Washington Debrief: Senate Bill Calls for Health-Specific Cyber Framework

Oct. 26, 2015

Congressional Affairs

Senate Bill Calls for Health-Specific Cyber Framework

Key Takeaway: A provision included in the Cybersecurity Information Sharing Act, or “CISA,” directs the Department of Health and Human Services (HHS) to work with the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS).

Why It Matters: CHIME and AEHIS members have called on Congress and HHS over the last few years to provide additional resources to the nation’s hospitals and health systems to assist them in improving their cyber readiness. Because healthcare organizations are an important piece of the nation’s critical infrastructure, it is vital that they have the tools and information they need to identify and more effectively defend against growing cyber threats.

An important first step to improving the nation's defenses is the ability to share cyber threat information in a trusted environment without risking patient confidence in our systems. The Cybersecurity Information Sharing Act (S.754), or CISA, would allow private entities to share threat information with the federal government for the betterment of the nation's overall security.

Further, Section 405 of the Manager’s Amendment contains provisions that are critical for ensuring the nation’s hospitals and health systems are better equipped with the resources they need to secure patient information. Just two weeks ago in a congressional briefing, CHIME members called on the federal government to work with healthcare stakeholders to develop industry-specific standards for protecting health information from cyber criminals.

Section 405, entitled “Improving Cybersecurity in the Health Care Industry” (beginning on page 101), has three major provisions:

  1. Requests a report to be submitted to Congress outlining which official within HHS is responsible for leading and coordinating efforts regarding cybersecurity.
  2. Provides for the creation of a taskforce of healthcare industry stakeholders to analyze the unique nature of healthcare relative to cybersecurity.
  3. Directs HHS to work with NIST, DHS and industry stakeholders to determine an appropriate single, voluntary framework that establishes a common set of security practices and standards that pertain to healthcare organizations, supports voluntary adoption and implementation efforts to improve safeguards, and is consistently updated and made applicable to the range of healthcare organizations.

CHIME is a member of the Protecting America's Cyber Networks Coalition and a supporter of the CISA legislation. We encourage you to use CHIME's Congressional Advocacy Portal to tell your senators today about the importance of being able to share cybersecurity threats across organizations.

Leslie Kriegstein

House Bill would Eliminate Meaningful Use Penalties

Key Takeaway: The “Putting Patients and Providers Ahead of Compressed Regulatory Timelines Act of 2015,” or “Meaningful Use Act,” introduced last week, would eliminate meaningful use penalties and reimburse providers who have been subject to such penalties in 2015.

Why It Matters: Congressional interest in the meaningful use program continues to grow, as the latest legislative push from Representative Steve King (R-IA-04) would eliminate meaningful use penalties for hospitals and physicians.

In a statement accompanying the introduction of the bill, Rep. King said, “The significant and ongoing financial cost of compliance is a deal breaker for many providers who simply cannot handle the financial burden and risks associated with EHRs. The demands of this onerous program means fewer dollars for staff and supplies necessary to attend to patients.”

The legislation is cosponsored by Representatives Marsha Blackburn (R-TN-07) and Ryan Zinke (R-MT-AL).

Federal Affairs

Key Takeaway: Reminder! CHIME is hosting two workgroup meetings on the CMS Merit-Based Incentive Payment System (MIPS) Request for Information (RFI) (see also the notice on the extended comment deadline, which includes priority areas for consideration). Workgroup calls will be held on Tuesday, October 27th and Tuesday, November 3rd, both at 3pm ET.

Why it Matters: The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) set participation in meaningful use (MU) as one of the four performance categories for the MIPS program. The RFI requests stakeholder feedback on how to account for a physician's participation in MU, such as, "Should the performance score for this category be based solely on full achievement of Meaningful Use?" While MIPS has four performance categories, of which MU is one, CMS has recently said that eligible hospitals (EHs) will not be able to benefit from any flexibility CMS offers under MIPS (to the degree that it does) around removing the pass/fail construct of the MU program, as MIPS only applies to EPs. CHIME will continue to advocate to CMS to remove the pass/fail approach for all providers.

CMS Issues FAQ on MU Public Health Reporting Objective

Key Takeaway: The Centers for Medicare and Medicaid Services (CMS) recently posted an updated Frequently Asked Question (FAQ) on meeting the Public Health Reporting objective, offering more flexibility for providers to meet it.

Why it Matters: CMS has asserted on numerous occasions that what providers will be required to do to meet MU in 2015 should not exceed any requirements that were previously in place. Providers were counting on this to be the case and were surprised to see some additional requirements within the Public Health Measure not previously mandated. CMS updated FAQ 12985 to reflect some additional guidance that could help more providers successfully meet the objective. Specifically, the final rule only listed an alternate exclusion for EPs in Stage 1. The updated FAQ, however, lists additional ones, and CMS notes, “We do not intend to inadvertently penalize providers for their inability to meet measures that were not required under the previous stages of meaningful use. Nor did we intend to require providers to engage in new activities during 2015, which may not be feasible after the publication of the final rule in order to successfully demonstrate meaningful use in 2015.”

We have already received some inquiries about this updated FAQ.  We are in the process of seeking clarification and will share what we learn from CMS.  For instance, one member asked whether Stage 1 hospitals are required to register in 2015.  If so, this would represent a new requirement.  Please send any and all questions on meaningful use our way to [email protected].  We will do our best to seek clarity for our members.