Cyberattack Prompts CMS to Extend 2023 MIPS Flexibilities
By Emma Freer

Editor's note: This story has been updated to reflect a deadline extension.

The Centers for Medicare & Medicaid Services (CMS) recently announced two flexibilities related to Medicare’s Merit-Based Incentive Payment System (MIPS) 2023 performance year, citing the recent cyberattack on Change Healthcare and heeding advocacy by organized medicine.  

First, CMS extended the data submission period until April 15 at 7 pm CT for all participants. At stake is a pay cut of up to 9% in the 2025 payment year. 

Second, the federal agency reopened applications for an extreme and uncontrollable circumstances exception, also until April 15 at 7 pm CT. MIPS participants impacted by the cyberattack may apply for the exception to request reweighting of MIPS performance categories by the same deadline. 

2023 MIPS data submission

MIPS-eligible physicians and health professionals must submit data to CMS each year. Data submitted for a given performance year affects your Medicare payment two years later.  

Scoring for the 2023 MIPS performance year covers a 100-point scale based on clinicians’ performance across four categories: quality, cost, improvement, and promoting interoperability.  

To avoid a pay cut in the 2025 payment year, clinicians will need a final MIPS score of at least 75 points for the 2023 MIPS performance year, a threshold that remains unchanged from 2022. To earn an incentive payment of up to 9%, clinicians must score above 75.  

Unlike in previous years, MIPS no longer offers an exceptional performance bonus for high scorers. 

Clinicians must log in to the Quality Payment Program (QPP) website to submit their 2023 MIPS data or to review the data reported on their behalf by a third party. If you are using a registry, electronic health record, or other third-party submitted, check their deadlines, as they may be earlier than the CMS deadline. 

Texas Medical Association experts encourage physicians to ensure their data is accurate by the deadline on April 15 at 7 pm CT, when the window closes to correct any errors. Additionally, don’t wait until the last minute to submit in case a technical failure impedes your submission. 

To log in to the QPP website, clinicians must register in the Healthcare Quality Information System Access Roles and Profile system. For help with this process, download the QPP Access User Guide.  

Clinicians who are unsure about their MIPS eligibility for the 2023 performance year can verify their status using the QPP Participation Status tool

2023 MIPS hardship exception

In addition to extending the data submission deadline, CMS will consider hardship exception applications from eligible MIPS participants. Those applications also must be submitted by April 15 at 7 pm CT.  

The federal agency won’t approve applications submitted for reasons outside of the cyberattack or reweight any performance category for which it has already received data. 

To apply for an exception, sign into CMS’ QPP website. Then: 

  • Select “Exceptions Application” on the left-hand navigation; 
  • Select “Add New Exception;” 
  • Select “Extreme and Uncontrollable Circumstances Exception;” and 
  • Complete the application, selecting “Ransom/Malware” as the event type and including “Change Healthcare cyberattack” in the event description.  

For updates on the cyberattack, check out TMA’s Change Healthcare cyberattack webpage.

Last Updated On

March 19, 2024

Originally Published On

January 09, 2024

Related Content

Medicare | Quality reporting

Emma Freer

Associate Editor

(512) 370-1383
 

Emma Freer is a reporter for Texas Medicine. She previously worked in local news, covering city politics, economic development, and public health. A native Clevelander, she graduated from Columbia Journalism School and the University of St. Andrews.

More stories by Emma Freer