• About Us
  • Events
  • Newsletter Sign Up
  • Spotlight Series
  • Webinars
  • WhitePapers
  • Videos
  • Podcasts
    1. Cybersecurity

    Washington Debrief: Senate Bill Would Make MU Changes; MACRA Timeline May Change

    Oct. 5, 2016
    A bill introduced into the Senate last week would add significant flexibility for Meaningful Use program participants in three key ways.
    Capitol Building

    Meaningful Use

    Senate Bill Would Make Permanent 90-Day Reporting Period, Redefine Pass/Fail Construct of MU

    Key Takeaway: A bill introduced into the Senate last week would add significant flexibility for Meaningful Use program participants in three key ways: permanent annual 90-day reporting periods, redefines a “Meaningful User” as meeting 70 percent of measures and extending current hardship exemptions.

    Why It Matters: The bill introduced by the Senate “REBOOT” group, would leverage three reasonable policy changes to infuse flexibility into the Meaningful Use program beginning with the current program year, if passed.

    The EHR Meaningful Relief Act (S. 3173), sponsored by Senator John Thune (R-SD), and cosponsored by Senators Lamar Alexander (R-TN), Mike Enzi (R-WY), Richard Burr (R-NC), Pat Roberts (R-KS) and Bill Cassidy (R-LA),  makes three policy changes to the Meaningful Use program:

    1. 90-Day Reporting Period – The legislation both would uphold the recent proposal from the Centers for Medicare and Medicaid Services (CMS) for a 90-day reporting period in 2016, but also continues the policy in perpetuity.
    2. Removal of All-or-Nothing Construct – The legislation adds a new threshold of 70 percent of metrics met in order to avoid a payment adjustment.
    3. Flexibility in Hardship Exemptions – At the end of 2015, Congress passed a law to expand CMS’ authority to grant hardship exemptions to Meaningful Use participants, including to those that are switching electronic health record (EHR) vendors.

    CMS Administrator Acknowledges MACRA Timeline May Change During Senate Hearing

    Key Takeaway: Appearing before the Senate Committee on Finance, Acting Administrator at the Centers for Medicare and Medicaid Services (CMS), Andy Slavitt, cited potential flexibility in either the start date of the Medicare Access and CHIP Reauthorization Act (MACRA) policies or a shortened reporting period to enable participants the best chance at success.

    Why It Matters: CHIME, along with many other organizations in response to the proposed rules that would govern the Merit-based Incentive Payment System (MIPS) and Alternative Payment Models (APMs) under MACRA, have cited the timeline for the implementation of the new Medicare eligible clinician payment mechanisms to be overly aggressive, calling for adjustments in implementation timing. These concerns are shared by many lawmakers including Finance Committee Chairman Orrin Hatch (R-UT), who questioned whether a few months at the end of the year will give clinicians enough time to prepare.

    Senators voiced their concerns about the ability of small and rural providers to successfully participate in MACRA, which includes a version of the Meaningful Use program renamed “Advancing Care Information.” Senator Debbie Stabenow (D-MI), expressed concerns about the lack of interoperability and challenges rural providers face leveraging their electronic health record, which is necessary for either pathway for payment under MACRA, to improve patient care.

    The acting administrator highlighted efforts to infuse flexibility into how clinicians can participate in the new payment policies as well as intentions to reduce reporting burdens to demonstrate compliance. CMS is now in the process of finalizing the MACRA rule, which is expected to be released this fall.

    Patient ID

    House Committee Suggests in FY17 Budget Proposal, HHS Can Work on Patient Matching with Industry

    Key Takeaway: To accompany the House version of the Labor, Health and Human Services and Education Appropriations bill, the Committee clarified that the lack of a national approach to patient matching is among the most significant barriers to nationwide interoperability and would allow the Department of Health and Human Services to work with the private sector on matching initiatives.


    Why It Matters: Congress has voiced their opposition to the Department of Health and Human Services (HHS) from developing of adopting a unique patient identifier since the 1999 federal budget. Although the proposal passed by the House Committee on Appropriations this week continues the same ban, housed in Section 510 of the legislation, the Committee says that CMS and ONC can provide technical assistance to private sector-led initiatives on patient identification.

    The House Committee report language says, “Unique Patient Health Identifier.—The Committee is aware that one of the most significant challenges inhibiting the safe and secure electronic exchange of health information is the lack of a consistent patient data matching strategy. With the passage of the HITECH Act, a clear mandate was placed on the Nation’s healthcare community to adopt electronic health records and health exchange capability. Although the Committee continues to carry a prohibition against HHS using funds to promulgate or adopt any final standard providing for the assignment of a unique health identifier for an individual until such activity is authorized, the Committee notes that this limitation does not prohibit HHS from examining the issues around patient matching. Accordingly, the Committee encourages the Secretary, acting through the Office of the National Coordinator for Health Information Technology and CMS, to provide technical assistance to private-sector led initiatives to develop a coordinated national strategy that will promote patient safety by accurately identifying patients to their health information.”

    While there is still a long road ahead for the FY17 funding bills, including that for HHS, this important step forward will support CHIME’s efforts to educate members of congress and the administration on the importance of a national solution for patient identification.

    Cybersecurity

    OCR Releases Industry Guidance on Ransomware, CHIME to Form Cybersecurity Policy Work Group

    Key Takeaway: Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released much-anticipated guidance on ransomware incidences and the likelihood of a breach. The guidance infers that if a ransomware attack occurs, a breach should most likely be reported. 

    Why It Matters: Hospital victims of ransomware attacks have gotten attention from the press and lawmakers alike, spurring action from OCR to clarify whether a ransomware incident is likely a breach under the Health Insurance Portability and Accountability Act (HIPAA.)

    The guidance, which came in the form of a fact sheet, defines ransomware and outlines signs of an intrusion and discusses risk mitigation and back-up procedures. Unless covered entities under HIPAA can demonstrate a "low probability" that patient information has been compromised in a ransomware incident, then the guidance stipulates that a breach is presumed. Thus, triggering notification affected individuals according to existing HIPAA regulations. Providers and insurers must then determine if patient information was acquired or viewed, the extent to which data loss was mitigated, and to whom the disclosure was made.

    OCR Audits Underway

    Key Takeaway: More Office for Civil Rights (OCR) audits will be underway for providers.

    Why it Matters: OCR announced last week that they are pursuing Phase II of their audit program centered on ensuring covered entities and their business associates are complying with Health Information Technology for Economic and Clinical Health Act (HITECH) which requires audits are performed to ensure privacy, security and breach notification requirements are being met.

    Specifically, OCR states, “In its 2016 Phase 2 HIPAA Audit Program, OCR will  review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.” They also say that a third set of audits will be conducted onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit.

    OCR has Q’s and A’s on their plans for Phase II which can be found here.  OCR sent letters to CEs and Bas they plan to audit for the fall, on July 11th.  167 entities are expected to be audited under this phase.

    Continue Reading

    Sponsored Recommendations

    Six Cloud Strategies to Combat Healthcare's Workforce Crisis

    The healthcare workforce shortage is a complex challenge, but cloud communications offer powerful solutions to address it. These technologies go beyond filling gaps—they are transformin...

    Transforming Healthcare with AI Powered Solutions

    AI-powered solutions are revolutionizing healthcare by enhancing diagnostics, patient monitoring, and operational efficiency - learn how to integrate these innovations into your...

    Enhancing Healthcare Through Strategic IT and AI Innovations

    Learn how strategic IT and AI innovations are transforming healthcare - join Tomas Gregorio as he explores practical applications that enhance clinical decision-making, optimize...

    The Intersection of Healthcare Compliance and Security in the Age of Deepfakes

    As healthcare regulations struggle to keep up with rapid advancements in AI-driven threats like deepfakes, the security gaps have never been more concerning.