This Week – May 20, 2017

This Week in Washington, D.C.

  • HHS Releases Guidance for Practices on Latest Cybersecurity Threat
  • MACRA Tidbit for the Week: Preparing your practice for MIPS “Improvement Activities” Performance Category

From ACG National Affairs Committee Chair, Whitfield L. Knapple, MD, FACG

HHS Releases Guidance for Practices on Latest Cybersecurity Threat

As you may have seen reported in the news, multiple versions of a new ransomware cyber-attack called “WannaCry,” “WCry,” “Wanna Decryptor,” or “WannaCrypt,” was executed at the end of last week that impacted many businesses and users around the world.  Physicians should ensure that their computer’s operating systems and anti-virus software are updated and patched:

  • Run Windows Update immediately.  Download and install any available updates (‘patches’).  Run a scan on your anti-virus software and follow its prompts.  Microsoft has released a customized patch for older platforms that do not receive mainstream updates, including Windows XP, Windows 8, and Windows Server 2003. At this time, Windows 10 has not been targeted by the attack.
  • Check your computer’s settings to ensure that the system will automatically download and install new versions of the operating system and Microsoft Office software.  Do the same for your anti-virus software.
  • Note when the computer will install these new updates, and make sure the computer is on at that time.

While this specific malware did not have much impact in the U.S., physicians should contact their medical device vendors and manufacturers to ensure that they have patched their device software.  ACG encourages members to be prepared for any threat in the future.  The way ransomware works is by taking over your computer and essentially locking you out by encrypting your files.  The hacker may then demand a “ransom” by forcing you to buy and transfer bitcoin to them in return for the decryption key necessary to unlock your files.  The latest hack targets the Microsoft Windows operating system.

If your organization is the victim of a ransomware attack, HHS sent out the following recommendation and steps earlier this week: read the full blog here.

Preparing your practice for MIPS “Improvement Activities” Performance Category

The MACRA final rule requires CMS to provide the criteria that the agency will use to validate and potentially audit your participation in MIPS.  Under MIPS, CMS will conduct this process annually. Additionally, ACG members could receive a request from CMS for an audit, which requires an initial response within 10 business days.  How can you prepare?

CMS recently released the validation steps when attesting to your MIPS Improvement Activities performance category.  Here are the MIPS Data Validation Criteria for the Improvement Activities performance category.  CMS will release the validation criteria for the Quality and Advancing Care performance categories later this year.

It is important that you and your practice review this document and have in place the appropriate document retention policies.

An example: Let’s use, as an example, the MIPS’ Improvement Activity “use evidence-based decision aids to support shared decision-making.”  ACG members can attest to doing this and meet 1 medium weighted MIPS Improvement Activity.  What do you need for validation and documentation?  CMS says you will be required to provide “documentation (e.g. checklist, algorithms, tools, and/or screenshots) showing the use of evidence-based decision aids to support shared decision-making with beneficiary.”  You also must include the dates to demonstrate that this was performed during either your continuous 90 reporting period, or during the 2017 calendar year, if you are choosing the full year reporting option.

Key take-away: Documentation and record retention are crucial

According to CMS, the documentation activities should include the dates during the selected continuous 90-day period that you are reporting MIPS measures in 2017, or if you intend to the 2017 year long reporting option.

How long should I retain documentation?

CMS cites the False Claims Act and encourages MIPS-eligible clinicians to keep documentation up to 10 years.  What’s more, the MACRA final rule says that CMS may request any records or data retained for the purposes of MIPS for up to 6 years.

More Background on Improvement Activities

The Improvement Activity performance category counts for 15% of your MIPS final score this year.  You’ll be able to choose from 90+ activities, which are weighted at various levels.  You can find these activities on the ACG website, or CMS’ quality payment program website.   The activities that are divided into 9 subcategories:

  1. Expanded Practice Access
  2. Population Management
  3. Care Coordination
  4. Beneficiary Engagement
  5. Patient Safety and Practice Assessment
  6. Participation in an APM
  7. Achieving Health Equity
  8. Integrating Behavioral and Mental Health
  9. Emergency Preparedness and Response

Important to note: While there are 9 different subcategories, you can choose to attest to the set of activities that are most meaningful to your practice.  There are no subcategory reporting requirements.  In other words, you don’t have to select activities in each subcategory, or select activities from a certain number of subcategories.

Submitting Improvement Activities

Eligible clinicians can submit their improvement activities by attestation, via the CMS Quality Payment Program website, a qualified clinical data registry (QCDR), a qualified registry, or from their certified electronic health record system. Groups of 25 or more may also choose to use the CMS Web Interface.

Reporting criteria 

You must attest by indicating “Yes” to each activity that meets the 90-day requirement (activities that you performed for at least 90 consecutive days during the current performance period).

Understanding Your Score

Your score will range from zero (not reporting anything) to a maximum of 40 points.

Groups with more than 15 clinicians:

Each activity is weighted either medium or high. To get the maximum score of 40 points for the Improvement Activity score, you may select any of these combinations:

  • 2 high-weighted activities
  • 1 high-weighted activity and 2 medium-weighted activities
  • Up to 4 medium-weighted activities

Each medium-weighted activity is worth 10 points of the total Improvement Activity performance category score, and each high-weighted activity is worth 20 points of the total category score.

Groups with 15 or fewer clinicians (and certain others):

The threshold is easier to meet.  To achieve the maximum 40 points for the Improvement Activity score, you may select either of these combinations:

  • 1 high-weighted activity
  • 2 medium-weighted activities

For these clinicians, each medium-weighted activity is worth 20 points of the total Improvement Activity performance category score, and a high-weighted activity is worth 40 points of the total category score. These clinicians may select two medium-weighted activities or one high-weighted activity to receive a total of 40 points of the total category score.