2017…Playing the #’s game with MACRA vs. Healthcare Security/Compliance
We are in Q2 2017, and based on the current political atmosphere in Washington regarding healthcare, one piece of legislation is here to stay regardless: the Medicare Access & CHIP Reauthorization Act of 2015 (MACRA). MACRA requires physicians/providers to participate in MACRA’s value-based payment or face reductions in Medicare Part B fees. Under MACRA, MIPS performance in 2017 (MIPS is one of the two alternative pathways, the second being APM, the Alternative Payment Method) determines whether the provider will receive up to a 4% adjustment to Medicare Fee-for-Service in the 2019 payment year. So it’s essential for the CFO/CMO to understand and prepare for the key changes under the MACRA rule.

Understanding and preparing for MACRA carries a cost in 2017. The direct costs are advisory and consulting fees (hire a consultant or do it yourself); software implementation and training (or prepare an extensive Excel spreadsheet); and the technical assessment. There are also indirect costs, based on the initial reading of the MIPS score: the measures and solutions needed to increase the score.

Then we have the yearly costs for healthcare security/compliance. These costs keep increasing every year, because an effective healthcare security/privacy program is needed to combat the growing number of cybersecurity threats. Spending on healthcare security varies from 1% to 6% of revenue. Healthcare security is increasingly about survival, and there are more questions than answers:

  • What is the impact of breaches and ransomware?
  • How far do we need to go in resources (time, money and physical resources) allocated to healthcare security?

Due to the shift in incentives from volume to value of care, the healthcare organization’s revenue may or may not increase unless there is a merger or acquisition. So, what choices does the CFO have?

For example:

Provider Group Practice A (fewer than 25 providers, Medicare revenue approx. $2.9M - $3.2M). Amounts in parentheses are costs; columns are the 2017 performance year through the 2019 payment year.

                                            2017         2018         2019
MACRA costs (consulting/software/
technical assessment)                       $(60K)       $(27K)       $(27K)
Financial risk: 4% adjustment in 2019
(every MIPS point counts)                                             $60-70K + any exceptional performance bonus
Cyber/compliance costs                      $(50-60K)    $(55-65K)    $(60-70K)

There are also indirect costs for not spending on MACRA and/or healthcare security/compliance. MACRA/MIPS scores can be published on Physicians Compare, Healthgrades.com, etc., so a poor score has a reputational impact on the organization. The costs of a breach in healthcare security/compliance are lawsuits, reputational damage, and loss of income.

The costs for MACRA and security/compliance come now, because the need is now to protect the future. Both MACRA and healthcare security are vital to the organization, and as a CFO the choice is whether to manage the costs on the P&L or to be a strategic advisor. Being a strategic advisor means spending money on MACRA and seeing the return on investment beginning in payment year 2019. Likewise, being a strategic advisor and spending money on healthcare security/privacy guards your organization against cyber threats. Both are critical to continuous improvement and success.

At MindLeaf (www.mindleaf.com) we have been protecting patient privacy by ensuring that providers have the right procedures, policies and tools to monitor privacy AND vendor risk management. MindLeaf and Intel are offering a complimentary breach security assessment for healthcare organizations (www.mindleaf.com/breachsecurityprogram.html).

MindLeaf also helps organizations plan for MACRA, using tools from a software vendor to evaluate the initial MACRA score. We help provider organizations understand the Merit-based Incentive Payment System in four steps:

  1. Analyze the current state
  2. Create a roadmap
  3. Implement a solution
  4. Optimize and improve

As our former President Lincoln said, “I will prepare and someday my chance will come.”


Schedule your assessment now.

Paresh K. Shah

Labels: HIPAA Privacy