MACRA 2017 deadlines are coming. Do you have a Security Risk Assessment scheduled before December 31st?

Right now the healthcare industry is in the final race to complete the requirements for MACRA, the new reimbursement scheme for Medicare. Thousands of dollars are at risk – failing to satisfy the MACRA requirements in 2017 will result in payment reductions for all of 2019!

Submerged within the 2,398 pages of MACRA lies a key requirement for eligibility - completing a security risk assessment (SRA). The SRA is a “core requirement.”  Without an SRA, a healthcare practice can undo all their other efforts to achieve the high score needed to get full Medicare reimbursements and bonuses. In fact, without an SRA, a practice is likely to face payment penalties in 2019.

Be aware of two misunderstandings that give healthcare practices a false sense of security in meeting the annual requirement for a Security Risk Assessment:

  • “My EHR is HIPAA-compliant, so I don’t need to do an SRA.”

Simply installing a certified electronic health record (EHR) does not fulfill the Meaningful Use or MACRA requirement for a security risk analysis.  Even with a certified EHR, you must perform a full security risk analysis to ensure that you are properly safeguarding all the protected health information (PHI) you maintain, whether in paper or electronic form.

  • “My IT service takes care of all that security stuff.”

Don’t assume your IT service provider is taking care of security.  IT companies typically believe they are only responsible for installing a firewall and anti-virus application and keeping your computers running. They assume the Practice Manager is handling all other aspects of system security, including policies and procedures, staff training, password maintenance, mobile device management, and facility security.

The Security Risk Assessment isn’t just busy-work. Completing an SRA and fixing any identified gaps will increase your cybersecurity and complete a critical HIPAA requirement, saving you thousands in penalties and fines as well as protection from a breach.

Doing an SRA should be an important year-end "To do."  It will give you peace of mind, letting you go into the New Year feeling more protected and positioned to increase your revenue. Don’t miss out!

If you have any questions about performing a Security Risk Assessment,

please contact us at: compliance@thirdrock.com.

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

Julie Rennecker, PhD, BSN
About the Author

Julie Rennecker, BSN, PhD is an organizational development consultant specializing in the people and process challenges related to healthcare technology change. With 10 years bedside clinical experience (ICU, ER, behavioral health), a PhD in Organizational Behavior from MIT’s Sloan School of Management, five years on the Information Systems faculty at Case Western Reserve University, and more than 15 years’ research and consulting experience, she brings a unique synthesis of clinical, academic, and industry experience to bear on client problems and opportunities. She holds a Certificate in Health IT and Health Information Exchange from the University of Texas and is a credentialed EpicCare Ambulatory trainer.

Leave a Reply

%d bloggers like this: