Cybersecurity Information Sharing Grants Available from HHS
Key Takeaway: Two grants have been made available by the Department of Health and Human Services (HHS) to improve information sharing on cybersecurity threats within the Healthcare and Public Health (HPH) Sector.
Why it Matters: Two divisions of HHS, the Office of the National Coordinator (ONC) and the Assistant Secretary for Preparedness and Response (ASPR), have announced grant opportunities to further cybersecurity information sharing efforts. HHS hopes these opportunities will facilitate the sharing of cybersecurity threats identified in the HPH Sector with relevant stakeholders in the industry as well as federal partners, including the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The Funding Opportunity Announcements released by ONC and ASPR can be renewed for up to five years and call for an existing Information Sharing and Analysis Organization (ISAO) or Information Sharing and Analysis Center (ISAC) to:
- Provide cybersecurity information and education on cyber threats affecting the HPH Sector
- Expand outreach and educational activities to assure that information about cybersecurity awareness is available to the entire HPH Sector
- Equip stakeholders to take action in response to cyber threat information
- Facilitate information sharing widely within the HPH Sector, regardless of the size of the organization
Details are outlined below:
- ONC grant:
  - Applications due: August 19
  - Grant amount: $250,000
  - Eligible to apply: Among the types of entities that can apply are public and private non-profits and entities already providing outreach and technical assistance to participating organizations on cyber threats
- ASPR grant:
  - Applications are due: August 25
  - Grant amount: $150,000
  - Eligible to apply: Nonprofits with a 501(c)(3) status other than higher education institutions
CMS Announces Cardiac Bundling Program – Contains IT Requirements
Key Takeaway: CMS has published a proposed regulation on bundling cardiac care.
Why it Matters: CMS’ recently published rule proposes to implement three new Medicare Parts A and B episode payment models targeting care for Medicare fee-for-service beneficiaries receiving services during acute myocardial infarction, coronary artery bypass graft and surgical hip/femur fracture treatment episodes. All related care within 90 days of hospital discharge will be included in the episode of care. This program would apply to beneficiaries receiving care in acute care hospitals in certain selected geographic areas.
Pursuant to the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), there are two pathways for physicians to be reimbursed beginning in 2019: the Merit-Based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (APMs). CMS has proposed that in order for episode payment models (EPMs) to meet the criteria to be Advanced APMs, EPM participants would have to use Certified Electronic Health Record Technology (CEHRT) and meet financial risk requirements to be in Track 1 of each EPM. CMS has also proposed that those in EPMs who are not using CEHRT would be in Track 2 and thus not qualify as an Advanced APM. CMS has proposed similar requirements for the Comprehensive Care for Joint Replacement (CJR).
OIG Report Details EHR Downtime
Key Takeaway: The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has published a new report, “Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans,” examining the downtime of electronic health record (EHR) systems.
Why it Matters: Federal agencies and Congress continue to evaluate potential impacts on patient safety resulting from EHR downtime, whether it results from internal hardware disruptions or cyberattacks. Most recently, OIG published a report and explained its reason for the study as follows: “Disruptions, such as natural disasters or technical malfunctions, can make electronic health records (EHRs) unavailable to hospital staff. Prior OIG work found, for example, that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. More recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs.”
In studying the issue, OIG found that almost all hospitals have written EHR contingency plans and that approximately two-thirds said they addressed the four Health Insurance Portability and Accountability Act (HIPAA) requirements reviewed by the OIG, including: a data back-up plan, a disaster recovery plan, an emergency-mode operations plan and testing and revision procedures.
OIG concluded that the growth and evolution of threats to digital health information validate the need for EHR contingency plans. Further, OIG reinforced its prior recommendation that the Office for Civil Rights (OCR) implement a permanent audit program for HIPAA compliance.