A little-known feature of a proposed law adjusting physician reimbursement could create problems with HIPAA compliance, particularly if staff members are not informed.

Access to patient information is very broad under the Medicare Access and CHIP Reauthorization Act (MACRA), says Dan Golder, DDS, MBA, principal at Impact Advisors, a consulting group in Cody, WY. What could be a HIPAA violation in most circumstances might be allowed under MACRA, he says.

MACRA was enacted April 16, 2015, to eliminate the sustainable growth rate (SGR) formula that threatened every year to drastically cut physician compensation. MACRA limits aggregate Medicare physician payments to a 0.5% increase per year through 2019, and 4% of a physician’s annual Medicare payments will be tied to one of two paths: the Merit-Based Incentive Payment System or participation in Alternative Payment Models. (To access the rule, go online to http://bit.ly/1VCRVQn.)

Hospitals with employed physicians and owned or affiliated physician practices will be affected by MACRA. The new system is effective Jan. 1, 2017, but CMS announced in September that it is providing options for physicians to enter more gradually and with fewer penalties.

The rule allows in-person audits of a physician’s or facility’s electronic health record (EHR) in a way that Golder says is unprecedented. “They might have gotten audited under Meaningful Use, but that meant getting a letter and sending some data in,” Golder says. “These audits may be in-person audits with people coming in and looking at your EHR. That’s a giant leap in terms of access.”

As the proposed rule is written, the auditors would not be constrained by HIPAA, Golder says. “Government entities do have some access to patient data, but it seems that auditors looking at financial information should be covered under the HIPAA umbrella,” Golder says. “There are no specifics about what the audits will be like, except for saying that auditors may come in, and they will have access to PHI [protected health information]. That’s part of the legislation.”

If the PHI access remains in the final rule, Golder advises risk managers to alert appropriate managers in the hospital or health system so they know the auditors can see PHI without any special permission. With hospital employees so well trained and sensitive about HIPAA compliance, it would be natural for them to resist the auditors, he says. “This will be inconsistent with everything they know about HIPAA and PHI, so there could be confrontations and delays if employees are not forewarned,” he says.