MACRA/MIPS Requirements and the SRA



The MACRA/MIPS program is essential for practices that provide Medicare services, especially when the federal reimbursement they receive is necessary to maintain services. MACRA/MIPS has affected payment adjustments for Medicare reimbursement to a larger degree each year. As the program advances, meeting the requirements for each category becomes increasingly important. One of these requirements is conducting an annual Security Risk Analysis. Without it, practices will fail to qualify for the Promoting Interoperability category, which makes up 25% of the overall score for MACRA/MIPS.

What is the Security Risk Analysis (SRA)?

The purpose of a Security Risk Analysis is to identify risk across your organization. It is a federally required documentation process that confirms organizations are taking the proper steps to protect PHI. The SRA assesses the physical, administrative, and technical safeguards you currently have in place to protect your PHI. It's an important opportunity to uncover any vulnerabilities in the information security plan and make necessary remediations. It also allows you to document the compliance work you're already doing.

The SRA is an important piece of documentation for a few reasons. Most importantly, patients in the U.S. have a right to privacy, and that right applies to all patient health information. The SRA gives organizations the chance to provide proof that they are taking the proper steps to ensure patient privacy. This leads into the second reason, which is the increasing frequency of ransomware attacks in the healthcare space. Technological infrastructure in the healthcare space currently lags behind the capabilities of hackers, which makes healthcare organizations an easy target for these ransomware attacks. It is more important than ever that organizations identify their vulnerable areas and take steps to protect them, which is a major element of the SRA.

How Does it Relate to MACRA/MIPS?

Not only is the SRA already federally required, but it is also an important chunk of the MIPS score, specifically the Promoting Interoperability (PI) measure. To meet the PI measure, eligible organizations must attest yes to conducting or reviewing an SRA, to the prevention of information blocking attestation, and to the ONC direct review attestation. If they have not completed the SRA, the PI score will drop to 0. This section makes up 25% of the entire MIPS score, so a score of zero reduces the potential to receive a positive adjustment to an enormous degree and places the score in dangerous territory for a negative adjustment. The penalty threshold is set at 60 points, and a score of at least 85 points is required to have the best chance of receiving a full positive adjustment. This is why completing the SRA is so important for the MACRA/MIPS program. Without the documented completion of the entire SRA, organizations are unlikely to receive any benefits from the federal government.

This is one of the many reasons Medcurity was founded: to provide healthcare organizations of all sizes with an easier way to complete the SRA. Contact our team to see how we can provide value today.