MIPS and MACRA 2022 providers are not given a specific score on the “Complete SRA measure component.” However, a MACRA MIPS provider must submit a “yes” to completing the security risk assessment to receive a final score above the threshold. No SRA for a MIPS and MACRA provider equals no positive payment incentive, no matter what other PI measures the MACRA MIPS 2022 provider has taken.
MIPS and MACRA 2022: What Do I Need to Do?
To receive MACRA MIPS 2022 credit, providers must attest “yes” to having:
- conducted or reviewed a security risk assessment;
- implemented security updates as necessary; and
- corrected identified security deficiencies.
The Security Rule risk assessment obligation requires entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.
If a provider does not complete an SRA for a given year, the provider will receive a “Zero” for the PI performance category. A zero from CMS is just like a zero in real life: it means you have failed the category.
Providers should keep in mind that conducting the assessment is not enough: the provider must complete the assessment, identify security updates and deficiencies, and implement or correct these updates and deficiencies. In other words, pointing out your weaknesses is not enough; fixing them is required. At the very least, providers should be able to show a plan for correcting or mitigating deficiencies, and that steps are being taken to implement that plan.
CMS does not want MACRA MIPS providers to fix weaknesses only after they have caused damage. Put another way, providers get zero points for closing the barn door after the horse has bolted. The risk assessment and remediation required are the same risk assessment and remediation that the HIPAA Security Rule requires covered entities and business associates to complete. As such, it can be used for both HIPAA and MIPS purposes. MIPS does not impose new or expanded requirements on the HIPAA Security Rule.
Providers should be mindful of how MIPS measures performance years and payment years. A MIPS performance year begins on January 1 and ends on December 31 each year. Providers eligible for MIPS must report data collected during the calendar year by March 31 of the following calendar year.
Payment adjustments, based on the data providers submit for the MIPS components, are applied to Part B claims from January 1 to December 31 of the year following data submission. For example, if a provider collects data between January 1 and December 31, 2022 (the performance year), that provider must report its MIPS data by March 31, 2023. If the provider meets the March 31, 2023 deadline, the provider will receive a MIPS payment adjustment between January 1 and December 31, 2024 (the payment year).
MIPS and MACRA 2022: Can We Expect Changes in 2023?
CMS made no changes to the MIPS performance category weights for the performance year of 2023. As before, in 2023, the points from each of the 4 MIPS categories are added together to give a MIPS final score. To receive credit for the Promoting Interoperability category, a provider must still complete the security risk assessment.