Washington Debrief: Cybersecurity Information Sharing Grants Available from HHS

Oct. 5, 2016


Cybersecurity Information Sharing Grants Available from HHS

Key Takeaway: Two grants have been made available by the Department of Health and Human Services (HHS) to improve information sharing on cybersecurity threats within the Healthcare and Public Health (HPH) Sector.

Why it Matters: Two divisions of HHS, the Office of the National Coordinator (ONC) and the Assistant Secretary for Preparedness and Response (ASPR), have announced grant opportunities to further cybersecurity information sharing efforts. HHS hopes these opportunities will facilitate the sharing of cybersecurity threats identified in the HPH Sector with relevant stakeholders in the industry as well as federal partners, including the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The Funding Opportunity Announcements released by ONC and ASPR can be renewed for up to five years and call for an existing Information Sharing and Analysis Organization (ISAO) or Information Sharing and Analysis Center (ISAC) to:

  • Provide cybersecurity information and education on cyber threats affecting the HPH Sector
  • Expand outreach and educational activities to assure that information about cybersecurity awareness is available to the entire HPH Sector
  • Equip stakeholders to take action in response to cyber threat information
  • Facilitate information sharing widely within the HPH Sector, regardless of the size of the organization

Details are outlined below:

  • ONC grant:
    • Applications due: August 19
    • Grant amount: $250,000
    • Eligible to apply: Among the types of entities that can apply are public and private non-profits and entities already providing outreach and technical assistance to participating organizations on cyber threats
  • ASPR grant:
    • Applications due: August 25
    • Grant amount: $150,000
    • Eligible to apply: Nonprofits with a 501(c)(3) status other than higher education institutions

Meaningful Use

CMS Announces Cardiac Bundling Program – Contains IT Requirements

Key Takeaway: CMS has published a proposed regulation on bundling cardiac care.

Why it Matters: CMS’ recently published rule proposes to implement three new Medicare Parts A and B episode payment models targeting care for Medicare fee-for-service beneficiaries receiving services during acute myocardial infarction, coronary artery bypass graft and surgical hip/femur fracture treatment episodes. All related care within 90 days of hospital discharge will be included in the episode of care. This program would apply to beneficiaries receiving care in acute care hospitals in certain selected geographic areas.

Pursuant to the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), there are two pathways for physicians to be reimbursed beginning in 2019: the Merit-Based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (APMs). CMS has proposed that in order for episode payment models (EPMs) to meet the criteria to be Advanced APMs, EPM participants would have to use Certified Electronic Health Record Technology (CEHRT) and meet financial risk requirements to be in Track 1 of each EPM. CMS has also proposed that those in EPMs who are not using CEHRT would be in Track 2 and thus not qualify as an Advanced APM. CMS has proposed similar requirements for the Comprehensive Care for Joint Replacement (CJR).

OIG Report Details EHR Downtime

Key Takeaway: The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has published a new report, “Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans,” examining the downtime of electronic health record (EHR) systems.

Why it Matters: Federal agencies and Congress continue to evaluate potential impacts on patient safety resulting from EHR downtime, whether it results from internal hardware disruptions or cyberattacks. Most recently, OIG published a report that it said it undertook because, “Disruptions, such as natural disasters or technical malfunctions, can make electronic health records (EHRs) unavailable to hospital staff. Prior OIG work found, for example, that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. More recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs.”

In studying the issue, OIG found that almost all hospitals have written EHR contingency plans and that approximately two-thirds said they addressed the four Health Insurance Portability and Accountability Act (HIPAA) requirements reviewed by the OIG, including: a data back-up plan, a disaster recovery plan, an emergency-mode operations plan and testing and revision procedures.

OIG concluded that the growth and evolution of threats to digital health information validate the need for EHR contingency plans. Further, OIG reinforced its prior recommendation that the Office for Civil Rights (OCR) implement a permanent audit program for HIPAA compliance.

Members of Congress, including Representatives Ted Lieu (D-CA-33) and Will Hurd (R-TX-23), cited concerns about EHR downtime and specifically questioned potential patient safety implications of ransomware events in a recent letter to the OCR.

Patient Safety

FDA Clarifies Regulation of Wellness Products

Key Takeaway: The Food and Drug Administration (FDA) has published new guidance on “general wellness” products.

Why it Matters: Much ado has been made recently over whether a wellness product must undergo formal approval from the FDA. As companies try to navigate an increasingly complex regulatory landscape, the FDA has been pressured to publish guidance to help clarify when a product is required to be cleared by the agency. To that end, the FDA published guidance, “Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices,” and welcomes comments per the notice in the Federal Register.

According to the FDA, the guidance is intended to “provide clarity to industry and FDA staff on … compliance policy for low-risk products that promote a healthy lifestyle (general wellness products).” The FDA adds that it hopes the guidance will improve the “predictability, consistency, and transparency” of the agency’s oversight of these products. For purposes of the guidance, the FDA says “general wellness products” are products which “are intended for only general wellness use as defined in the guidance and present a low risk to the safety of users and other persons.”

Members of Congress have urged the FDA not to impede innovation in health IT through overregulation, and legislation has been introduced in both the House and Senate to clarify the FDA’s role in the regulation of health IT products. Representative Marsha Blackburn (R-TN-07) initially authored the Sensible Oversight for Technology Which Advances Regulatory Efficiency (SOFTWARE) Act in 2013, and given the continued interest in this topic, the proposal was included in the 21st Century Cures Act (H.R. 6), which passed the House last July. Similarly, Senators Michael Bennet (D-CO) and Orrin Hatch (R-UT) have introduced the Medical Electronic Data Technology Enhancement for Consumers’ Health (MEDTECH) Act, which was approved by the Senate Health, Education, Labor and Pensions Committee in April and offers a slightly different perspective on where the FDA should step in to regulate health IT products. A comparison of the legislative proposals, the SOFTWARE Act and MEDTECH Act, can be found here.


President Signs Comprehensive Opioid Abuse Bill into Law, Includes Directive to Integrate PDMPs and EHRs

Key Takeaway: On July 22, President Obama signed the Comprehensive Addiction and Recovery Act of 2016 into law, which included a direction for grant recipients to integrate Prescription Drug Monitoring Program (PDMP) data into electronic health record (EHR) systems.

Why It Matters: The law directs states to encourage the incorporation of the latest technological advances available for the integration of PDMP data directly into the workflow of prescribers, which includes the need for interoperability with EHRs. The states receiving the $10 million in grant funding must report on interoperability with health information technology systems such as electronic health records, health information exchanges, and e-prescribing, and whether or not the state provides automatic, up-to-date or daily information about a patient when a practitioner requests information on a patient.