have to deal with it.
Laws protecting patients’ private health information are complicated. But they’re there for a reason. Your organization strives to provide the best service possible. And that includes safeguarding patients’ data privacy as well. Study the rules. Make sure all of your employees, subcontractors, and business associates know them as well. Have patient notification procedures. And set up procedural, technical, and physical safeguards that will make privacy and security routine. And document everything.