Washington Debrief: CMS Finalizes MU Changes for Hospitals | Healthcare Informatics Magazine | Health IT | Information Technology

Washington Debrief: CMS Finalizes MU Changes for Hospitals

November 7, 2016
by Leslie Kriegstein, Vice President of Congressional Affairs, CHIME

Meaningful Use / MACRA

CMS Finalizes MU Changes for Hospitals

Key Takeaway: CMS finalizes 90-days for Meaningful Users for 2016 AND 2017

Why it Matters: CMS has heeded our call for extending the 90-day reporting period not only for 2016 but also for 2017, which it included in the final rule on the hospital outpatient prospective payment system (OPPS). We will continue to advocate aggressively for a 90-day period for 2018 and beyond.

CMS also finalized a number of changes for hospitals which will provide welcome relief for hospitals in 2017, 2018 and beyond. CMS published the final rule as we were en route to our Fall Forum, so we look forward to sinking our teeth into this and providing you with more details shortly. We can tell you that a number of measures (i.e. CPOE and CDS) have been removed and that several measure thresholds have been substantially reduced. These, combined with the shorter reporting periods, should provide some nice breathing space for hospitals. The CMS fact sheet on the final rule can be found here.


FDA Receives Letter from Lawmakers on Devices

Key Takeaway: Last week lawmakers expressed concern about medical device cybersecurity and the current capabilities of the Food and Drug Administration (FDA) to aid the industry in mitigating security vulnerabilities.

Why It Matters: Among the many cybersecurity threats facing the nation’s health IT leaders, medical device cybersecurity vulnerabilities have begun to make headlines and have caught the attention of lawmakers from the House Committee on Energy & Commerce. With the reauthorization of the Medical Device User Fee Amendments (MDUFA) set for Congressional approval before the start of FY18, lawmakers will take a close look at how the FDA evaluates the safety and efficacy of medical devices.

Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sent a letter to FDA Commissioner Dr. Robert Califf and the Director of the Center for Devices and Radiological Health (CDRH) Dr. Jeffrey Shuren, requesting information by December 16th about how the FDA is assisting the industry in mitigating cybersecurity risks, educating providers and manufacturers and protecting patients.

The letter poses a number of questions to the FDA, including those listed below.

  • How is the FDA working with medical device manufacturers to ensure that known vulnerabilities to patients and/or entire health systems are mitigated and disclosed to all users? What efforts are currently underway to ensure that providers and patients are properly informed about known vulnerabilities among devices currently deployed for patient care?
  • Given the potentially long lifecycle of some devices, what is the FDA doing to ensure device security and patient privacy is accounted for throughout the prolonged use of devices despite the emergence of new threat vectors?
  • How is the Agency coordinating its cybersecurity initiatives with other agencies, both within the Department of Health and Human Services (HHS), and across the federal government, including the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC)?

FTC weighs in on HIPAA

Key Takeaway: Sharing consumer health information? FTC says look to HIPAA and the FTC Act

Why it Matters: FTC writes in a recent fact sheet, “Does your business collect and share consumer health information? When it comes to privacy, you’ve probably thought about the Health Insurance Portability and Accountability Act (HIPAA). But did you know that you also need to comply with the Federal Trade Commission (FTC) Act? This means if you share health information, it’s not enough to simply consider the HIPAA regulations. You also must make sure your disclosure statements are not deceptive under the FTC Act.”


OCR wades into information blocking

Key Takeaway: OCR recently published guidance instructing business associates that information blocking can constitute a HIPAA violation.

Why it Matters: Beyond the obvious reasons why a business associate refusing a provider ongoing access to patient PHI following termination of a contract or a contract dispute is a problem, this is also an issue for patients. OCR has put its stake in the ground by saying that vendors may not block access to patient information; otherwise they risk violating HIPAA. The guidance is posted in the form of an FAQ which can be found here.

NIST update

Key Takeaway: NIST spins up effort on infusion pump security and releases new workforce cyber tools.

