
Washington Debrief: House Members Weigh In on Forthcoming OCR Ransomware Guidance

July 5, 2016
by Leslie Kriegstein, Vice President of Congressional Affairs, CHIME

Congressional Affairs

House Members Weigh In on Forthcoming OCR Ransomware Guidance

Key Takeaway: Ahead of expected guidance from the Office for Civil Rights (OCR) concerning the treatment of ransomware incidents in the healthcare sector, two members of the House Committee on Oversight and Government Reform shared their expectations for the guidance in a letter sent last week.

Why It Matters: Ransomware has been the subject of congressional hearings this year, and has grabbed headlines across the country. Given the prevalence of such instances, especially within healthcare, senior officials at OCR announced their intention to release guidance on ways to combat the ransomware threats, with a focus on contingency plans and attack prevention.

Representative Will Hurd (R-TX-23), the chairman of the Information Technology subcommittee of the House Committee on Oversight and Government Reform, and Representative Ted Lieu (D-CA-33), a vocal member in the minority ranks of the Committee, wrote to OCR last week offering suggestions on the forthcoming ransomware guidance.

The letter suggests that the Office for Civil Rights treat ransomware attacks as breaches under Health Information Technology for Economic and Clinical Health (HITECH) regulations and encourages regulators to require that healthcare institutions notify patients when denial of access to health records and/or healthcare services could negatively impact patient care. The lawmakers also recommend that information concerning the attack be shared with the federal government and information sharing organizations.

While the industry awaits the ransomware guidance from OCR, last month HHS, in coordination with a number of federal agencies including the Department of Justice (DOJ) and Department of Homeland Security (DHS), sent a set of technical recommendations aimed at CIOs intended to share best practices and mitigation strategies relating to ransomware incidents.

Finance Committee Chairman Releases White Paper on Stark Laws

Key Takeaway: Stark laws and their impact on healthcare provider participation in alternative payment models were the subject of a white paper released last week by the Chairman of the Senate Committee on Finance.

Why It Matters: Healthcare stakeholders have cited the need to modernize the Stark Law as the nation pursues coordinated care as a means to improve quality and reduce costs. The Stark law, which prohibits a physician from referring Medicare patients to an entity with which a financial relationship exists, can impact electronic health record (EHR) access to affiliated providers and hospitals.

One IT example cited in the white paper released by Senator Orrin Hatch (R-UT) concerns physician participation in an Accountable Care Organization (ACO), which includes access to the same EHR system as the remainder of the network. Uncertainty arises over whether a physician who leaves the ACO would be subject to Stark liability. The report cites this example as a potential impediment for physicians to participate in Alternative Payment Models (APMs).

Federal Affairs

MACRA Comments

Key Takeaway: CHIME submits comments on MACRA/MIPS/APMs and signs onto a multi-stakeholder letter promoting telehealth.  Think the rule doesn’t apply to hospitals?  It does - keep reading.

Why it Matters: The MACRA comment deadline has finally come and gone.  Now comes the waiting game. CMS is required under the law to finalize the rules for MIPS and APMs by November 1, 2016. 

Start Date

Many commenters, including CHIME, expressed concerns with the start date.  The law says MIPS must begin on or after January 1, 2019.  CMS proposed that the calendar year of 2017 be the year upon which the payments for 2019 would be based – otherwise known as the reporting year.  The challenge, however, is that this leaves 60 days for vendors and providers to prepare for the new system.


Wondering how the MIPS/APM rule impacts hospitals?  As a preliminary matter, hospital CIOs need to know that MACRA requires that both clinicians and hospitals demonstrate they are not data blockers.  The law specifically calls for them to: