Policy & Value-Based Care
Ready To Take On Risk? Most Hospital Finance Execs Say Yes, Per New Report
More than seven in 10 hospital and health system senior finance executives believe their organizations are ready to assume increased levels of risk through commercial payer and Medicare contracting models, and Medicare Advantage, according to a new survey from consulting firm Navigant and the Healthcare Financial Management Association (HFMA).
The survey, which included 170 hospital and health system senior finance executive respondents, also showed that providers are partnering on or launching provider-sponsored health plans (PSHP) as part of the risk-assumption strategies. In fact, 44 percent of respondents say their organizations are already part of a PSHP (25 percent) or plan to launch one in the future (19 percent).
The findings revealed that 72 percent of these executives both believe their organizations have the capabilities needed to support increased levels of risk and plan to take on additional risk in the next one to three years across the following:
• Commercial payer contracting models: 64 percent
• Medicare value-based models: 57 percent
• Medicare Advantage: 51 percent
While Medicare and commercial payers are increasing their value-based contracting offerings, there remains varying levels of engagement on risk arrangements in local markets, according to Navigant’s 2018 CEO Forum executive panel.
What’s more, the researchers noted that having the appropriate technology underpinning is essential to payer-provider risk arrangements. When asked in what areas they’re planning to increase investments (financial, labor) to enhance collaboration with payers and support increasing levels of risk, 62 percent of respondents suggested technological capabilities with more than half citing physician (57 percent) and member (56 percent) engagement.
Among executives suggesting their organizations will not pursue increased risk levels, 56 percent cited a lack of local market demand. Further, 42 percent of executives suggested operational processes, such as contract execution and care coordination and management, as the top challenge with maintaining risk-based capabilities.
However, even with their increased risk-assumption interest, providers will inevitably continue to operate in a market primarily driven by fee-for-service (FFS) payments, according to researchers. “But the path forward does not have to be an either-or scenario. Hospitals and health systems can drive revenue and margin growth in both FFS and value-based worlds through strategies focused on engaging physicians on clinical standardization, targeted cost of care reductions in areas such as post-acute care, and building tight provider network relationships,” the analysis suggested.
“The Affordable Care Act left many providers assuming that risk-based models would be the new normal, but the transition has not been as successful or widespread as anticipated,” Richard Bajner, Navigant managing director and healthcare value transformation practice leader, said in a statement. “With most health systems anticipating continued downward pressure on margins, accepting risk can represent a lever for revenue growth, as long as providers clarify internal accountabilities and commit enough of their resources to risk models. These results show the value-based movement may be coming full circle, and this time providers will benefit from previous experiences in designing their approach.”
Interoperability & HIE
Coalition Calls for ONC Proposal to be Rescinded
As stakeholder comments have poured in on ONC’s and CMS’ proposed interoperability rules, one group— Health Innovation Alliance (HIA)—is formally calling on ONC (the Office of the National Coordinator for Health IT) specifically to rescind its regulation.
The two proposals released in February—about 1,200 pages combined—look to further advance the nation’s healthcare interoperability progress. But the Health Innovation Alliance—formerly called Health IT now and representative of patient groups, providers, employers, insurers, and startup innovators—attests in a letter to federal officials that the information blocking exceptions to the ONC proposed rule are so vague that “they will produce a market worse than today’s status quo.” The coalition further explains that the rule extends beyond the scope of the 21st Century Cures Act and runs counter to Congressional intent by granting ONC unprecedented new regulatory authority.
According to federal officials, the proposed ONC rule implements the information blocking provisions of the 2016 Cures Act, which defined information blocking as interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information.
The new ONC rule proposes seven exceptions to the definition of information blocking. As it outlines, there are four specific healthcare “actors” regulated by the information blocking provision: providers, certified health IT developers, HIEs (health information exchanges) and HINs (health information networks). The seven proposed exceptions include: preventing harm; promoting the privacy of EHI; promoting the security of EHI; recovering costs reasonably incurred; responding to requests that are infeasible; licensing of interoperability elements on reasonable and non-discriminatory terms; and maintaining and improving health IT performance.
HIA specifically wrote in its letter to ONC, “The categories –security, privacy, etc. –may be appropriate, but the lack of clarity and specificity, and sweeping and broad exceptions are troubling. Because the exceptions are so broad, we are deeply concerned that many of these exceptions will become organizational policy and ingrained practices. As a result, information blocking will persist.”
Cybersecurity
KLAS, CHIME Release Report Showing Gaps, Gains in Cybersecurity Practices in Healthcare
As a press release published jointly by KLAS and CHIME noted, “Many organizations that participated in the CHIME HealthCare’s Most Wired program in 2018 reported they follow cybersecurity practices recommended by a federally convened task group of private and public cybersecurity leaders. The task group, called for in Section 405(d) of the Cybersecurity Act of 2015, published their recommendations in HICP (“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”) at the end of 2018.”
In that context, the press release noted, “HICP lists 10 overarching cybersecurity practices that the task group determined organizations of all sizes, from local clinics to large healthcare systems, should follow. These include email protection systems, endpoint protection systems, access management, data protection and loss prevention, network management, vulnerability management, incident response, medical device security and cybersecurity policies. An analysis of responses in the 2018 Most Wired survey was published as a CHIME-KLAS white paper, “How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices Guidelines?” The white paper reports that while many providers have adopted guidelines outlined in HICP, there was room for improvement, especially among smaller organizations.”
In preparing the report, KLAS and CHIME analyzed responses from the 600+ healthcare organizations that participated in the 2018 Healthcare’s Most Wired survey. The Most Wired survey is conducted annually by CHIME to benchmark and identify industry best practices. With support from Clearwater Compliance, CHIME collaborated with KLAS to produce the white paper that assesses the adoption of the task group’s recommendations for reducing and mitigating cybersecurity risks.
Though that survey and the HICP guidelines do not overlap in every regard, this white paper explores adoption of those HICP guidelines that were measured by the Most Wired survey. This analysis was augmented by provider commentary and data collected by KLAS via other research efforts.
Among the key findings of the Most Wired survey:
• Regardless of size, most organizations have deployed email and endpoint protection systems, establishing an initial layer of defense against internal and external threats.
• Many organizations are transitioning from homegrown identity and access management (IAM) solutions to commercial solutions to support their identity policies. Multifactor authentication (MFA) remains a gap for half of small organizations.
• Data-loss prevention (DLP) solutions have been widely adopted, though deployment of on-premises DLP solutions has slowed, as organizations have transitioned to the cloud.
• Today’s security requirements are challenging historical asset management practices.
• Most organizations have network access control (NAC) solutions to monitor devices that connect to their networks; however, less than half of small organizations are using network segmentation to control the spread of infections.
• Large organizations report more sophisticated and more frequent vulnerability scanning and application testing. Small organizations more frequently turn to penetration testing to identify vulnerabilities.
“CHIME’s goal with Most Wired is to improve patient safety and outcomes around the world by identifying best practices and sharing that knowledge across our industry,” said Russell Branzell, CHIME’s president and CEO, in a statement in the press release. “Working with KLAS, we are able to use this amazing resource to benchmark the current state of the industry and highlight strengths and gaps. HICP provides a perfect opportunity to see how far we have progressed and where we need to go in cybersecurity.”
“This report is a wake-up call and road map to identifying cybersecurity vulnerabilities for healthcare providers, and highlighting where specific progress needs to be made,” said Adam Gale, president of KLAS. “CHIME is playing a critical role in monitoring and promoting adoption of HICP recommendations.”
The CHIME-KLAS white paper further found that many organizations have an incident-response plan, but only half conduct an annual enterprise-wide exercise to test the plan. For medical device security, some large organizations report investing in supporting technologies while small organizations say they have strong internal processes. Small organizations are less likely to use cybersecurity policies, and small and medium organizations are four times less likely to have a CISO than large organizations.