Key Takeaway: Last week the Department of Homeland Security (DHS) released guidance to assist private sector and federal entities to share cyber threat indicators with the Federal Government.
Why It Matters: The release of guidance and interim policies relating to the sharing of cyber threat indicators (CTIs) with the federal government was the first significant deliverable from the passage of the Cybersecurity legislation that was enacted into law in late 2015.
President Obama signed the Cybersecurity Information Sharing Act of 2015 into law on December 28, 2015, with the goal of increasing cybersecurity information sharing between the private sector and the Federal Government. The Act provides various protections to non-federal entities that share CTIs defensive measures with the Federal Government.
The Department’s Automated Indicator Sharing (AIS) initiative, through the National Cybersecurity and Communications Integration Center (NCCIC) is the principal vehicle for sharing indicators with the Federal Government. Threats shared with the Department through AIS or other official DHS mechanisms, conducted according with the Act’s requirements receives liability protection.
In addition to the guidance released to assist private sector and federal entities to share CTIs with the Federal Government, the Department also released interim policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, interim guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government’s possession.
The first round of deliverables from the healthcare-specific section of the Cybersecurity law are due from the Department of Health and Human Services (HHS) by March 17, 2016. This includes the establishment of a taskforce of healthcare industry stakeholders tasked with outlining the unique challenges, opportunities and needs of the healthcare sector as it related to cybersecurity.
The Administration also announced the formation of commission on improving cybersecurity, chaired by Tom Donilon, former National Security advisor, and Sam Palmisano, former IBM CEO.
Quality Measure Alignment Drumbeat Bears Some Fruits from CMS in a New Effort
Key Takeaways: CMS Announces new alignment effort following repeated calls to harmonize quality measures
Why it Matters: CHIME has repeatedly comment to CMS that the need for standards harmonization is critical not only from the standpoint of reducing administrative burden and complexity for providers, but in order to deliver on the intended value for patients. CHIME advocated again for this in our comments to CMS on their Request for Information on quality measurement as among our top 3 recommendations which include:
- Reduce the burden on providers by better aligning the reporting requirements of different payers and government programs.
- Require vendors to certify to all electronic clinical quality measures (eCQMs).
- Improve the testing process to be more reflective of real-life clinical scenarios, rather than sterile testing environments
In response to repeated calls for more measure alignment, CMS recently announced that in conjunction with America’s Health Insurance Plans (AHIP) and others in the industry they have arrived at consensus on measuring physician quality in seven areas through an effort known as the Core Quality Measures Collaborative. The seven areas include: accountable care organizations (ACOs), patient centered medical homes (PCMH), and primary care; cardiology; gastroenterology; HIV and Hepatitis C; medical oncology; obstetrics and gynecology; and orthopedics. CMS is already using measures from the each of the core sets. Using the notice and public comment rule-making process, CMS also intends to implement new core measures across applicable Medicare quality programs as appropriate, while eliminating redundant measures that are not part of the core set.
OCR Pumps out New, Clarifying Guidance on HIPAA
Key Takeaways: New OCR guidance takes aim at clarifying existing rules
Why it Matters: In a series of blog posts, the Office for Civil Rights (OCR) is releasing a series of guidance documents intended to provide greater clarity around HIPAA privacy and security rules. To date they have published three of the four blogs with different guidance / fact sheets. Notably, OCR states those covered entities disclosing PHI are not liable for what the receiver does with the information so long as the information was disclosed in the proper manner.
Blog Posts:
- Blog Post #1 – The Real HIPAA Supports Interoperability
- Blog Post #2 - The Real HIPAA: Permitted Uses and Disclosures
- Blog Post #3 - The Real HIPAA: Care Coordination, Care Planning, and Case Management Examples
- Blog Post #4 - Quality Assessment/Quality Improvement and Population-Based Activities Examples – Coming 2/25
Fact Sheets:
- Permitted Uses and Disclosures: Exchange for Health Care Operations
- Permitted Uses and Disclosures: Exchange for Treatment
OCR also recently released guidance aimed at health ap use. OCR provides some nice, plain English examples of when a developer is indeed acting as a business associate of a provider and when they are not.
Meaningful Use Deadline Update
Key Takeaway: CMS Extends the Meaningful Use Attestation Deadline for the EHR Incentive Programs to March 11, 2016
Why it Matters: The Centers for Medicare & Medicaid Services (CMS) extended the attestation deadline for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to Friday, March 11, 2016 at 11:59 p.m. ET, from the original deadline of Monday, February 29. Visit the Registration and Attestation the 2015 Program Requirements pages on the CMS EHR Incentive Programs website.