Important dates

November 22nd, 2019

Dates to mind

December 31st, 2019
MIPS exception/exemption deadline for 2019 data – move 25 points from Interoperability to Quality.

January 1st, 2020
Clinical decision support mechanism (CDSM) required for all imaging orders. Providers must use a qualified CDSM program.

Walmart requires electronic prescribing of controlled substances (EPCS). Other states will follow this behavior.

January 2nd, 2020
MIPS 2019 data submission window is open.

January 14th, 2020
Microsoft discontinues support for all Windows 7 and Windows Server 2008 operating systems. 

March 31, 2020
MIPS 2019 data submission window is closed

January 1st, 2021
Medicare requires EPCS for Part D. 

All dates are subject to change, as we know from past experience, but be alert and ready.

Posted by Jim Sherrill | Topic: News  | Category: News

Bit of a breather for MIPS

September 24th, 2019

2019 MIPS exemption!

For small (<15 "Eligible Clinicians") practices, you may choose to exempt from Promoting Interoperability (PI, or Meaningful Use) and move those 25 points to Quality measures for 2019. 

The hardship exception application is simple:

MIPS > Reporting > Reporting Factors Overview > Exception Applications

Click Apply in the "PI Hardship Exception Application Window is Now Open" green-backgrounded rectangle.

Choose Group or Individual, then complete the rest of the fields. Then, rather quickly for a huge government program, the provider should receive an e-mail confirmation of your approved application. Boom, now your existing Quality efforts through 2019 are now providing you more bang! 

Posted by Jim Sherrill | Topic: News  | Category: News

Patient payments

September 21st, 2019

Get paid!

Another value-added reseller recently advised us that some practices are using Papaya for patients to pay them quickly. 

This service lets patients install an application on their phone, scan their printed statement, then pay immediately via the application. Now that is not perfect, because it implies that you have generated & sent a statement, i.e. spent time and money, but it is an attractive alternative. Have a online statement process for patients? No problem, the patient can import that statement image into the application. Papaya is an EASY way for patients to pay you. 

This is a nice use of technology: Papaya recognizes the scanned statement elements, processes the payment, and sends the money to you. Your mileage may vary, we have not used this process and dragons may dwell nearby, so caveat emptor as always! Best wishes for speedy payments.

Posted by Jim Sherrill | Topic: Tips  | Category: News

History Time

September 7th, 2018

Battle of Chickamauga, 155th Anniversary


If you are interested in the massive and awful battle, there are many programs at the Chickamauga and Chattanooga National Military Park this month.

Please have a look and participate if you are able!

Posted by Jim Sherrill | Topic: News  | Category: News

Equifax note

September 12th, 2017

I share a tweaked version from the SANS Institute. In my opinion, steps 3, 4, and 5 are the most useful. #3 costs $5-10 per bureau and requires you to unfreeze each as needed - so be advised. I add that is the only legitimate (by that I mean truly direct to the bureaus AND free of charge) way to check your credit once per year at the three main bureaus. Due to the volume of activity at the bureaus now, calling the phone numbers below may be the most effective way to act.

In addition to the options below for this incident, remember to stay wary, skeptical, and safe; do not click stuff that you do not trust.


Equifax is one of four credit rating services, called Credit Bureaus; the other three are ExperianTrans Union and Innovis. These companies harvest and sell your financial data and credit ratings, plus that of effectively every United States citizen. Equifax announced that they were hacked between mid-May through July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised, including names, Social Security Numbers, addresses and, in some instances, driver's license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. This is not your fault. Companies collect a huge amount of data about people, data that you have no control over nor is there much you can do to protect it. This situation is Equifax's fault. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. Here are some steps that you might consider.

  1. Equifax Website: Equifax has created a website where you can learn more about the incident. One of the options they offer is you can check to see if your data is believed to be compromised. While this is a nice feature, operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened.
  2. Credit Monitoring: You can sign up for free for Equifax's TrustedID credit monitoring service (Note: you may be asked to come back later to set it up, it appears that Equifax is scrambling to get the free registration service functional. In addition, if you sign-up for the free service, you may limit certain legal recourse which you might have otherwise had.). Credit monitoring does NOT protect you from credit card fraud, this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent write-up by Brian Krebs on the limitations of Credit Monitoring.
  3. Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. A security freeze locks your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you!) a loan or credit card. The challenge is that you have to manually setup and pay for a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. But then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four credit bureaus.
  4. Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdrawal or credit card charge is over a certain limit, or they can send you daily reports of your activity. We highly recommend that you enable at least one of these.
  5. Social Engineering Attacks: Be warned, in the coming days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. This is why we have an active security awareness program, to help you understand and defend against attacks like these.

If you do get hit with Identity Fraud, the FTC has created a site to help you recover. The Equifax situation will be fluid, so expect frequent new updates and findings. However, the behaviors above apply regardless of how the situation changes, so we recommend that you focus on those.

FREEZING UPDATE, from a commenter named Mike on Krebs' blog


Equifax: 866-349-5191 choose option 3 for a "Security Freeze"

Experian: 888-397-3742
- Press 2 "To learn about fraud or ADD A SECURITY FREEZE"
- Press 2 "for security freeze options"
- Press 1 "to place a security freeze"
- Press 2 "…for all others"
- Enter your info when prompted

Transunion: 888-909-8872
- Choose option 3, you'll be prompted to enter your zip code, SSN, and so on

Innovis: 800-540-2505
- Press 1 for English
- Press 3 "to place or manage an active duty alert or a SECURITY FREEZE"
- Press 2 "to place or manage a SECURITY FREEZE"
- Enter your info when prompted

Each automated system will try to push you to the company's website, ignore that! Some even make it sound as if you must go to their website to set up a credit freeze. But be patient, and you will soon hear an option to set up a credit freeze.


Posted by Jim Sherrill | Topic: News  | Category: Security

MIPS Overview

December 1st, 2016

It's time for more changes in how providers navigate Medicare payments, welcome to MACRA and MIPS. MIPS consolidates and changes the MU, PQRS, and VBM programs. Here are the more tedious program names from these acronyms: Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) -- Notice the clever nested acronym: Children's Health Insurance Program (CHIP) --, Merit-based Incentive Payment System (MIPS), Meaningful Use (MU), Physician Quality Reporting System (PQRS), and Value-Based Payment Modifier (VBM). The stated intent of these revised government programs is to achieve the "Triple Aim" of higher quality, lower spending, and better patient outcomes.

We will continue to add content as these programs develop and our products evolve to meet the new requirements. MACRA is 2,171 pages, so some of this information may change. Let's take a sip from the MIPS firehose now:

  • Each provider will receive a MIPS Score from 0 to 100
  • MIPS scores will be public and recalculated each year
  • Scores determine providers' yearly Bonus or Penalty

Four MIPS Performance Categories, for 2017 (percentages shift in 2018 and beyond)
Quality - 60%
Advancing Care Information - 25%
Clinical Practice Improvement Activities - 15%
Resource Use - 0%, but will be weighted and used for 2018 and beyond

Four MIPS Participation Options, for 2017
    No participation: Organizations not exempt from MIPS that do not send in any 2017 data will receive a negative 4% payment adjustment.
    Report one measure for a minimum 90-day period: One Quality, ACI, or CPIA measure will earn enough MIPS points (3 points, yes three, is the no-penalty threshold) to avoid a penalty and possibly earn a small incentive.
    Report more than one measure for a minimum 90-day period: More than one measure in any or all of the Quality, ACI, or CPIA categories avoids a penalty, maximizes the MIPS score, and potentially earns the highest possible incentive.
    Participate in an Advanced Alternative Payment Models (APM): Organizations that sufficiently participate through an Advanced APM earn a 5% Part B bonus and are exempt from MIPS.

Who is Eligible for MIPS
Physician assistant
Nurse practitioner
Clinical nurse specialist
Certified registered nurse anesthetist

In 2019 and beyond, these providers are added for MIPS:

Physical and Occupational Therapists
Speech-language Pathologists
Nurse Midwives
Clinical Social Workers
Clinical Psychologists
Dietitians/Nutritional Professionals

Who is Exempt from MIPS
First-year Medicare providers
Providers with a low volume of Medicare patients (less than $30,000 Medicare Part B or less than 100 Medicare patients)
Qualifying participants in eligible APM.Possibly exempt: Rural health clinics or Federally Qualified Health Clinics (FQHCs)

How do I know if I'm ready to participate in MIPS?

  1. Check that your electronic health record is certified by the Office of the National Coordinator for Health Information Technology. If it is, it should be ready to capture information for the MIPS Advancing Care Information category and certain measures for the Quality category.
  2. Consider using a qualified clinical data registry or a registry to extract and submit your quality data.
  3. Use the websites below to explore the MIPS data your practice can choose to send in. Check to see which measures and activities best fit your practice.

Where to learn more


Posted by Jim Sherrill | Topic: News  | Category: News

Subject Line - IT'S A TRAP!

October 20th, 2016

"Business E-mail Compromise," or BEC, is the name for malicious attempts to use a fake Reply-to field or a fake Display Name to compromise humans' money or information. For example, an attacker sends an e-mail with the Display Name set as that of the CEO. Employees without alert skepticism may respond to the implied trusted request, not noticing that the money or data is actually going to the attacker.

Here are the top ten recent BEC Subject Lines, in descending frequency:

  • Request
  • Payment
  • Urgent
  • hello
  • hi
  • Follow up
  • Quick One
  • Urgent Request
  • [blank]

The first five make up over 20% of the imposter e-mails.

In contrast, please review a list from one month of one address at MSA - one of our defensive layers blocks these messages from ever arriving in an Inbox. These messages have malicious content that encrypts files and forces you to pay a ransom or restore from a safe backup. Notice the variety in Subject Lines as well as the improbable From names & e-mail addresses. 

email block list

If you are not blocking these messages, please use caution and common sense before opening or previewing anything like these samples!

Posted by Jim Sherrill | Topic: News  | Category: Security

Maintain composure, do not click

September 20th, 2016

There are many versions now of the encrypting "ransomware" programs. Some not only encrypt your business documents but also delete critical files from your server and stop your operations entirely! The only sound way out after infection is to restore from backup - paying the ransom is almost never recommended.

How to reduce risk

  • As always, never open ANY suspicious attachments (e.g. zipped .js, .wsf or .vbs files)
  • Keep recent backup copies of important data in a secure place either online or offline
  • Ensure that your system and applications are fully updated and patched


Posted by Jim Sherrill | Topic: Tips  | Category: Security

Medical Software Associates. 1021 McCallie Avenue. Chattanooga, TN 37403