The Security Risk Analysis: Setting the Pace for MIPS and HIPAA Compliance

December 4, 2024

As a healthcare provider, tackling your daily to-do list probably feels like running a marathon without a finish line at times. You’re tasked with managing a successful business, keeping up with ever-changing legislation and new technology while ensuring that your top priority of patient care never falls behind.

Despite the challenging course, there’s a benefit to keeping pace with both quantity and quality. Providers are rewarded for going the extra mile thanks to Value-Based payment programs like MIPS and other government incentives like the HIPAA Safe Harbor Law. 


What is MIPS?

 You’ve most likely heard of the Merit-based Incentive Payment System (MIPS) and might already be a participant in it.

Whether it’s a Quality Payment Program or new legislation passed into law, the government continually emphasizes the importance of being proactive rather than reactive and providing incentives for doing so.

This is why it’s valuable to know whether your organization is eligible to participate in government programs (you can check here).

Many of these different program requirements align with the standards your practice already has to meet under HIPAA law—protecting your patients, checking off compliance requirements, and receiving incentives can often be done all in one stride.

 To take a quick step back, MIPS is one of two payment tracks under the Medicare Quality Payment Program. The Centers for Medicare and Medicaid Services (CMS) uses this system to measure eligible clinician performance and reward high-value, low-cost care.

MIPS participants can receive a payment adjustment to their Medicare reimbursements based on their performance scores across four different categories:

  • Quality: The type of care you deliver based on specific measures of performance.
  • Promoting Interoperability: Focuses on patient engagement and electronic exchange of information using Electronic Health Record (EHR) technology to improve patient access to their health information and exchange of information between providers.
  • Improvement Activities: Your participation in clinical activities that work towards improving care coordination and patient engagement and safety.
  • Cost: Assesses the cost of care you provide in relation to your Medicare claims.


The Importance of the Security Risk Analysis (SRA)

Before you can engage with the various performance measures, you must first meet a prerequisite for participating in the MIPS Promoting Interoperability performance category. This requirement is crucial not only for achieving HIPAA compliance but also for benefiting from other government incentives: the Security Risk Analysis (SRA).

Conducting an SRA involves evaluating any potential risks to your organization’s electronic Protected Health Information (ePHI) and implementing necessary security updates and safeguards to address any identified vulnerabilities.

Your organization must complete an SRA at least once a year to comply with MIPS and HIPAA standards. Additionally, it’s important to review and update the assessment regularly throughout the year to reflect any changes in your processes.


Getting Compliant for MIPS

Beginning your compliance journey can be overwhelming, but it is essential to take advantage of government initiatives such as MIPS. Intelligent software solutions can help keep your practice on track by outlining the requirements for HIPAA compliance and offering a streamlined SRA that meets MIPS standards.

To learn more about how to become compliant for MIPS, schedule a meeting with a compliance expert today.

 

RECENT POSTS

Related posts

The Price of Delay: A Costly HIPAA Lesson
Fines, HIPAA

The Price of Delay: A Costly HIPAA Lesson

December 2, 2024 No comments yet

December 2, 2024   Over a million dollars in HIPAA fines have been levied in the past few months, and like this winter’s snow, the fines continue to pile up, with a $100,000 fine recently announced.  Last week, Rio Hondo Community Mental Health Center, an outpatient program managed by the Los Angeles Department of Health, was fined for a Right of Access violation.  This marks the 51st enforcement of the Right of Access rule, highlighting the importance of handling patient records in a timely manner.    What Happened? A patient requested a copy of their records on March 18, 2020.  As we all know, March 2020 was marked by the beginning of the unprecedented COVID-19 virus, which led to the mental health center’s closure after the Governor of California put into action a “stay-at-home” order.  However, the center reopened at the beginning of May 2020, allowing some staff to return to the facility. While the patient was told her records would be ready at this time, she was misinformed and began the summer with a flurry of calls and other forms of contact to request her medical records.  After her requests were unfulfilled several times, the patient filed a complaint with the Office for Civil Rights (OCR) at the end of August 2020.  The OCR then began investigating the Rio Hondo at the beginning of October. The medical records were finally sent on October 20, 2020, 216 days after the first request.  The Right of Access rule requires Covered Entities to provide patients with their medical records within 30 days of the initial request.  While the medical center was under a “stay-at-home” order during those 30 days, this was still significantly longer than the extension period of an additional 30 days and could have been handled when it was first deemed safe for staff to return to the medical center.  This fine comes after a series of Right of Access fines, including another significant fine of $70,000 imposed at the end of October. The numerous fines issued this past year regarding the Right of Access initiative demonstrate the government’s commitment to this important aspect of patients’ rights.    Protect Your Practice from Costly Mistakes Even during the peak of the global health crisis, HIPAA regulations stayed in effect. Implementing software solutions can help safeguard your practice.  To ensure your staff remains compliant, it is highly recommended to use automated software that keeps you and your team in check, regardless of the circumstances. Schedule a consultation today to learn more about automated compliance for your practice. 

Ransomware HIPAA Fines
Fines, HIPAA

The Price of Neglect: Ransomware Fines Hit Healthcare Practices

November 7, 2024 No comments yet

November 7, 2024 Healthcare practices felt quite a scare on Halloween, with over half a million dollars in fines levied on medical practices. These practices were fined for not taking the necessary precautions against ransomware breaches. The two practices impacted on this day of significant fines include Plastic Surgery Associates of South Dakota in Sioux Falls (PSASD), a multi-location organization, and the Bryan County Ambulance Authority (BCAA), an Oklahoma emergency medical services provider. PSASD was fined $500,000, and BCAA was fined $90,000. These significant fines are just the precipice of the future of healthcare breaches, with ransomware breaches increasing 264% since 2018. What Happened? Major ransomware attacks unfortunately impacted both of these healthcare providers. For PSASD, a breach was discovered that infected nine workstations and two servers in July 2017. This breach impacted over ten thousand patients, putting their data at risk. The malicious actors utilized trial and error to hack into the organization’s system. The data was unable to be restored. The investigation revealed significant gaps in their compliance program, including a missing Security Risk Analysis, inadequate policies and procedures for data handling and breach reporting, and insufficient training. This $500,000 penalty also includes two years of monitoring by the Office For Civil Rights (OCR). For the BCAA, its ransomware attack began in November 2021, but wasn’t reported until May of the following year. After a breach, depending on the severity, you must notify the OCR within 60 days. Since this breach impacted over 14,000 patients or over 500 people, it is considered a large breach. Similar requirements, such as a Security Risk Analysis, adequate policies, a risk management plan, and other safeguards, were missing as found in this investigation. It’s $90,000 fine includes a Corrective Action Plan as well. Protecting Your Practice from Ransomware Ransomware attacks will continue to affect our healthcare system. Although complete immunity is impossible, there are many precautions you can take to protect your practice. Implementing the right technical safeguards, such as firewalls, antivirus software, and a qualified IT team is crucial. Additionally, you can streamline your HIPAA compliance by using intelligent software solutions that help identify your compliance needs unique to your practice. In the event of an attack, these solutions can also guide you on how to respond effectively. To learn more about these smart solutions, meet with a compliance expert today.

Patient Record Access HIPAA Fine
Abyde News, Fines, HIPAA

Expensive Oversight: The Importance of Timely Patient Record Access

October 24, 2024 No comments yet

October 24, 2024 There has been a flurry of HIPAA fines in the past few weeks, with over half a million dollars levied in the last month.  Just one example is Gums Dental Care, LLC, a small dental practice in Maryland that was fined for a Right of Access violation. Right of Access violations, which involve failing to provide medical records in a timely manner, are a common HIPAA mistake. Another violation for this was issued in August.   What Happened?  A patient requested her medical records from Gums Dental on April 8, 2019. After not receiving them, she issued a complaint to the OCR in May 2019. The OCR contacted Gums Dental Care for technical assistance and believed the case was over.  This was just the beginning. This case spanned years, with a second complaint filed in August 2019 and the OCR sending several data requests through letters and calls to Gums Dental.  On October 1, 2020, the OCR sent Gums Dental a proposed resolution agreement and corrective action plan. At the end of the month, Dr. Gums wanted to present her case in front of a judge, believing the patient would commit Medicaid fraud with her records. She also said that the complainant didn’t pay a $25 administrative fee to release the medical records through mail. First, patients should always have access to their medical records, regardless of their reasons. Second, the fee would be waived if the patient requested it digitally, not through mail.   In December 2020, the OCR issued a Letter of Opportunity to Gums Dental. At the beginning of the next year, Dr. Gums once again justified her refusal to provide the records since she believed her patient would commit a crime with them. She also believed her website wasn’t secure enough to send them digitally. However, Gums Dental didn’t attempt to send the records at all.  By the time the Notice of Proposed Determination was sent in March 2022, roughly three years after the first medical record request, Gums Dental faced a Civil Monetary Penalty fine as high as $7,676,692. However, the OCR ultimately levied a $70,000 fine, recognizing the smaller size of the dental practice.    How to Protect Your Practice Common HIPAA fines often involve Right of Access violations. At the federal level, practices are required to provide patients with their medical records within 30 days, and some states have an even shorter timeline. Navigating these unique regulations can be challenging, so having an intelligent solution is crucial. Smart software can streamline compliance for your practice by generating policies and procedures tailored to your needs. These solutions also include access to a team of compliance experts who can help answer your questions and ensure that you are interacting with patients in a HIPAA-compliant manner.  To learn more about software solutions, with a compliance expert here.   

Are you prepared for 2025? Join experts for a live webinar on what to expect and how to navigate HIPAA this coming year.

REGISTER TODAY
X