Meaningful Use / MACRA
CMS Finalizes MU Changes for Hospitals
Key Takeaway: CMS finalizes 90-days for Meaningful Users for 2016 AND 2017
Why it Matters: CMS has heeded our call for extending the 90-day reporting period not only for 2016 but also for 2017 which they included in the final rule on hospital outpatient prospective payment system (OPPS). We will continue to advocate aggressively for a 90-day period for 2018 and beyond.
CMS also finalized a number of changes for hospitals which will provide welcomed relief for hospitals in 2017, 2018 and beyond. CMS published the final rule as we were in route to our Fall Forum so we look forward to digging our teeth into this and providing you with more details shortly. We can tell you that a number of measures (i.e. CPOE and CDS) have been removed and that several measure thresholds have been substantially reduced. These combined with the shorter reporting periods should provide some nice breathing space for hospitals. The CMS fact sheet on the final rule can be found here.
Cybersecurity
FDA Receives Letter from Lawmakers on Devices
Key Takeaway: Last week lawmakers expressed concern about medical device cybersecurity and the current capabilities of the Food and Drug Administration (FDA) to aid the industry in mitigating security vulnerabilities.
Why It Matters: Among the many cybersecurity threats facing the nation’s health IT leaders, medical device cybersecurity vulnerabilities have begun to make headlines and have caught the attention of lawmakers from the House Committee on Energy & Commerce. With the reauthorization of the Medical Device User Fee Amendments (MDUFA) set for Congressional approval before the start of FY18, lawmakers will take close look at how the FDA evaluates the safety and efficacy of medical devices.
Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sent a letter to FDA Commissioner Dr. Robert Califf and the Director of the Center for Devices and Radiological Health (CDRH) Dr. Jeffrey Shuren, requesting information by December 16th about how the FDA is assisting the industry in mitigating cybersecurity risks, educating providers and manufacturers and protecting patients.
The letter poses a number of questions to the FDA, including those listed below.
- How is the FDA is working with medical device manufactures to ensure that known vulnerabilities to patients and/or entire health systems are mitigated and disclosed to all users? What efforts are currently underway to ensure that providers and patients are properly informed about known vulnerabilities among devices currently deployed for patient care?
- Given the potentially long lifecycle of some devices, what is the FDA doing to ensure device security and patient privacy is accounted for throughout the prolonged use of devices despite the emergence of new threat vectors?
- How is the Agency coordinating its cybersecurity initiatives with other agencies, both within the Department of Health and Human Services (HHS), and across the federal government, including the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC)?
FTC weighs in on HIPAA
Key Takeaway: Sharing consumer health information? FTC says look to HIPAA and the FTC Act
Why it Matters: FTC writes in a recent fact sheet, “Does your business collect and share consumer health information? When it comes to privacy, you’ve probably thought about the Health Insurance Portability and Accountability Act (HIPAA). But did you know that you also need to comply with the Federal Trade Commission (FTC) Act? This means if you share health information, it’s not enough to simply consider the HIPAA regulations. You also must make sure your disclosure statements are not deceptive under the FTC Act.”
Interoperability
OCR wades into information blocking
Key Takeaway: OCR recently published guidance instructing business associates that information blocking can constitute a HIPAA violation.
Why it Matters: Beyond the obvious reasons of why a business associate refusing a provider ongoing access to patient PHI following termination of a contract or a contract dispute is a problem, this is also an issue for patients. OCR has put their stake in ground by saying that vendors may not block access to patient information otherwise they risk violating HIPAA. The guidance is posted in the form of an FAQ which can be found here.
NIST update
Key Takeaway: NIST spins up effort on infusion pump security and releases new workforce cyber tools.Bottom of Form
Why it Matters: Anyone interested in working with NIST to tackle infusion pump security has an opportunity to do so under a new initiative. The new effort is being billed as a, “collaboration with members of the health information technology (IT) community, medical device manufacturers, and cybersecurity vendors.” NIST has also published new workforce resources which are detailed below.
New Cyber Talent Resource: The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released a resource that will help U.S. employers more effectively identify, recruit, develop and maintain cybersecurity talent. The draft NICE Cybersecurity Workforce Framework (NCWF) provides a common language to categorize and describe cybersecurity work to help organizations build a strong staff to protect their systems and data.
Webinar on cyber apprenticeships: On November 16 at 2pm ET, NIST is hosting a webinar titled, “Building Your Cybersecurity Team with Apprenticeships,” which aims to highlight some of the innovative programs introducing the apprenticeship model to the U.S. cybersecurity industry. A speaker from the Department of Labor and the Tidewater apprenticeship program which is approved by the DOL will be featured. The Tidewater apprenticeship program aims to prepare students to enter into critically needed Information Security Analyst roles in cybersecurity, computer forensics or incident response. Tidewater Community College has been named a National Center of Academic Excellence in Cyber Defense by the DHS and NSA. Interested attendees can go here to register.
Interactive Career Resource: NIST has rolled out CyberSeek, an interactive online tool designed to make it easier for cybersecurity job seekers to find openings and for employers to identify the skilled workers they need.
Chronic Care Legislation Includes Telehealth Provisions
Key Takeaway: A draft bill released by the Senate Committee on Finance focused on improving care for the chronically ill provides opportunities to expand telehealth and remote patient monitoring.
Why It Matters: In a partisan fashion, members of Congress in both the House and Senate have pursued a number of ways to improve access to telehealth services for Medicare beneficiaries. The latest effort builds on the Senate Finance Chronic Care Working Group’s efforts to improve care for those with chronic conditions.
The draft Creating High-Quality Results and Outcomes Necessary to Improve Chronic Care Act or “CHRONIC Care Act” released last week by the Senate Finance Committee, would allow Medicare Advantage plans to account for certain telemedicine services in the capitated payments they receive from Medicare. The draft bill also includes three policies from the CONNECT for Health Act, sponsored by Senator Brian Schatz (D-HI), which CHIME and many in the industry have endorsed. The three policy changes include: amending how Medicare's geographic requirement restrictions for some shared savings accountable care organizations (ACOs), allowing patients to receive telemedicine visits in their homes, and reimburse for stroke visits via telemedicine and allow the review of stroke patient brain scans remotely to determine treatment options.
CHIME has been engaged in the Committee’s efforts to enhance chronic care across the nation since they began in the summer of 2015, submitting comments in June 2015 focused on telehealth and care coordination. CHIME again submitted comments in January on the group’s policy options proposal which foreshadowed some of the proposals included in the draft legislation released last week.