Data Security Now Part of Medicare Reimbursement Requirements

The Medicare Access and CHIP Reauthorization Act (MACRA) mandates the performance and maintenance of the information security risk assessment as part of Medicare reimbursement criteria.

As reported in a recent article in, the Merit Based Incentive Payment System (MIPS) under MACRA requires group practices to update the assessment to security risks and document steps taken to mitigate those risks.

The MIPS reimbursement scheme has four components.  The security risk assessment requirement falls within the Advancing Care Information (ACI) category.  The ACI category accounts for 25% of reimbursement.  Failure to conduct, maintain and document the assessment can cost a practice 25% of its Medicare payments.

The security assessment requirement is not new.  It has been a HIPAA compliance requirement for 12 years and was also required in the Centers for Medicare and Medicaid Services (CMS) Electronic Health Records Meaningful Use (MU) program.  As reported by Liz Hansen, an expert in the field, many practices attested to conducting the risk assessment when they had not done so.  The false attestation, Health Data Management reports, was the biggest cause of failing an MU audit and having to return funds.

Under MACRA, the failure to truthfully attest to the risk assessment requirement could do more than reduce Medicare reimbursement.  It could put a practice at risk of financial penalties for HIPAA non-compliance in a MIPS audit.

There are many resources to help a practice conduct and update a risk assessment.  Relying on an IT vendor alone, however, is not enough.  The assessment has to apply to the IT environment actually used by the practice and be informed by regulatory requirements.  It is not too late to address the risk assessment status of your practice.  Compliance is a process, not a destination.

Has your practice conducted its annual security risk assessment?  Has your practice kept records of its risk assessments?  Has your practice created a plan for addressing any addressable risks? To discuss this issue or create a plan for your organization, contact the Ezold Law Firm at 610-660-5585 or complete our online inquiry form.