Theft and unauthorized transfer of medical records is a lucrative criminal enterprise, and reported data breaches have resulted in severe financial loss. A Security Risk Analysis (SRA) is one of the most effective methods to avoid these incidents. In addition, an SRA is an important first step in complying with security rules established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
All healthcare provider organizations that create, receive, maintain, or transmit electronic health information are subject to the HIPAA Security Rule. This rule requires entities to conduct an annual risk assessment of their organizations to ensure the privacy and security of their patients’ protected health information.
An upcoming webinar, “HIPAA is the Real Deal,” is set for Wednesday, June 26, from noon to 1 p.m. The complimentary webinar, co-sponsored by AFMC and Primaris, will be presented by Mollie McCammon, RHIA, CHP. Click here to learn more and to register.
The need for an SRA has taken on an extra measure of significance, because it is required for all eligible clinicians (ECs) who use Electronic Health Record (EHR) technology, the same standard required by the Centers for Medicare and Medicaid Services (CMS) to meet what some still refer to as “Meaningful Use” requirements. “Meaningful Use” was a key component of the Advancing Care Information category of the Merit-based Incentive Payment System (MIPS), but the ACI category – where the SRA requirement still lives – is now called Promoting Interoperability.
Keep the MIPS acronym in mind, because we’ll get back to that shortly to explain more about Primaris’s chart abstraction and quality reporting expertise via CMS Web Interface (CWI), one of six quality reporting methods under MIPS.
Meanwhile, this reminder: Primaris and AFMC teamed up in December 2018 to provide CWI clients with the best in HIPAA SRA services, as well as chart abstraction and quality reporting. When it comes to the safety and privacy of your patient data, it is vital to understand that not all SRA vendors are the same and that it’s important to choose your partners well.
AFMC, the Arkansas quality improvement organization, has completed more than 1,600 SRAs covering 4,000 clinicians in practices large and small.
“Both Primaris and AFMC have been involved in SRA work for several years, so this isn’t a mystery to us,” said Primaris CEO Richard A. Royer. “But we still hear providers ask, ‘Is this necessary?’, and the answer is a resounding ‘yes.’”
Royer noted that failure to perform an SRA results in a zero for the provider or ACO’s entire score for the “promoting interoperability” (PI) category of the Merit-based Incentive Payment System.
The Security Rule requires providers to evaluate risks and vulnerabilities in their environment and to take the appropriate security measures to protect the integrity and security of their patients’ health information. SRAs should be performed or reviewed annually to be HIPAA compliant and meet mandatory requirements for many incentive programs such as the Quality Payment Program and Meaningful Use.
“We are excited about working with Primaris to help their clinician clients identify security and privacy threats and vulnerabilities to their patients’ health information,” said AFMC president and CEO Ray Hanley. “Our team of security health IT professionals has successfully conducted more than 1,500 SRAs over the past 10 years. Our proprietary tools and processes address the key SRA components of technical, administrative and physical safeguards.”
Hanley said the goal of Primaris and AFMC is “to help the clinicians identify and lower their risks, reduce the clinical staff burden, and implement best practices.”
And consider these additional notes about the SRA:
- Failure to conduct an SRA was the No. 1 reason EHR Meaningful Use bonus payments were reclaimed by audits. HIPAA isn’t just about the IT department dotting the I’s and crossing the T’s. From the reception desk to the radiology department and the lab to the nursing station, there are a lot of moving parts, and a lot of responsibility to protect patient and practice or hospital information.
- The process of conducting an SRA is still a challenge for many providers and healthcare organizations, made more complicated by the rise of cyber security threats.
- Don’t assume your EHR vendor can handle your SRA. Performing an SRA is less about the technology itself and more about how your practice has implemented it. It requires on-site inspections of each practice location and the creation of customized risk mitigation strategies. It is not something that can be done remotely or through a standard report.
Now back to MIPS and CMS Web Interface reporting – which involves a required SRA – and the overarching connection to your bottom line. Primaris partnered with Affirmant Health Partners and its brand-new Federation ACO to achieve a 100 percent quality score for 2018 CWI reporting. As a result, Federation ACO achieved nearly $15.4 million in Medicare savings and just under $8 million in bonus payments. Click here to download the Affirmant-Federation case study.
Keep in mind the financial consequences if the reporting is not done correctly and on time. Compare the cost of doing it yourself with the cost of teaming with Primaris. Payment adjustments are based on many factors, including quality, meeting submission deadlines, and reporting accurate data. Outsourcing the task and partnering with Primaris is a solution to managing the reporting workload.
Primaris takes care of your data so you can take care of what matters most – your patients.
Coming up throughout July, Primaris will emphasize CWI reporting with a series of blogs, videos, a white paper, and other educational information about the change in the number of measures as well as specific details about measures for at-risk populations, care coordination, and preventive health.
Get a head start by partnering with Primaris for your CWI reporting. (Keep in mind that Primaris also specializes in data and chart abstraction for core measures and a host of clinical registries.) When it comes to your SRA, partner with AFMC.
For more information or a consultation:
Contact Primaris at 1-800-735-6776
Contact AFMC at 1-877-650-2362
Primaris is a healthcare consulting and services firm that works with hospitals, physicians, and nursing homes to drive better health outcomes, improved patient experiences, and reduced costs. Primaris leverages four decades of experience and leadership to abstract healthcare data and translate it into actionable quality improvement initiatives that create the foundation for highly reliable healthcare organizations. For more information, visit www.primaris.org and follow @primaris_health.
For more than 46 years, AFMC has worked to improve the health of Arkansans through utilization review, quality improvement projects, and public education. AFMC's mission is to promote excellence in health and healthcare through evaluation and education. For more information, go to www.afmc.org and follow @afmc on Twitter and Facebook.