We’ve talked before about HIPAA showing up in lots of other places. That trend continues. Now you will see HIPAA questions on cyber security insurance applications, in certification programs from other entities, and now in payment model reforms. Today we are going to talk a little bit about MACRA and HIPAA requirements. If you don’t know what MACRA, APMs, and MIPS are all about, we may not cover enough to explain it all, but we will certainly touch on how MACRA and HIPAA cross paths starting in 2017.


Description from CMS

MACRA creates new ways for the federal Medicare program to pay physicians for the care they provide to Medicare beneficiaries. MACRA also creates incentives for physicians to participate in Alternative Payment Models (APMs), and it specifically encourages the development of physician-focused payment models (PFPMs).

The Quality Payment Program makes Medicare better by helping you focus on care quality and the one thing that matters most – making patients healthier. The Quality Payment Program ends the Sustainable Growth Rate formula and gives you new tools, models, and resources to help you give your patients the best possible care. You can choose how you want to take part based on your practice size, specialty, location, or patient population.

HIPAA For MSPs by David Sims: How MACRA & HIPAA Cross Paths

The Quality Payment Program has 2 tracks you can choose from:

  1. The Merit-based Incentive Payment System (MIPS)
  2. Advanced Alternative Payment Models (APMs)

APMs Overview

This option uses ACO and AHC models, where other organizations are involved in setting the plans and the payment controls.


One of the three requirements is that the program must provide payment for covered professional services based on quality measures comparable to those used in the quality performance category of the Merit-based Incentive Payment System (MIPS).

Certain APMs include MIPS eligible clinicians as participants, which means there will be crossover of MACRA and HIPAA within both MIPS and the APMs.  🙂

MIPS Overview

MIPS participation requires specific objectives to be met. One of them is an SRA; who would have thought it!?  This is where MACRA and HIPAA cross paths.

It is a core measure that you must complete for your base score. There are no additional performance points based on how well you are doing it, though; the only thing that counts is that you are doing it.

Where MACRA and HIPAA meet

There are 5 required core measures to meet. 2 of them are being postponed for 2017. SRA is one of the 3 that must be met starting in 2017. It is part of the Advancing Care Information Performance Category Scoring Methodology (Advancing Care Information Objectives and Measures), and here is what it says:

Objective: Protect Patient Health Information.

Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical, administrative, and physical safeguards.

Security Risk Analysis Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by CEHRT in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.


We proposed that a MIPS eligible clinician must meet this objective and measure to earn any score within the advancing care information performance category. Failure to do so would result in a base score of zero under either the primary proposal or alternate outlined proposal, as well as a performance score of zero (discussed in section II.E.5.g. of the proposed rule (81 FR 28215)) and an advancing care information performance category score of zero.

Comment: Many commenters supported the proposal requiring the Protect Patient Health Information objective and measure in order to receive the full base score and any performance score in the advancing care information performance category.

Response: We agree, as we continue to believe that there are many benefits of safeguarding ePHI. Unintended and/or unlawful disclosures of ePHI put EHRs, interoperability and health information exchange at risk. It is paramount that ePHI is properly protected and secured, and we believe that requiring this objective and measure remains fundamental to this goal.

Comment: A few commenters expressed uncertainty about the effectiveness of the Protect Patient Health Information objective and measure in ensuring the security and privacy of patient health information, as well as maintaining doctor-patient confidentiality.

Response: We understand that in some cases this measure may not be enough to protect data as data breaches become more sophisticated. However, we continue to believe that widespread performance of security risk analyses on a regular basis remains an important component of protecting ePHI. The measure is a foundation of protection, and we expect that individuals and entities subject to HIPAA will also be meeting the requirements of HIPAA.

Comment: Some commenters believed that reporting the Protect Patient Health Information objective and measure is redundant and burdensome, as the security risk analysis and other privacy and security areas are already included under HIPAA requirements.

Response: Yes, we agree that a security risk analysis is included in the HIPAA rules. However, it is our experience that some EPs are not fulfilling this requirement under the EHR Incentive Programs. To reinforce its importance, we are including it as a requirement for MIPS eligible clinicians.

Comment: Some commenters expressed concern that meeting the Protect Patient Health Information objective and measure requirements presents a burden to small group practices, practices in rural settings, new adopters of CEHRT and some MIPS eligible clinicians who experience varying hardships.

Response: We disagree. The HIPAA Privacy and Security Rules, which are more comprehensive than the Advancing Care Information measure and with which certain entities must also comply, have been effective for over 10 years. In addition, the Department of Health and Human Services has produced a security risk assessment tool designed for use by small and medium sized providers and clinicians, available at ONC SRA tool and also HHS Security Rule Resources. This tool should help providers and clinicians with compliance, and additional resources are also available at HHS Security Rule Guidance. We understand that there are many sources of education available in the commercial market regarding HIPAA compliance.


Comment: Many commenters stated that EHR use could jeopardize patient confidentiality because personal information can be stolen. Some stated that EHRs are a violation of privacy. Others do not want their medical information accessible to the government or third party vendors. Several stated that the proposed rule is contrary to the HIPAA regulations.

Response: We agree that it is important to address the unique risks and challenges that EHRs may present. We maintain that a focus on the protection of ePHI is necessary for all clinicians. We also note that a security risk analysis is required under the HIPAA regulations (45 CFR 164.308(a)(1)).

Comment: A few commenters offered suggestions to modify the Protect Patient Health objective and measure, such as aligning the architecture of CEHRT with the Hippocratic Oath, or starting to work with the Office for Civil Rights (OCR) or the Office of the Inspector General (OIG) to develop additional guidance to physicians regarding privacy practices.

Response: We appreciate this feedback. We will continue to work with the OCR and ONC to develop and refine guidance.

They finalize their discussion about MACRA and HIPAA security risk analysis requirements by confirming that those eligible for MIPS programs are required to attest to their HIPAA SRA.  Many did this already for meaningful use payments.  But, just as with meaningful use, when it comes to MACRA and HIPAA there will be some who will attest without completing the requirement.  In fact, they specifically said so in one of the responses mentioned above.

We are finalizing the requirement that a MIPS eligible clinician must meet the Protect Patient Health Information objective and measure in order to earn any score within the advancing care information performance category.

MACRA and HIPAA – What is an SRA?

We have talked many times about what an SRA is and what it is not. One whole episode discussed it. The important thing to know is that whatever you do, the SRA should include a few specific things:

  1. Where is all your PHI?
  2. Where are all your endpoints and access points?
  3. What can go wrong, i.e., vulnerabilities and threats?
  4. What are you doing now to mitigate the risks of those bad things happening?
  5. What is your plan to do better at it?
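As an added example (not from the original post, and not the ONC SRA tool or any CMS/HHS code), the following Python turns those five items into a small risk register: PHI stores and endpoints are inventoried, each "what can go wrong" gets a likelihood and impact, current controls reduce the remaining likelihood, and the improvement plan is whatever still sits above the practice's risk tolerance. The likelihood × impact scale, the control effectiveness values and every asset and threat below are constructed sample data, not a real practice's inventory; the encryption check reflects the measure's reference to 45 CFR 164.312(a)(2)(iv).

```python
"""Minimal HIPAA security risk analysis (SRA) register.

Added example, not code from the original post or from CMS/HHS. The five
SRA items from the post map onto the data: Asset covers items 1-2 (PHI
locations, endpoints/access points), Risk.threat covers item 3, Risk.controls
covers item 4, and remediation_plan() produces item 5. All sample assets,
threats, scores and control effectiveness figures are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str              # "phi_store" or "endpoint" (an access point counts as an endpoint)
    holds_phi: bool        # does ePHI live here, even temporarily (cached exports, etc.)?
    encrypted_at_rest: bool


@dataclass
class Risk:
    asset: Asset
    threat: str            # item 3: the thing that can go wrong
    likelihood: int        # 1 (very unlikely) .. 5 (expected), before any controls
    impact: int            # 1 (negligible) .. 5 (large ePHI exposure)
    # item 4: (control name, fraction of the likelihood it removes, 0.0 .. 1.0)
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Risk with no controls in place."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Risk that remains: each control independently removes its share
        of the likelihood, so the remaining fraction is the product of
        (1 - effectiveness) over all controls."""
        remaining = 1.0
        for _name, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return self.inherent() * remaining


def unencrypted_phi_stores(assets: list) -> list:
    """Deficiency check tied to the encryption language of the measure:
    any asset that holds ePHI and is not encrypted at rest."""
    return [a.name for a in assets if a.holds_phi and not a.encrypted_at_rest]


def remediation_plan(risks: list, tolerance: float = 6.0) -> list:
    """Item 5: every risk still above tolerance, worst first. The tolerance
    is a constructed threshold; a real practice sets its own."""
    above = [r for r in risks if r.residual() > tolerance]
    return sorted(above, key=lambda r: r.residual(), reverse=True)


# ---- constructed sample inventory (items 1 and 2) ----
EHR_DB = Asset("ehr_db", "phi_store", holds_phi=True, encrypted_at_rest=True)
FRONT_DESK_LAPTOP = Asset("front_desk_laptop", "endpoint", holds_phi=True,
                          encrypted_at_rest=False)   # cached report exports
GUEST_WIFI = Asset("guest_wifi", "endpoint", holds_phi=False, encrypted_at_rest=False)
ASSETS = [EHR_DB, FRONT_DESK_LAPTOP, GUEST_WIFI]

# ---- constructed threats (item 3) with current controls (item 4) ----
RISKS = [
    Risk(EHR_DB, "ransomware encrypts the EHR database", 4, 5,
         [("tested offline backups", 0.6), ("endpoint detection on servers", 0.5)]),
    Risk(FRONT_DESK_LAPTOP, "laptop lost or stolen with cached ePHI", 3, 5, []),
    Risk(GUEST_WIFI, "guest network bridged to clinical VLAN", 2, 4,
         [("VLAN segmentation", 0.7)]),
    Risk(EHR_DB, "shared login still used by departed staff", 3, 4,
         [("quarterly access review", 0.4)]),
]


if __name__ == "__main__":
    print("Unencrypted ePHI locations:", unencrypted_phi_stores(ASSETS))
    for r in remediation_plan(RISKS):
        print(f"{r.residual():5.1f}  {r.asset.name:18s} {r.threat}")
```

With the sample data, the laptop with no controls (residual 15) and the stale shared login (12 × 0.6 = 7.2) land on the plan, while the ransomware scenario drops from 20 to 4 because two independent controls are in place. The register is deliberately small; the point is that items 1 through 5 are one connected record, so the "plan to do better" is derived from the inventory and the control gaps rather than written separately.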

So there you have it: MACRA and HIPAA are connected, just like in many other cases.  Time to get up to date on your SRA for one reason or another.  There are just too many cases of the requirement showing up in other places.  Clearly this is an issue that will be pushed until it is resolved by CEs.