Here are the MACRA final rule changes you need to know
Last week, HHS released a barrage of regulations and guidance under it’s various arms. One final rule focused on health IT but the big news centered on CMS’ release of the highly anticipated Medicare Access & CHIP Reauthorization Act of 2105 (MACRA) implementation final rule (link removed). The announcement differed somewhat from CMS’ previous releases. For one, the agency gave interested parties the news in the morning hours as opposed to within the happy/witching hour of 4 p.m. at the end of a working week. Another is the agency teamed up with the U.S. Digital Service team to produce an easy-to-use, informative website detailing the program.
The Medicare program covers about 55 million people, CMS’ acting Administrator Andy Slavitt noted on a call for reporters.
MACRA will eliminate the sustainable growth formula and replace it with a .5% annual rate increase through 2019, after which physicians are encouraged to shift to one of two Quality Payment Programs: 1) Merit-Based Incentive Payment System (MIPS) or 2): Alternative Payment Model (APM).
MIPS sunsets and packages up Meaningful Use, the Physician Quality Reporting System and the Value-Based Payment Modifier where physicians will receive payment adjustments based on quality Bluestacks For PC (via both evidence-based standards and practice-based improvement activities), cost and use of certified EHR technology use.
2017 will be a transitional year
While initial reports noted the hefty 2,398 page count (including one from this very publication (link removed)), the majority of those pages account for responses to comments on the proposed rule (the agency received around 3,800 comments!). CMS is, with the aforementioned website and it’s streamlined executive summary, really trying to make the regulation understandable, allow flexibility for physician implementation and push for more patient-centered care.
The rule finalized 2017 as the performance period for the 2019 MIPS payment year as a transition year as part of the development of the program. “For this transition year, for MIPS, the performance threshold will be lowered to a threshold of 3 points. Clinicians who achieve a final score of 70 or higher will be eligible for the exceptional performance adjustment, funded from a pool of $500 million,” CMS noted.
A sigh of relief for small providers
The law increased the low-volume threshold to $30,000 in Medicare Part B charges or 100 Medicare patients. About 600,000 clinicians are expected to be affected by the law. Dr. Patrick Conway, deputy administrator for innovation & quality, CMS CMO, said on a call for reporters at the release of the rule that 380,000 clinicians could be exempt from the MIPS program. He added CMS expects 25% of physicians to participate in advanced APMs in 2018 but for the first year expects about 100,000 to participate.
“We think the vast majority of small practices can succeed,” Conway said. In addition to increasing the low-volume threshold, HHS noted that $20 million each year for five years will be provided to train and educate Medicare clinicians in small practices of 15 clinicians or less and providers working in underserved areas.
CMS is also allowing MIPS reporting as a group (defined as “a set of clinicians (identified by their NPIs) sharing a common Tax Identification Number, no matter the specialty or practice site”). This could help small providers of similar size to band together to receive a payment adjustment based on the group’s performance. Groups must register by June 30, 2017.
CMS listened to administrative burden concerns and focused on flexibility
The agency got out of the office to get real-world takes on how such a sweeping rule could affect the care delivery system. In addition to the written comments, the agency went on listening tours drawing over 100,000 attendees. On the press call, Slavitt noted the changes to the rule were to help physicians focus on delivering care and seeing patients instead of performing administrative tasks. The overwhelming response to the rule was to “make the transition to MACRA as simple and as flexible as possible,” Slavitt said.
To that end, providers who feel comfortable can begin on New Year’s Day to collect performance data but providers can begin collecting such data anytime between January 1, 2017 and October 2, 2017. Here’s the catch: You have to do something in 2017. While providers are offered three different MIPS submission options, no participation will result in a 4% negative payment adjustment in 2019. Performance data is due March 31, 2018.
The agency is allowing providers a “pick-your-pace” method over three data submission options through MIPS or a fourth option to join an Advanced APM:
- “Test” the program by submitting a minimum amount of data – one quality measure, for example – to ensure physicians’ systems are working and prepared for broader participation in the next years.
- Submit 90 days of 2017 data, which would allow practices to submit their first performance period for a time later than Jan. 1, 2017 and still qualify for a small positive payment adjustment.
- Submit a full year of 2017 data which could result in a positive payment adjustment.
- Join an Advanced APM, which involves more risk. “If you receive 25% of Medicare payments or see 20% of your Medicare patients through an Advanced APM in 2017, then you earn a 5% incentive payment in 2019,” the Quality Payment Program website notes.
More Advanced APM participation opportunities are coming
The agency anticipates the following to be advanced APMs in 2017:
- Comprehensive ESRD Care – Two-sided risk;
- Comprehensive Primary Care Plus (CPC+);
- Next Generation ACO; and
- Medicare Shared Savings Program – Tracks 2 and 3.
CMS intends to broaden APM opportunities for clinicians, including small practices and specialists. For example, a major opportunity being considered for 2018 will be the new Accountable Care Organization Track 1+ model. The agency is also reviewing reopening some existing Advanced APMs for application.
Reduced health IT measures
The “Advancing Care Information” section of MIPS replaces the Meaningful Use program. To mitigate administrative burden, CMS reduced the total number of required measures from 11 in the proposed rule to five in the final rule:
- Security risk analysis;
- Provide patient access;
- Send summary of care; and
- Request/accept summary of care.
In addition to the five required measures, there will be optional measures a provider can report to potentially allow for a higher score. “For the transition year, we will award a bonus score for improvement activities that utilize [certified EHR technology] and for reporting to public health or clinical data registries,” the rule stated.
The agency is still open to ideas
Comments will be taken on the final rule for 60 days (the rule is set to be published in the Federal Register on October 19) as CMS begins to implement the law on an iterative basis. “We’re not looking to transform the Medicare program in 2017,” Slavitt said on the call for reporters. “We’re looking to make a long term program successful.”
Reports show 2017 Medicare payment adjustments
The 2015 Physician Quality Reporting System (PQRS) Feedback Reports and 2015 Annual Quality and Resource Use Reports (QRUR) were released on Sept. 26.
The Centers for Medicare & Medicaid Services (CMS) began mailing 2015 PQRS penalty letters to physicians on that date as well.
What’s in the reports
A penalty letter is your notification that you are scheduled to receive a two percent penalty in 2017 based on 2015 PQRS reporting. Letters are only issued to those who will receive negative payment adjustments, but if you do not receive a letter it is still a good idea to check your reports for any discrepancies. The PQRS feedback report allows you to look up whether you will receive a two percent 2017 PQRS penalty, and also contains detailed information on program year 2015 PQRS reporting results
The 2015 Annual QRURs provide information on your practice performed on quality and cost measures used in the Value Modifier (VM) and whether your VM payment adjustment will be positive, negative or neutral and also details the specific amount.
VM penalties can range from -1 to -4 depending on practice size and performance. Bonus payments depend on how much money is collected from penalties and to date the 2017 bonus size has not been publically announced. Drill-down tables in the reports contain detailed information on care delivered to individual patients by other providers as well as the physicians in the practice.
The payment adjustments detailed in these reports are associated with current performance-based Medicare payment incentives that will be replaced in 2019 with a new system created under the Medicare Access and CHIP Reauthorization Act (MACRA). If you believe there are errors in the report or calculation of the payment adjustment, you should file for an informal review prior to midnight Eastern Time on Nov. 30.
Accessing the reports
An Enterprise Identity Management (EIDM) account with the appropriate role is required to obtain 2015 PQRS feedback reports and 2015 Annual QRURs.
If you already have an EIDM account, visit the CMS website to sign up for the appropriate EIDM role or contact QualityNet Help Desk to determine if someone in your practice already has that role. To sign up for an EIDM account, visit the CMS Enterprise Portal and click “New User Registration” under “Login to CMS Secure Portal.” You can access both reports on the portal using the same EIDM account.
Here is how you can request an informal review:
- For 2017 PQRS negative payment adjustment informal review, view the “2015 Physician Quality Reporting System (PQRS): 2017 Negative Payment Adjustment – Informal Review Made Simple” guide on the PQRS Analysis and Payment Web page.
- For informal review on 2015 QRURs or the 2017 Value Modifier calculation, see the 2015 QRUR and 2017 Value Modifier Web page.
The CMS Helpdesk is available to help you through these processes. For assistance regarding EIDM or the content or data contained in your PQRS Feedback Reports, contact the QualityNet Help Desk at (866) 288-8912 [TTY (877) 715- 6222)] from 7 a.m. to 7 p.m. Central Time, Monday through Friday, or via email.
For additional assistance regarding the QRUR or the Value Modifier, or if you are having trouble accessing the PQRS Feedback Reports, email the Physician Value Help Desk or call (888) 734-6433 (select option 3).
Dan Munro On Healthcare Information Security
MediPro had the opportunity to interview Dan Munro, the man who literally wrote the book on the subject. Dan is highly respected authority on the subject writing for Forbes and authoring the book Casino Healthcare. So without further ado … let’s get right to the questions:
What are the biggest security challenges facing healthcare providers in 2016 and how do you think that will change in the next few years?
The biggest challenges are cultural and operational – not technical – and I don’t think this changes for the foreseeable future. Opsec and infosec (and all the related legal and technical functions) demand the committed focus of an Executive Team and Board of Directors. This isn’t just an IT issue. John Chambers (of CISCO fame) said it best.
“There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.”
I’ve also seen this rephrased recently in a way that emphasizes the operational challenge:
“It’s not a question of if your organization will be breached … it’s how long will it take to discover it.”
According to one recent study, the answer to that question is – on average – almost 5 months.
Specific to healthcare, what’s become crystal clear over the last few years is the huge magnet health data represents to criminals that are able to penetrate healthcare networks with relative impunity. The number of health records breached in just one year – 2015 – was a staggering 112 million. As a percentage of the population, that’s about 35% of the U.S. I wrote about the ease of logging into the network of a sizable hospital (through a network attached printer) in 2014, and I know these vulnerabilities still exist. Health data is also lifelong, so there’s a long tail value that easily eclipses temporary financial data like credit cards.
So the real challenge I see isn’t just automating security through technology deployment, it’s the process of infusing an entire culture of security into an industry that – at least until recently – has largely managed to avoid it. The technology is relatively easy and directly tied to the IT budget process. What’s harder and longer is the training and ongoing commitment to best security practices for every organization – of every size. This is the real overhead that many healthcare organizations both resent and avoid – and this resistance has to be overcome. In the cyberwars ahead, there is no Red Cross safety zone. In fact, healthcare is a big bullseye.
It’s often mentioned that the biggest security holes are the people who don’t understand what they’re doing, installing apps and viruses on their machines. How do healthcare providers combat that?
This is the operational challenge I referenced in the previous question. It’s people and processes that create the most vulnerability to every organization and the only way to combat this is by creating a culture of security. In this sense, healthcare suffers from no less than 3 different – and significant Human Resource issues:
- Healthcare organizations need to include security as an integral – and full-time – member of the executive team. In some cases, it’s actually been relegated to part-time status and assuming that level of organizational risk is no longer an option. The Chief Information Security Officer position needs to be full-time, dedicated, Board level and not just as a token head to axe when there’s a significant breach.
- Cybersecurity talent generally is in very high-demand and short supply – and that’s not going to get better anytime soon. Healthcare organizations need to understand that they’re about 5-10 years behind other industries in their cybersecurity profile – and that’s an added burden in attracting and keeping the kind of talent necessary to reduce the risks. This will result in serious budget challenges – and discussions – as it should. Finding, securing and retaining this talent will require an even larger organizational commitment over time. I know of cases where large (instantly recognizable healthcare brands) lost key talent because they thought of security as a single hiring investment.
- Every member of an organization – both inside and outside of IT – needs to be trained on best security practices around the most serious threat of all – social engineering. In the cyber battles ahead, the attackers have the advantage because the defenders need to protect against all threats all the time, Attackers, on the other hand, only need to exploit a single vulnerability once. More and more, that vulnerability is a sophisticated phishing campaign that delivers an unknown, often unseen payload that can infect or even disable an entire organization.
Ransomware is a growing problem that doesn’t even guarantee a solution if the ransom is paid. How can healthcare providers safeguard themselves against such attacks?
Ransomware isn’t new – technically, the first example was in 1989 with the AIDS Trojan Virus – and while it’s currently a high profile one, it’s not that unique in terms of the need to develop effective planning and counter measures. An effective DDOS attack (like the hacktivism one that took Boston Children’s hospital offline for days) is a similar operational risk – and these both represent the highest cost both clinically and financially. There are a number of approaches to mitigate the risk – but there are no guaranteed, single bullet solutions.
- Consider new technical solutions (like Silo by authentic8) as a way to minimize executable code (like inside most browsers) from crossing the network perimeter altogether.
- Accelerate moves to cloud based storage and SaaS applications. This doesn’t eliminate the overall risk, but it will minimize it. Cloud vendors have strong legal motivations, big budgets, and staff dedicated to minimizing many different types of cyber threats – including ransomware.
- Successful attacks aren’t convenient and don’t adhere to any schedule. Have an approved contingency plan in place for each of the major risks. When an attack of any kind is successful, everyone should have a clear understanding of the roles and responsibilities to minimize the impact and repair the damage. This process is iterative and also needs to include communicating with regulatory bodies, partners, and patients in an honest and authentic way.
More and more healthcare practitioners need access to information from a mobile device. How big a security risk is this and how can it be mitigated to secure both the data in transit and the data in the event the device is lost or stolen?
Endpoint security is a big category of vulnerability and risk for every network, and while it does have unique attributes, it’s really no different in terms of embracing a culture of security. The goal isn’t endpoint or mobile security as a priority. The goal is a culture of security that includes all the vulnerabilities and risks. It’s why security is so challenging. Again, defenders have to protect against all vulnerabilities all the time whereas attackers only need to exploit a single vulnerability once. That attack surface could be a mobile device, but it could just as easily be a network attached color printer that the marketing department bought and installed yesterday.
Backups are a critical component of any healthcare provider’s strategy to keep their data available. How can they keep their offsite backups secure once it out of their hands?
Cloud storage, SaaS and data backups through any 3rd party (large or small) rely almost entirely on legally binding agreements and contracts. In a culture of security, the goal here is to fully understand the bounds of liability and capacity for all 3rd party agreements. A small vendor that handles data storage offsite can be appealing for economic reasons, but have limited capacity to handle the real economic liability associated with a breach – which includes communication, remediation, fines, legal defense and (potentially) expenses around brand damage. The larger vendors are well equipped to handle these extended terms and conditions – even if their monthly service expense is considerably higher. A culture of security is able to weigh all the security risks – and liabilities – associated with all 3rd party vendor contracts.
Medical software is moving towards the Cloud. What security features should physicians look for in a Cloud based product to help protect their practice and patient data?
I can’t make individual recommendations, of course, because they’re highly variable to the size and need of the organization, but generally, all vendor partners should be carefully screened through a competitive review and budgeting process. Data security is a critical lens through which all vendor partners need to be assessed. The stakes are high – and getting higher as more health data is captured, managed, manipulated and stored through 3rd party contracts. It’s also never ending. A good example here is that Microsoft just announced another security update today. That’s not surprising except that it’s for Office 2003.
In the end, the most important commodity in all of healthcare is trust – and that’s the biggest risk behind any deficiencies in the culture of security. The size of the organization is immaterial. It can easily be a small solo practice – or a globally recognized healthcare brand – but every organization is dependent on both partners and employees to protect the most valuable healthcare asset we all rely on in all its forms – health data.
About Our Interviewee: Dan Munro is an author and Forbes Contributor on the topic of U.S. Healthcare. His book ‘Casino Healthcare‘ in now available and he has written extensively on cyber threats in healthcare. Follow him on Twitter at: @danmunro
What to Do When You Get a Bad Physician Review
Bad physician reviews happen, even to the best of doctors. Someone on the office staff may have a bad day, miscommunications are real and people are human. When patients have a bad experience, they often use sites like Vitals, RateMDs or Yelp to vent (which is one of the reasons we recommend patient satisfaction surveys. It gives patients the opportunity to be heard before broadcasting online). Unfortunately, these venting reviews can do some significant harm to a practice (see how much doctor reviews affect your bottom line).
So what do you do when you inevitably receive a negative review?
- Don’t panic, don’t fight back. One of the first instincts is to challenge the reviewer. Trust us, this is not a direction you want to go. Confrontation only makes you look bad and has the potential to escalate the situation. While the review may be unfair, there are other ways to deal with it that wind up placing you in a better light.
- Act reasonably quickly. While you don’t have to respond the minute there’s a bad review, you don’t want to let it linger either. Responding in a timely manner shows that you’re actively listening to your patients, which can go a long way. If a future patient is looking at your reviews online and sees that there was a response to a complaint within a day, it indicates that you care and that’s highly important to patients. Think of it as an online bedside manner. Now, because we know that healthcare professionals are very busy and do not usually have the time to actively monitor online review sites, we have also put together 5Star-MD as a free service in order to create one place for physicians to monitor their online presence and receive text/SMS or email updates when new reviews come up. This will help you manage your online bedside manner.
- Dispute the review if it is not legitimate. This step will vary from review site to review site. Some sites have relatively simple processes for disputing reviews while others are very complicated. In most cases, there are ways to have a review removed if it is not valid (e.g., meant for another practice, has incorrect information, is written as slanderous instead of a valid review, not a valid patient, etc.). Realize that the number of reviews you can remove will be limited in most cases, so this cannot be the core of your strategy. However, it can be highly effective in removing some damaging content. Also note that while text reviews can be disputed, in many cases the “star” rating associated with the review will not be removed. Note: Matt Rasmusson just wrote an excellent site by site guide to getting reviews removed that is worth checking out if you want to dispute a review.
- If the review is legitimate, write an honest response. If there is a negative review that you can not or have decided not to remove, respond to it. Stay away from any negative and/or attacking phrases and focus on the patient’s concerns. Apologize for a negative experience, explain how you strive to create a positive experience for patients and then focus on what you’re doing to either investigate the problem and/or ensure it doesn’t happen again (if applicable). What you’re doing here is letting the patient know that he/she has been heard and that you are concerned about the negative experience. This is your opportunity to explain where the breakdown happened (e.g., We have a new patient scheduling system that had a bug on the first day, which has been addressed. We are terribly sorry for the inconvenience). However, make sure you do not come across defensive or inadvertently disclose any information that would be in violation of HIPAA. Keep it short, sweet and sincere.
- Work to bring in more positive reviews. One of the best defenses against a negative review is a stream of positive reviews. A negative review stands out by itself, but a negative review in-between 10 positive reviews falls in the shadows. Unfortunately, it’s usually a disproportionate number of people with bad experiences that leave a review. This means that you have to use a little elbow grease and work to have positive reviews come in – verbally encourage your patients, send a follow-up email after an appointment, have a flyer/handout in your office. Whatever you do, don’t collect and upload reviews yourself – this is a policy violation on almost every review site.
- Learn from what patients are saying. The worst thing you can do is simply ignore what patients are saying. Negative online reviews do provide beneficial information about what patients are truly thinking. Use this as a learning session. Do people perceive the doctor as cold and uncaring? It may be totally unintentional, but now you know to make a concerted effort to make patients feel more at ease. Is there an issue with the office staff’s efficiency? You may never have known otherwise, but now you can take a look at process improvements for your practice. Don’t simply respond to patients and forget what was said – see what you can truly learn about their collective experiences.
Negative reviews are a reality for all medical practices at some point. That’s why it’s so important to monitor what people are saying about you and preparing to deal with negative posts when they come. Of course, if you need additional help managing your reputation, give us a call. We’d be happy to help you put your best foot forward and grow your practice.
Instituting Cycle Billing
Are you sending all of your bills once a month and getting a rush of questions and calls? Have you considered Cycle Billing?
Cycle billing is – a method of billing customers at monthly intervals in which statements are prepared on each working day of the month and mailed to a designated fraction of the total number of customers.
Get Paid Faster
By breaking up your bills and sending them out in cycles each week or even every other week, you can get paid faster and you can reduce the rush of calls to the office after big batches are sent. By getting your bills out fast you get paid fast. This is especially true for self-pay accounts. The quicker you get the bill out the greater chances you have to collect that balance.
Cycle billing also allows you to give more attention to specific bills. You can break down the large batches to manageable sizes and give each patient account the attention it may need. This will help to reduce the number of unnecessary statements and allow you time to add notes gm diet plan non vegor color to the needed statements.
With BillFlash you can send statement batches as often as you would like. With the Review function, you can add notes, delete statements from the batch, change the statement color and even choose delivery method of mail, eBill or both.
Make It Easier
By incorporating the BillFlash Pay Services you can also reduce this stress on your office by allowing patients to manage statements and pay online.
Whether you use cycle billing or not. The full BillFlash suite offers you the tools you need to collect payments and reduce the stress of a monthly activity burst.
- Professionally printed statements
- HIPAA compliant email notifications
- Online payment portal
- Payments Anywhere, Anytime
- Online 24/7
- Over the phone
- Mailed payments
- Stored payment methods
- Payment plans
Contact MediPro, Inc. at 1.800.759.1321 opt 2 to set up your BillFlash suite of services.
Bill Flash tips provided by:
Senior Vice President Sales & Marketing | NexTrust
*BillFlash is a product of NexTrust