MIPS and MACRA 2022

In 2015, legislation known as the Medicare Access and CHIP Reauthorization Act (MACRA) was enacted. Until the passage of the CURES Act in 2016, MACRA was the most significant legislative overhaul of the U.S. healthcare system since 2010’s Affordable Care Act. Under MACRA, the Centers for Medicare and Medicaid Services created regulations for healthcare providers’ use of health information technology. One of the resulting incentive programs is the Merit-Based Incentive Payment System, or MIPS.

MIPS is composed of four performance categories, on which providers are graded. These categories include quality, cost, improvement activities, and promoting interoperability. Under MIPS, participating providers will receive an overall score of 1–100 points based on performance in the four MIPS performance categories. The MIPS score will be compared to the performance threshold determined yearly by the Centers for Medicare and Medicaid Services (CMS). 

Cost is 30% of the total score, as is quality. Improvement activities make up 15% of the score. Promoting interoperability makes up 25% of the total score. The promoting interoperability category requires completion of an annual security risk assessment. The security risk assessment conducted under HIPAA can be used to fulfill the requirement. MACRA MIPS 2022 is discussed in greater detail below.

MIPS and MACRA 2022: Why Should I Care?

Providers who serve Medicare Part B populations receive financial incentives for participation in MACRA MIPS. For the MACRA MIPS 2022 performance year, CMS set the performance threshold (a benchmark) at 75 points. 

So, if a provider receives a final score below the threshold for 2022, that provider will receive a negative payment adjustment of their Medicare Part B payments in 2024 (bad). If the final score is equal to the threshold, physicians will receive no adjustment of their Medicare Part B payments (neither good nor bad). If the final score is above the threshold, physicians will receive a positive adjustment of their Medicare Part B payments (good). Payment adjustments for MACRA MIPS performance year 2022 can range from -9% to +9%.

To receive credit (and therefore money) for the Promoting Interoperability (PI) category of MIPS and MACRA 2022, a provider must take certain actions. 

These include (among others):

  • Use an EHR that meets the 2015 edition-certified electronic health record technology (CEHRT) criteria, 2015 Edition Cures Update certification criteria, or a combination of both
  • Submit a “yes” to completing the Prevention of Information Blocking Attestations
  • Submit a “yes” to completing the Security Risk Assessment (SRA) measure (after, of course, a provider has performed and completed that assessment) 

MIPS and MACRA 2022 providers are not given a specific score on the “Complete SRA measure component.” However, a MACRA MIPS provider must submit a “yes” to completing the security risk assessment to receive a final score above the threshold. No SRA for a MIPS and MACRA provider equals no positive payment incentive, no matter what other PI measures the MACRA MIPS 2022 provider has taken.

MIPS and MACRA 2022: What Do I Need to Do?

To receive MACRA MIPS 2022 credit, providers must attest “yes” to having: 

  • conducted or reviewed a security risk assessment;
  • implemented security updates as necessary; and 
  • corrected identified security deficiencies. 

The Security Rule risk assessment obligation requires entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. 

If a provider does not complete an SRA for a given year, the provider will receive a “Zero” for the PI performance category. A zero from CMS is just like a zero in real life: it means you have failed the category. 

Providers should keep in mind that conducting the assessment is not enough: the provider must complete the assessment, identify security updates and deficiencies, and implement or correct these updates and deficiencies. In other words, pointing out your weaknesses is not enough; fixing them is required. At the very least, providers should be able to show a plan for correcting or mitigating deficiencies, and that steps are being taken to implement that plan.

CMS does not want MACRA MIPS providers to fix weaknesses only after they have caused damage. Put another way, providers get zero points for closing the barn door after the horse has bolted. The risk assessment and remediation required are the same risk assessment and remediation that the HIPAA Security Rule requires covered entities and business associates to complete. As such, it can be used for both HIPAA and MIPS purposes. MIPS does not impose new or expanded requirements on the HIPAA Security Rule.

Providers should be mindful of how MIPS measures performance years and payment years. A MIPS performance year begins on January 1 and ends on December 31 each year. Providers eligible for MIPS must report data collected during the calendar year by March 31 of the following calendar year. 

Payment adjustments, based on the data providers submit for the MIPS components, are applied to Part B claims from January 1 to December 31 of the year following data submission. For example, if a provider collects data between January 1 and December 31, 2022 (the performance year), that provider must report its MIPS data by March 31, 2023. If the provider meets the March 31, 2023 deadline, the provider will receive a MIPS payment adjustment between January 1 and December 31, 2024 (the payment year).

MIPS and MACRA 2022: Can We Expect Changes in 2023?

CMS made no changes to the MIPS performance category weights for the performance year of 2023. As before, in 2023, the points from each of the 4 MIPS categories are added together to give a MIPS final score. To receive credit for the Promoting Interoperability category, a provider must still complete the security risk assessment.