Washington Debrief: Senate Committee Releases Bipartisan Health IT Legislation

Jan. 25, 2016
The 68-page draft bill released by the Senate Health, Education, Labor and Pensions (HELP) Committee featured references to key CHIME issues including: patient matching, standards harmonization and reducing the administrative burdens caused by electronic health records (EHRs).

Congressional Affairs

Senate Committee Releases Bipartisan Health IT Legislation

Key Takeaway: The 68-page draft bill released by the Senate Health, Education, Labor and Pensions (HELP) Committee featured references to key CHIME issues including: patient matching, standards harmonization and reducing the administrative burdens caused by electronic health records (EHRs).

Why It Matters: Last week the HELP Committee released the long-awaited work product of their six Committee hearings on health IT and EHRs. The Committee hopes the legislation will spur interoperability, enable innovation and improve usability of health IT products for providers and patients.

Only resembling key themes of the interoperability-focused provision of the House-passed 21st Century Cures Act, the Senate HELP Committee’s stand-alone health IT bill, which will accompany a number of biomedical innovation bills, focuses on seven key topics:

  1. Assisting Doctors and Hospitals in Improving Quality of Care for Patients
  2. Transparent Ratings on Usability and Security to Transform Information Technology (TRUST IT)
  3. Information Blocking
  4. Interoperability
  5. Leveraging Health Information Technology to Improve Patient Care
  6. Empowering Patients and Improving Patient Access to Their Electronic Health Information
  7. Encouraging Trust Relationships for Certified Electronic Health Records (EHR)
  8. GAO Study on Patient Matching

Of interest to CHIME, the bill would direct the Government Accountability Office to conduct a study on patient matching. In particular, it asks GAO to evaluate current methods for patient matching and to determine if the Office of the National Coordinator for Health Information Technology could take steps to improve patient matching. While we would prefer a national identification solution, this important step signifies Congress’ recognition and willingness to address the important of linking patients to their healthcare data.

CHIME submitted comments to the Committee to inform the development of this draft legislation last July and will again submit comments to Committee this week.

Comments on the draft legislation are due on Friday, January 29, 2016. Committee Chairman Lamar Alexander (R-TN) announced the Committee would review the bill during an executive session on February 9, 2016.

Federal Affairs

2015 Program Year Meaningful Hardship Application Released

Key Takeway: CMS Releases New Hardship Application for the 2015 Program Year – first filing deadline is March 15, 2016

Why it Matters: Last week, CMS released the hardship applicatiosn which providers (EPs and EHs) can use to avoid a penalty under Meaningful Use for the 2015 Program Year.  The revised applications are required under the Patient Access and Medicare Protection Act (PAMPA) which was signed into law at the end of 2015. In the past eligible hospitals and eligible professionals have had separate application forms, however, the new application can be used by both physicians and hospitals.  Critical Access Hospitals (CAHs) have their own application (CAHs that have already submitted a form for 2015 are not required to resubmit).  The new applications and instructions are to avoid a penalty in 2017 for the 2015 reporting year. Instructions for completing the applications can be found here.  More information can also be found on the CMS website.

Under the new applications CMS permits providers to file as individuals or as groups.  Prior to the new law, each provider had to submit a separate application. There are several deadlines providers should be aware of (and also while not mentioned below the law allows providers to apply on a case by case basis as late as :

  • March 15, 2016:
    • An application including only eligible professionals (EPs) must meet the EP deadline on March 15,2016
    • An application including EPs and eligible hospitals must meet the EP deadline on March 15, 2016.
  • April 1, 2016: An application including only eligible hospitals / CAHs must meet the deadline of April 1, 2016.

CHIME is in the process of seeking clarification on the new application, particularly Section 2.2.d, “EHR Certification/Vendor Issues (CEHRT Issues),” as it is our understanding based upon communications with CMS that the description of the category where it reads, “or issues related to insufficient time to make changes to the CEHRT to meet,” is intended to capture scenarios that precluded a provider from meeting Meaningful Use as a result of the change in rules that moved the reporting period in 2015 from a full year to 90 days rendering the ability of vendors to modify dashboards in time to comply with the last 90 days of the year, impossible. 

We urge all providers who question if they will be able to successfully attest for 2015 program requirements to apply for hardship and to retain any documentation related to the filing process and justification for choosing a particular hardship category.

CMS and ONC Clarify - Meaningful Use Will Continue

Key Takeaway:  CMS and ONC further clarifies future of Meaningful Use Program after comments made concerning forthcoming program changes two weeks ago by Acting Administrator Andy Slavitt.

Why it Matters: Following comments made by Acting Administrator Slavitt during a speech earlier this month where he suggested significant changes are instore for the Meaningful Use program, CMS and ONC clarified the direction of the program in a recent CMS blog post.  In the blog CMS Acting Administrator Slavitt and HHS Acting Assistant Secretary Karen DeSalvo discuss how the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) provides a “significant opportunity to transition the Medicare EHR Incentive Program for physicians towards the reality of where we want to go next.” They go onto note this work will be guided by four principles: 1) rewarding providers for outcomes; 2) allowing providers to customize their IT; 3) leveling the technology playing field to promote innovation; 4) prioritizing interoperability. To put this into greater context for physicians and hospitals they state:

“The current law requires that we continue to measure the meaningful use of ONC Certified Health Information Technology under the existing set of standards. While MACRA provides an opportunity to adjust payment incentives associated with EHR incentives in concert with the principles we outlined here, it does not eliminate it, nor will it instantly eliminate all the tensions of the current system. But we will continue to listen and learn and make improvements based on what happens on the front line.

The MACRA legislation only addresses Medicare physician and clinician payment adjustments. The EHR incentive programs for Medicaid and Medicare hospitals have a different set of statutory requirements. We will continue to explore ways to align with principles we outlined above as much as possible for hospitals and the Medicaid program.

The approach to meaningful use under MACRA won’t happen overnight. Our goal in communicating our principles now is to give everyone time to plan for what’s next and to continue to give us input. We encourage you to look for the MACRA regulations this year; in the meantime, our existing regulations – including meaningful use Stage 3 – are still in effect.”

CHIME will continue to advocate for the need to create a more flexible Meaningful Use program from hospitals as MACRA only addresses physicians.

FDA Hosts Cyber Conference on Devices and Seeks Input on Draft Guidance

Key Takeaway: FDA seeks input on securing devices from cyber threats

Why it Matters: Growing amounts of patient information being stored and moved electronically, combined with the added value placed on patient’s health care information, opens the door to new cyber threats.  The FDA has recognized this and following the two-day meeting they hosted on January 20-21 to address this topic.

They also published draft guidance, ‘‘Postmarket Management of Cybersecurity in Medical Devices’’ and posted a notice in the Federal Register and are seeking input by April 21.  The draft guidance informs industry of the Agency’s recommendations for identifying, addressing, and monitoring cybersecurity vulnerabilities and exploits for postmarket management of medical devices. This draft guidance is neither final nor is it in effect at this time.  In the guidance the FDA notes:

A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health…This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.

They further note that manufacturers should respond in a timely fashion to address identified vulnerabilities. Critical components of such a program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.