The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) was signed into law to improve patient healthcare outcomes. Under MACRA, the Centers for Medicare and Medicaid Services (CMS) created regulations to encourage healthcare providers to use secure health information technology. One of these incentives is the Merit-Based Incentive Payment System, or MIPS, program. Providers who meet MIPS requirements may receive more favorable Medicare reimbursement rates. The MIPS rules for 2023 are discussed below.

What Are the MIPS Rules for 2023? Ground Rules

The MIPS ground rules for 2023 are similar to the MIPS ground rules for 2022. Under the MIPS rules for 2023, provider performance for the calendar year of January 1, 2023 – December 31, 2023, is assessed across 4 performance categories: 

  1. Quality
  2. Cost
  3. Improvement Activities
  4. Promoting Interoperability (interoperability is the ability of computer systems or software to exchange and make use of information)

Providers receive a total score of anywhere from 0 to 100 points.

What Are the MIPS Rules for 2023: Promoting Interoperability (PI) and the SRA

One of the Promoting Interoperability (PI) requirements for 2023 is the completion of a security risk assessment – the same assessment required under the HIPAA Security Rule (maybe CMS should just call the requirement” “MIPAA,” for ease of remembering?).  

The math is not on the side of providers who do not have the SRA completed by December 31, 2023, for assessment (and potential reward) in 2024.

Providers who earn a total score (based on their performance in all four categories) of 75.1% to 100% can receive Medicare incentive payments (more favorable reimbursement rates). Providers who earn less than 75% can receive less favorable reimbursement rates. Providers who receive an exact score of 75% receive neither incentive nor “disincentive” payments. The PI category comprises 25% of the total score. 

Providers are not scored on the SRA. It has no numeric value. But, under the MIPS rules for 2023, if a provider fails to complete an SRA for the 2023 calendar year, that provider receives a total score of zero (0) for the entire Promoting Interoperability category for 2023 – regardless of how well the provider performed in the other PI measures. 

Failure to conduct the SRA automatically lowers the score from a potential 100 to 75. 75 is the anti-magic number. Providers who obtain this score do not receive disincentive payments, but they do not receive incentive payments, either.

Providers who have not completed their PI SRA for the calendar year 2023 should make sure to do so by December 31, 2023. If the SRA is not conducted for calendar year 2023, a provider automatically receives a score of zero in PI for the year 2023. 

But there is hope. Providers need not complete the SRA all by their lonesome(s). HIPAA-covered providers can hire a HIPAA business associate to perform the SRA on the providers’ behalf. Before the business associate can access any provider PHI, the provider and the business associate must enter into a HIPAA business associate agreement.

Providers have until April 1, 2023, to report the results of the SRA (and to report other MIPS Promoting Interoperability information). Completing the SRA by the end of 2023 ensures that providers have something to report.

Modernize Your Compliance

Using automated compliance software compliance is a breeze.