Paste your Google Webmaster Tools verification code here

Most physicians realize, that like the practice of medicine, government regulations change and evolve frequently. Regulations have been changing so fast that most physicians are having trouble keeping up. As a physician, how many times have you thought to yourself, “This is not what I went to medical school for!” Unfortunately, more changes are coming for two of the most important regulations impacting physicians—The Health Insurance Portability and Accountability Act (“HIPAA”) and the Medicare Access and CHIP Reauthorization Act (“MACRA”). The Department of Health and Human Services (“HHS”) recently determined it was time to overhaul HIPAA to bring it in line with the spirit of MACRA—to ease providers’ communication burdens and facilitate coordinated care. In this article we will evaluate HIPAA proposed changes and how they might affect an oncology practice. We also will review MACRA changes for this year, including what to look out for if you decide to use only your EMR/EHR system to comply with MIPS/MACRA, and some tips on how to comply with MACRA changes.

What Potential Changes Are Coming To HIPAA?

The benefits and burdens of HIPAA can be debated and fact of the matter is that HIPAA is here to stay. However, last December, HHS published a request for information seeking to identify and eliminate some of the physician burdens caused by HIPAA. Some of the changes have the potential to cause more harm than good, while others are common sense changes physicians should welcome.

Forced, and Health Emergency, Sharing

Currently, medical practices are required to provide patients with access to their medical records within 30 calendar days of the patient’s request. A 30 day extension is allowed if the medical records are not maintained onsite, but notice of such delay needs to be sent to the patient. On the other hand, there presently is no current timeframe pertaining to physician requests for a patient’s medical record. HHS is considering requiring all physicians, clinicians, and other covered entities, to disclose to each other a patient’s medical record within the same time frame HIPAA currently requires for disclosures to the patient. If finalized, your medical practice would be required to disclose patient information to another medical practice requesting records within 30 calendar days of the request, or risk violating HIPAA.

Would this make your job easier if you were required to disclose patient information—or another practice was required to disclose patient information to you, within the same time period specified for disclosures to patients? Most practices I work with disclose a patient’s medical record to another medical practice within two weeks, so it would seem most would have no issue complying with this. However, other practices sometimes refuse to disclose, or take a long time to disclose, in fear that they are violating HIPAA. Adding a time frame to comply with another medical practice’s request for patient information should augment coordinated care and make the permissibility of these disclosures more clear, but nevertheless will add another regulatory hurdle to physician practices.

Accounting of Disclosures

Currently, HIPAA requires that a medical practice provide a patient, upon request, a copy of an accounting of certain disclosures of their health information made within the previous six years from the date of the patient’s request. This currently is limited to disclosures made to groups that were not the patient’s doctor, the patient’s health insurer, or the patient themselves. However, HHS is considering modifying this rule to include ALL disclosures, even those from doctor to doctor, doctor to health insurer, and doctor to patient, and instead of it being six years prior to the request, it would be three years.

HHS stated this requirement would not be a burden on practices because it believes electronic health record (“EHR”) systems can readily document what disclosures were made, when they were made, and to whom. When it comes to oncology and hematology practices, would this be a burden? Can your EHR system collect this data easily enough that you could readily comply? Are you still using paper charts to where this would be a huge burden? Because some EHR systems were not designed to handle this type of requirement, it is likely that most practices would be required to assign someone to specifically keep track of all disclosures of patients’ medical disclosures and uses. This likely is an area where HIPAA needs no changes, as patients generally do not need to know when a doctor discloses their information to another doctor, health insurer, or to the patient themselves. HIPAA already expressly authorizes these uses and disclosures, so the burden of informing the patient on this seems unnecessary.

The other part to this accounting of disclosures overhaul is that a patient would now, if finalized, be allowed one free audit trail detailing every time someone came in contact, electronically, with the patient’s medical record within a 12 month period. These audit trails are voluminous, often totaling hundreds if not thousands of pages. The law would require that a covered entity would have to print a copy of the audit trail if the patient is unable to accept an electronic copy, meaning practices should gear up for a potentially massive paper burden.

With audit trails, remember that EHR systems only record the username, or IP address, of the individual or group that accesses the record. If finalized, this rule could cause massive confusion amongst patients and cause tons of time delay for practices. As an example, let’s say that a patient comes in and asks for an accounting of disclosures and an audit trail of their medical record. Your practice provides those documents. The patient then calls your office the next day and says, “I don’t know who this person is that on July 17, 2018 from 2:31 pm to 2:45 pm accessed my medical record. Who is this and what were they doing?” The access could be something completely harmless as your billing company accessing the record so that they could bill for the services provided, but try explaining that to the patient. Again, this is another change that likely is more burdensome than beneficial.

Acknowledgement of Receipt of Notice of Privacy Practices

Every time you go to a new doctor’s office, you are required to sign a form acknowledging that you were given a copy of that practice’s Notice of Privacy Practices. Some doctors’ offices will simply post the Notice on the wall in their waiting room, while some keep a copy of it on a clipboard to be completed by the patient. HHS currently requires the patient sign this form, but if HHS’s proposal is finalized, it would eliminate a doctor’s office from having to obtain a patient’s signature on this form acknowledging receipt of the notice. This will mean covered entities will have one less form for patients to fill out and sign, and one less form for your practice to collect and maintain.

What Changes Should You Be Aware Of As It Pertains To MACRA/MIPS?

If it seems like MACRA/MIPS changes every year, that is because it does. Each year, CMS
(Center for Medicare and Medicaid Services) issues a proposed and then final rule for the changes made to MACRA. While CMS makes changes to both the Merit-based Incentive Payment System (“MIPS”) and the Advanced Alternative Payment Model (“APM”), most doctors, and especially oncologists and hematologists, fall under the MIPS participation track for reimbursement. In 2018, the final rule was about 1600 pages long and changed or added to the regulations for complying with MACRA/MIPS. For 2019, the final rule was almost 1000 pages long and again changed or added tons of regulations for complying. For 2020, you should expect there to be another proposed and final rule for MACRA/MIPS, and you can expect that rule to be very long and complex.

Most doctors we service tell us something like “my electronic medical record (“EMR”) software handles that.” While this may be true, how good of a job does it do? EMR’s were not designed to comply with MIPS. They were designed solely to help maintain an electronic version of medical records that would allow a physician to easily review a patient’s record no matter where the doctor might be, and to help with billing. EMR’s like eClinicalWorks, Allscripts, and others have been sued (and lost) in federal court for stating they could help clients comply with the Meaningful Use program (now part of MIPS as the Promoting Interoperability category), only to have the clients end up paying back the Meaningful Use grants they received from the government. While EMR’s are a necessary evil these days, relying on them to do your MIPS reporting potentially could cause your practice to fall out of compliance and, as a result, lose the opportunity to increase Medicare Part B reimbursements.


Last year, only Physicians, Physician Assistants, Nurse Practitioners, Clinical Nurse Specialists, and Certified Registered Nurse Anesthetists had to comply with MIPS. This year, these same groups of clinicians have to continue to comply (as long as they exceed the low volume threshold), but MIPS has added several new clinicians to the group. These include Physical Therapists, Occupational Therapists, Speech-Language Pathologists, Audiologists, Clinical Psychologists, and Registered Dietitians or Nutritional Professionals. Adding one of these clinicians to your group could require you to add them to your MIPS reporting.


Another change to MIPS this year is that the weights of the categories, and the total overall MIPS score you need to be neutral (meaning you don’t lose or gain any Medicare Part B reimbursement) have changed. Quality used to be worth 50 percent of your overall MIPS score. Now it is worth 45 percent. Cost, which was 10 percent of your overall score, has increased to 15 percent of your overall score. Promoting Interoperability remains at 25% of your overall score, and Improvement Activities remains at 15% of your score. This is important, because those practices that did the bare minimum will now need to comply with more than one category to receive a neutral adjustment.

Last year, the overall score from MIPS that you needed in order to be neutral was 15 percent. This year, the overall score you need is 30 percent to be neutral. It is no longer sufficient to attest to the Improvement Activities category and be good to go. Now, your practice has to at least meet some combination of two categories in order to get the 30 percent it needs to be neutral. If your overall score is less than 30 percent, you will receive a negative adjustment to your Medicare Part B fee schedule in 2021.


The final changes we will review in this article are the changes to the low-volume threshold and the Opt-In option. Last year, in order to be excluded from having to comply with MIPS, you had to either see less than 200 Medicare beneficiaries in the calendar year, or bill less than $90,000 in allowed Medicare Part B charges. If you billed more than $90,000, but only saw 175 Medicare Part B patients in the calendar year, you were excluded from having to comply.

This year, those two criteria remain the same, but CMS has added a third option that must be met in order to be required to comply with MIPS. Now, a clinician must also provide more than 200 covered professional services under the Physician Fee Schedule. While this is a new hurdle in order to have to comply, it shouldn’t be too difficult for clinicians to meet, because most patients that are seen by a physician have more than one medical service provided to them at each visit. Thus, getting to 200 covered professional services usually is not an issue.

This year, as part of this low-volume threshold, CMS has included an Opt-In option. If a clinician meets or exceeds one or two original criteria above, the clinician can Opt-In to complying with MIPS. Opting-in makes sense because in order to get reimbursed from Medicare in the first place, you already document the majority of what you need to comply with MIPS anyway. For example, if you already bill more than $90,000 in Medicare Part B services, but don’t see enough Medicare patients, or provide enough Medicare services, you would be excluded from complying, but would also be excluded from getting an increase to your Medicare Part B fee schedule. Opting-In would allow you to comply with MIPS, and thus have an opportunity to increase your Medicare Part B Fee Schedule. A clinician that is otherwise excluded from complying with MIPS, but has the opportunity to Opt-In, should carefully consider whether opting-in would be worth the effort, especially considering they already are doing most of the work required to comply with the law. Remember, the Opt-In option for clinicians is so new that most EMR’s are unable to help the clinician with this opportunity.


This article touched on just a few of the upcoming changes to HIPAA and MACRA/MIPS. With MACRA/MIPS constantly changing, and HIPAA preparing for massive changes, physicians often do not have the time to stay up to date. Most will rely on their EMR’s to collect and report for them. However, solely relying on an EMR to collect and report for you is like bringing a bat but no glove to a baseball game; you’ll be able to succeed in some of the game, but not the entire game. MACRA/MIPS is very much a team effort. Physicians should be fully aware of all their options when it comes to compliance, and should realize that complying with MACRA/MIPS laws is truly a “you get what you pay for,” type environment, whereas HIPAA compliance laws are mandatory.

Physicians went to school to treat patients, not to be compliance officers. Their staff, while fully dedicated to the job at hand, don’t have the time to keep up with these laws either. Compliance has become a full contact sport, and physicians need to ensure they have a complete team, and that relying solely on one group, or one aspect, can cause more headaches than the initial monetary savings may be worth. These are major changes to legal requirements that physicians and clinicians have to now comply with on a daily basis. The slightest mix up can cause extensive fines, penalties, or reduction in reimbursement. The laws keep changing, are you and your practice fully prepared?

Note: This article was written for the April/May/June 2019 SOAPBox News by Kyle Haubrich and Jacob Grimes, Sandburg Phoenix & Von Gontard, PC; and Trish Breingan, North Shore Computer, Inc.