An important conversation I’ve had with healthcare providers is on the topic of MACRA, or the Medicare Access and CHIP Reauthorization Act. The biggest takeaway I’ve had is that physicians are only vaguely aware of this massive piece of legislation that has the potential to upend how they practice medicine. I can understand why this is the case: over the last 10 years healthcare providers have been hammered with so many changes (HIPAA, HITECH, HL7, ICD-10, EMRs) that I’m surprised they still know how to get to work in the morning.
As an industry, the consensus around MACRA and its benefits can be distilled to one word: “terrible”. With a manifold increase in bureaucratic oversight and reporting and a tiny bump in compensation, we will see doctors who can do so transition away from accepting insurance and move toward cash on the barrel.
These sentiments are reflected in the cybersecurity community as well. HIPAA and HITECH were a substantial, if ham-handed, push to get healthcare entities to address data security. MACRA does little to help healthcare providers secure patient data. The new legislation is primarily focused on the transition to “population health” and pay-for-performance models rather than cybersecurity. There is a nod toward data protection, with MACRA requiring the removal of Social Security Numbers (SSNs) from Medicare cards. The purported benefit of this initiative is to better protect patient financial and federal healthcare information.
However, SSNs cost about a buck on the black market, and there’s a good chance that any patient who is receiving federal benefits had their SSN compromised long ago. Just look at the government hacks (OPM, IRS, VA, etc.) that have occurred over the last several years.
As for private financial information, the removal of the SSN from the cards may have some small positive impact, but financial institutions have done only a fraction better at protecting sensitive information. A quick data correlation on a patient name in widely available online hacker databases can confirm SSNs and other information without physical access to a Medicare or Medicaid card.
In the end, the removal of SSNs from Medicaid cards smacks of too little and far too late, more akin to government mandates on buggy whip construction.