Sean Smith, Systems and Security Manager: MACRA/MIPS risk analysis – Where are we supposed to come up with all this money?


Money is always a touchy subject, especially when discussing Long Term Post-Acute Care (LTPAC) Medical Groups. One cannot read any journals, magazines or blog posts without hearing about the aging population and the cost of health care. That cost has become a priority as CMS moves forward, which typically has meant ‘finding cost savings’ by cutting reimbursements.

And now every LTPAC practitioner has to provide yearly risk analysis documentation in order to avoid losing a percentage of billable as part of the MACRA/MIPS proposed rules. Anywhere from 4% to 9% over the next few years can be lost if the proper risk analysis documentation is not generated.
The risk assessment process is something that each LTPAC medical group must do to avoid:

  • Losing a percentage of billable
  • Leaving a risk in place and being caught in a CMS audit
  • Leaving a risk in place that leads to a Protected Health Information (PHI) breach

One very important note. If your LTPAC practitioners are Medicaid-eligible and have not received the initial AIU (Adopt, Implement or Upgrade) payment of $21,250 per practitioner, you need to file for this payment in 2016 or it will disappear. A practitioner must see at least 30% Medicaid patient volume and register for a certified EHR technology. Yearly payment opportunities of $8,500 per practitioner through the end of 2021 exist if using the EHR in a meaningful way. Here is a link to the AIU program from CMS. AIU is the last “carrot” from CMS and the MACRA/MIPS penalties are the looming “stick.”

So how should each LTPAC medical group know how much to spend on this risk assessment process? A large majority of LTPAC medical groups do not have trained staff to do this work. There are not enough trained cyber security and risk individuals in the United States for everyone who needs one. So most LTPAC medical groups are forced to use outside consultants/vendors to assist with the risk assessment process.

You can loosely equate this to the assistance received from outside accounting resources. Most businesses use some sort of tool to record their accounting data and have some level of outside accounting expertise to interpret that data and assist in providing the necessary documentation.

I have recommended in a previous blog post to use a commercial risk assessment tool that will enable data to be recorded initially and used throughout the year to update as identified risks are mitigated. This tool should provide the yearly risk analysis documentation required for CMS. Most companies that sell these tools also offer consulting services to assist in setting them up and then as needed when using them.

So finally the information you really want. What is the cost?

  • 1-3 practitioners – $2,500 the first year, with costs going down in future years (less consulting)
  • 4+ practitioners – $5,000 the first year, with costs going down in future years (less consulting)

Please note these costs vary greatly depending on the complexity of your system(s), location(s) and how much consulting you need. It can even explode if you decide to have the consultant(s) do the work for you.

But wait, there’s more! The time needed by existing staff is not included. Nor are the time and costs for mitigating identified risks. Those costs vary by medical group and are impossible to identify in a generic, across-the-board fashion. You need to plan for mitigating identified risks and then execute that plan. Start with the highest-level risks first. CMS takes a VERY dim view of groups that identify risks and then ignore them.

One final note: the National Institute of Standards and Technology (NIST) recommends that you devote 12% – 18% of your annual IT budget towards compliance and security, which is great in theory. However, most LTPAC medical groups barely even have an identified IT budget. Please use the information provided when developing your upcoming budgets.