KENTUCKY REGIONAL EXTENSION CENTER

Webinar June 7th – Cost Deep Dive

The CMS Quality Payment Program is comprised of four categories for Year 2: Cost, Quality, Promoting Interoperability and Improvement Activities. While three of the four categories require clinicians and/or practices to report, the Cost category is based on claims data. It uses Medicare claims data to collect Medicare payment information for the care a provider and/or practice provided to beneficiaries during a specific period of time; as such, there is no submission required. The Cost performance category is newly weighted for year 2 of the Quality Payment Program and is set to increase in weighting over time. Under the MIPS program, cost is based on total cost of care during the year or during a hospital stay, with the potential addition of episode-based measures in future years. The QPP goal is for cost measures to align with the quality of care assessment so that practices can work toward better patient outcomes and smarter spending at the same time. Events such as hospitalizations, readmissions, and certain complications can be identified through claims analysis and then inform the quality of care furnished during an episode.

Join us on our upcoming webinar when we take an in-depth look into the Cost performance category. We will review the measures that make up your cost composite score, as well as some of the feedback reports you can use now to gain a better understanding of your historical performance. In addition to reviewing the key category requirements, we will also dig into how the Cost and Quality performance categories align, and how a practice can use each category to drive improvement across the MIPS program.

QPP Year 2 Webinar – Cost Deep Dive

Thursday June 7th 12-1 p.m. ET

 

CMS Releases 2018 MIPS Eligibility Tool

From CMS: You can now use the updated CMS MIPS Participation Lookup Tool to check on your 2018 eligibility for the Merit-based Incentive Payment System (MIPS). Just enter your National Provider Identifier, or NPI, to find out whether you need to participate during the 2018 performance year.

Changes to Low-Volume Threshold

To reduce the burden on small practices, we’ve changed the eligibility threshold for 2018. Clinicians and groups are now excluded from MIPS if they:

  • Billed $90,000 or less in Medicare Part B allowed charges for covered professional services under the Physician Fee Schedule (PFS)

OR

  • Furnished covered professional services under the PFS to 200 or fewer Medicare Part B-enrolled beneficiaries

This means that to be included in MIPS for the 2018 performance period you need to have billed more than $90,000 in Medicare Part B allowed charges for covered professional services under the PFS AND furnished covered professional services under the PFS to more than 200 Medicare Part B enrolled beneficiaries.
Note: The 2018 Participation Lookup Tool Update for Alternative Payment Model (APM) participants will be updated at a later time.

Find Out Today

Find out whether you’re eligible for MIPS today. Prepare now to earn a positive payment adjustment in 2020 for your 2018 performance.

Contact us at Kentucky REC with your questions about the Quality Payment Program. Our team of experts is here to help: 859-323-3090

CMS Extends MIPS 2017 Data Submission Deadline from March 31 to April 3 at 8 PM EDT

If you’re an eligible clinician participating in the Quality Payment Program, you now have until Tuesday, April 3, 2018 at 8 PM EDT to submit your 2017 MIPS performance data. You can submit your 2017 performance data using the new feature on the Quality Payment Program website.

Note: For groups that missed the March 16 CMS Web Interface data submission deadline, it’s not too late to submit your data through another mechanism.

How to Get Started
Go to qpp.cms.gov and click on “sign in” on the top right side of the web page or use the newly added orange “Start Reporting” button.

You’ll be required to log into the Quality Payment Program data submission feature using your Enterprise Identity Management (EIDM) credentials. If you don’t have an EIDM account, you’ll need to obtain one. Review this EIDM user manual and get started with the process as soon as possible. Currently, it can take up to 5 business days for EIDM requests to be processed. CMS has been adding more help to process EIDM requests as fast as possible.
After logging in, the feature will connect you to the Taxpayer Identification Number (TIN) associated with your National Provider Identifier (NPI).
You’ll be able to report data either as an individual or as a group. Be sure to log in and get familiar with the feature before you submit your data.

Real-Time Score Projections
As you enter data into the feature, you’ll see real-time scoring projections for each of the Merit-based Incentive Payment System (MIPS) performance categories. This scoring may change if new data is reported or quality measures that have not yet been benchmarked are used.

Data can be updated at any time during the submission period. Once the submission period ends, CMS will calculate your payment adjustment based on your last submission or submission update.

Please note, your performance category score will not initially take into account your Alternative Payment Model (APM) status, Qualifying APM Participant (QP) status, or other status—if applicable. To check your QP status, review the updated APM Lookup Tool.

Get Help and Learn More
Contact the Quality Payment Program by email at QPP@cms.hhs.gov or call 1-866-288-8292, if you need help or have questions about using the data submission feature.

You can also view the data submission fact sheet and this video to learn more about the Quality Payment Program data submission feature.

Contact Your QPP Resource Center® at any time:
www.qppresourcecenter.org
qppinfo@altarum.org
1-844-QPP4YOU
@QPP_Midwest

 

Cyber Extortion on the Rise

From the January 2018 OCR Cybersecurity Newsletter:
Incidents of cyber extortion have risen steadily over the past couple of years and, by many estimates, will continue to be a major source of disruption for many organizations. Cyber extortion can take many forms, but it typically involves cybercriminals’ demanding money to stop (or in some cases, to merely delay) their malicious activities, which often include stealing sensitive data or disrupting computer services. Organizations that provide necessary services or maintain sensitive data, such as Healthcare and Public Health (HPH) sector organizations, are often the targets of cyber extortion attacks. The HHS Office for Civil Rights (OCR) published a checklist[1] and accompanying infographic[2] to assist HIPAA covered entities and business associates on how to respond to a cyber-attack.

Ransomware is a form of cyber extortion whereby the attackers deploy malware targeting an organization’s data that renders the data inaccessible, typically by encryption. The encryption key must be obtained from the ransomware attackers to decrypt the data. The ransomware attackers demand payment, often in the form of cryptocurrency (e.g., Bitcoin) for that decryption key. Unfortunately, paying ransom to the attackers may not result in an organization getting its data back. Or, once an organization pays the ransom, the attackers may provide a key to only decrypt a portion of the data and ask for additional ransom to decrypt more data. OCR published a fact sheet that provided guidance on preventing and responding to ransomware attacks for HIPAA covered entities and business associates.[3]

Additional examples of cyber extortion include Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These types of attacks typically direct such a high volume of network traffic to targeted computers that the affected computers cannot respond and may appear down or otherwise inaccessible to legitimate users. In this type of attack, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to halt the attack, or the attacker could threaten an attack and demand payment to not initiate the attack. OCR highlighted DoS and DDoS attacks in a prior cybersecurity newsletter, which included tips on identifying possible attacks as well as steps to take in the event of an attack.[4]

Another type of cyber extortion occurs when an attacker gains access to an organization’s computer system, steals sensitive data from the organization, and then threatens to publish that data. The attacker uses the threat of publicly exposing an organization’s sensitive data, which could include protected health information (PHI), to coerce payment. In this type of attack, the attacker already has the organization’s data and can sell that data to other malicious persons even after the ransom is paid. A variation of this type of attack occurs when an attacker steals sensitive data from an organization and then deletes that data from the organization’s computers. The attackers then contact the organization informing them that its data has been deleted, but will be returned in exchange for payment. Again, payment of the ransom is no guarantee that an organization will get its data back. In fact, there have been instances where one attacker has stolen and deleted an organization’s data while leaving a demand for payment only to have a second attacker gain access to the same computer system and overwrite the payment demand of the first attacker. In this circumstance, the second attacker didn’t even have the data, so the organization has no chance of retrieving data from the second attacker.

Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, organizations must continue to be vigilant in their efforts to combat cyber extortion. Examples of activities organizations should consider to reduce the chances of being a victim of cyber extortion include:

  • Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
  • Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities (for example, by receiving US-CERT alerts and participating in information sharing organizations[5]).

For more information on cyber security resources from OCR, please visit here.

A pdf of this newsletter may be found here.

An archive of OCR’s monthly cybersecurity newsletters may be found here.

OCR’s cybersecurity guidance may be found here.
__________________________________
[1] Cyber Attack Checklist

[2] Cyber Attack Quick Response Infographic

[3] Ransomware Fact Sheet

[4] December 2016 Cyber Newsletter

[5] February 2017 OCR Cyber Awareness Newsletter

For help in making your practice more secure, contact our Privacy and Security experts at Kentucky REC by calling us at 859-323-3090.

 

Medicaid Meaningful Use: 2017 Attestation and 2018 Program Year Information

Attestation for Program Year 2017 is happening now. Here are some recommendations to help you successfully attest.

The Kentucky Medicaid EHR Incentive Program is accepting attestations for Program Year 2017 Meaningful Use. The deadline to submit an attestation for Program Year 2017 is 11:59 pm, March 31, 2018. The user manual for Program Year 2017 is located on the EHR website here.

Schedule a meeting with your Health IT Advisor to submit 2017 MU Attestations.

Items to Attach to your MU Attestations (Save as a PDF):

  • Patient Volume Form
  • Invoice/Purchase Order from Vendor
  • CEHRT ID from CHPL website
  • Meaningful Use reports/CQMs
  • Public Health participation agreements/addendums (KHIE or other specialized registries)
  • Payment Reassignment Letter (If provider is registered to have payment assigned to group NPI)

Make sure these items are saved and together at time of attestation to ease the process. A complete checklist can be found here. Please contact your Health IT Advisor to schedule a meeting to submit your 2017 Meaningful Use attestations as soon as possible.

2018 Meaningful Use Information

For 2018, the EHR reporting period for all participants is a minimum of any continuous 90 days from January 1 through December 31, 2018. Now is a great time to begin running your Meaningful Use reports for 2018 and review with your Health IT Advisor.

You will have the choice in attesting to:

  • Modified Stage 2: Providers may attest to objectives and measures using EHR technology certified to the 2014 Edition, 2015 Edition, or a combination of the two.

OR

  • Stage 3: Providers may attest to objectives and measures using EHR technology certified to a combination of the 2014 and 2015 Editions or to the 2015 Edition.


Contact our experts at Kentucky REC with your Meaningful Use questions at 859-323-3090.

Kentuckiana Health Collaborative Spring Conference March 14: Connecting Mental and Physical Health

You are invited to attend the Kentuckiana Health Collaborative’s upcoming annual conference, Connecting Mental and Physical Health: Successful Models of Integrated Care. The KHC brings together healthcare purchasers, payers, providers, and consumers to work collaboratively towards the triple aim goals. This year’s conference will focus on the latest evidence-based approaches, best practices, and successful models of addressing mental health and substance use disorders among primary care providers, employers, and the community.

Tuesday, March 13, 2018 – Evening conference reception

Wednesday, March 14, 2018 – Full day annual conference

Location: The Olmsted, 3701 Frankfort Ave, Louisville KY 40207

Please see the conference flyer for details.

Register here

Questions? Email mganote@khcollaborative.org