CMS Intends Delay for Stage 3 of Meaningful Use; Timelines, Penalties Remain for 2014
Key Takeaways:
- CMS will look to push the start of Stage 3 Meaningful Use to 2017 for providers who began MU in 2011, 2012 and 2013.
- The Stage 3 delay will not change any requirements for providers in 2014; all providers must use 2014 Edition CEHRT; all hospitals must be MU-ready by July 1, and all EPs must be MU-ready by October 1.
Next Steps: CHIME will continue to push for flexibility in 2014 for all providers; members are encouraged to share their MU story with CMS officials and Public Policy staff in Washington.
In a pair of blog announcements last week, CMS and ONC said they intend to initiate rulemaking that would delay the beginning of Stage 3 Meaningful Use from 2016 to 2017. However, the move does not change any requirements or deadlines for Meaningful Use in 2014, CMS confirmed. In an effort to stem misinformation contained in health IT trade publications, CHIME issued an announcement to clarify for members what the announcement said and did not say. “Hospitals still have to be Meaningful Use-ready by July 1, 2014, and physicians have to be ready by Oct. 1, 2014,” said CHIME President and CEO Russ Branzell. “While this announcement will benefit the program in 2017, it does nothing to address providers’ concerns today. Flexibility in 2017 will not matter if the program does not survive 2014.”
While CHIME believes that the federal agency’s announcement Friday gives vendors and policy makers flexibility to ensure the outcomes sought in Stage 3 are realized, it’s disappointed that the changes do not provide the flexibility for providers requested in previous recommendations. CHIME strongly urged CMS to consider previous recommendations to give EHs and EPs flexibility in meeting the start date of Stage 2. CHIME reiterated its belief that some providers will need an additional year to install, test, implement and operationalize the new certified EHR software.
SGR Repeal: 3 month Patch and Permanent Fix Efforts
Key Takeaway: Washington moves one step closer to a permanent “doc fix” that repeals the Sustainable Growth Rate (SGR) approach and replaces it with a permanent Medicare physician payment structure that includes bonuses for providing quality care and using health information technology.
While Congress continues to negotiate a permanent fix, a three month SGR patch (ending March 31) that generally maintains the status quo has been attached to the budget deal passed by the House last week. This patch includes a 0.5% increase in payments each year for three years for surgeons.
Payment reform is one of the main focuses for SGR repeal legislation. As previously reported, Medicare payment would be frozen for 10 years with incentives for physicians that successfully participate in existing Medicare programs, including Meaningful Use, the Physician Quality Reporting System and the value-based modifier. The goals of the bonus payments include reducing waste in the healthcare system and therefore reducing healthcare costs, and providing better quality care for Medicare patients. Penalties also will be used to cut reimbursement for physicians that don’t meet certain quality thresholds. Changes to long-term care are also expected as noted in this article. To prevent a 24% cut in reimbursement, Congress must take some action before December 31.
CMS Tip Sheet Offers Guidance on Security Risk Assessments
Key Takeaway: The Centers for Medicare & Medicaid Services recently released a “tip sheet” on conducting a security risk assessment (SRA), which is required under both HIPAA and Meaningful Use.
According to the document, eligible professionals (EPs) and eligible hospitals (EHs) must conduct a security risk analysis in both Stage 1 and Stage 2 of Meaningful Use. For Stage 1, EPs and EHs “must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” In Stage 2, EPs and EHs need to meet the same security risk analysis requirements as Stage 1, but also must address the encryption/security of data at rest. The SRA “tip sheet” includes “Security Areas to Consider,” “Examples of Potential Security Measures” and “Security Risk Analysis Myths and Facts.” The document contains hyperlinks to outside references and other guides produced by HHS.
CHIME earlier this year held a webinar with CMS officials to discuss Meaningful Use Audits, and security risk assessments played a big part of the ensuing question and answer session. You can access an archive of the webinar at the link above.
CHIME Responds to Federal Cybersecurity Plan, Calls for Flexibility
Key Takeaway: CHIME applauded a proposed federal framework for cybersecurity, urged flexibility for providers in implementing the final version and cautioned against costly compliance requirements.
Next Steps: A final version of the cybersecurity framework is due in early 2014. Further discussions of how the healthcare sector will use the framework are expected.
In comments submitted to the National Institute for Standards & Technology (NIST) on a proposed federal framework for cybersecurity, CHIME asked government officials to consider a number of unique issues related to healthcare and issued the following recommendations when developing the final framework:
- Future iterations of the framework should consider the inclusion of a risk counterfactual, or a way to determine what the risk of inaction is likely to be.
- All federal agencies engaged in the regulation of healthcare should use a compatible instantiation of this framework for risk identification, assessment and management.
- Federal regulatory bodies should not use the cybersecurity framework to impose more cost and administrative burden on providers.
- Further, regulators should identify ways to help support under-resourced providers meet new requirements.
- Federal officials should be encouraged to develop a toolkit application that would assist organizations to better understand implementation of the framework into their environments.
CHIME’s public comments to NIST’s Preliminary Cybersecurity Framework can be accessed here.
Edited for format by Gabriel Perna
