Congressional Efforts Renewed for a 90-day Reporting Period in 2016
Key Takeaway: Last week bills were introduced into both the House and Senate to direct the Centers for Medicare and Medicaid Services (CMS) to institute a 90-day reporting period for Meaningful Use program participants for 2016.
Why It Matters: The bipartisan, bicameral backing for a 90-day reporting period illustrates clear support for sensible changes to the Meaningful Use program and will help hundreds of thousands of providers be successful in 2016, a year of transition particularly for EPs as they move into either the Merit-based Incentive Payment System or an Alternative Payment Model starting January 1, 2017. Further, a 90-day reporting period would offer welcome flexibility to the program's participants, especially as the provider community awaits other potential changes that have been signaled by CMS Acting Administrator Andy Slavitt.
Rep. Renee Ellmers (R-NC) is the sponsor of the House bill (HR 5001), with bipartisan support from Ron Kind (D-WI), Tom Price (R-GA), Bobby Rush (D-IL), Marsha Blackburn (R-TN) and Doris Matsui (D-CA). In the Senate, the bill (S. 2822) was sponsored by Sen. Rob Portman (R-OH) and Michael Bennet (D-CO). This important legislation would give eligible providers and eligible hospitals the option to choose any three-month quarter for EHR reporting in 2016.
Physician Groups Speak to MACRA Readiness Efforts in House Hearing
Key Takeaway: Representatives from four physician groups offered optimism during a congressional hearing last week examining the provider community’s efforts to prepare for the January 1, 2017 transition to the Merit-based Incentive Payment System (MIPS) or an Alternative Payment Model (APM) for Medicare reimbursement established under the Medicare Access and CHIP Reauthorization Act (MACRA).
Why It Matters: The House Committee on Energy & Commerce hosted its second hearing in two months to examine the forthcoming implementation of the Medicare Access and CHIP Reauthorization Act or MACRA, which was signed into law in April 2015. The draft rules outlining what Medicare physicians must do to participate in MIPS or an APM remain under review at the Office of Management and Budget (OMB).
Vowing continued oversight, the Committee heard from witnesses from the American Medical Association, American College of Physicians, American Academy of Family Physicians and the American Medical Group Association on their efforts to prepare their membership for the transition to MACRA policies.
CMS Releases IPPS Draft Rule, Includes Mandatory Full-Year eCQM Reporting in 2017
Key Takeaway: Hospitals that fail to meet the requirements of the Meaningful Use program in 2017 will be subject to a greater penalty as stated in the Medicare Inpatient Prospective Payment System (IPPS) proposed rule informally released last week.
Why It Matters: The Centers for Medicare and Medicaid Services (CMS) has proposed that acute-care hospitals that don't meet requirements of the meaningful use program in fiscal year 2017 will be subject to a 75 percent reduction in their market basket update, up from a 50 percent reduction for 2016. The proposed change to the penalty is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which established the Meaningful Use program in 2009.
In addition to the proposed market basket reduction increase, CMS also proposed to mandate the electronic reporting of 15 clinical quality measures for 365 days using their electronic health record (EHR) in 2017. The proposed rule suggests eliminating 13 of the 28 electronic clinical quality measures (eCQM) from the hospital Inpatient Quality Reporting (IQR) program and the Meaningful Use program. The majority of the measures that are expected to be eliminated are those considered to be “topped out”, meaning hospitals have already met the highest thresholds for performance.
The proposed rule did not contain any obvious changes to the Meaningful Use program for the 2016 program year, or future program years beyond the number of eCQMs to be reported.
The proposed rule will be formally published in the Federal Register on April 27th.
HHS Cybersecurity Task Force Has First In-Person Meeting
Key Takeaway: The healthcare industry cybersecurity task force mandated by the Cybersecurity Information Sharing Act of 2015, which was signed into law last December, held its first in-person meeting last week.
Why It Matters: The cross-industry task force, which includes two CHIME Board Members, Theresa Meadows, Senior Vice President and Chief Information Officer at Cook Children’s Health Care System (the task force’s co-chair) and David Finn, Health Information Technology Officer at Symantec Corp., has a directive to prepare recommendations for improving cybersecurity across the healthcare sector.
The task force, in coordination with the Department of Health and Human Services (HHS), the Department of Homeland Security (DHS) and the National Institute for Standards and Technology (NIST), was given the following specific directives in the law:
- Analyze how other industries have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
- Analyze challenges and barriers private entities (excluding state and federal governments) in the healthcare industry face securing themselves against cyber-attacks;
- Review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record (EHR);
- Provide HHS with information to disseminate to healthcare industry stakeholders of all sizes for purposes of improving their preparedness for and response to cybersecurity threats affecting the industry;
- Establish a plan for implementing cyber threat information sharing so that the Federal Government and healthcare industry stakeholders may in real time share actionable cyber threat indicators and defensive measures.
The task force will meet in-person in July, September and December with monthly teleconferences. After the task force has completed its analysis, HHS must distribute the recommendations to the healthcare industry to improve their preparedness and response to cybersecurity threats.
CHIME/AEHIS Submit Comments on Medical Device Cybersecurity
Key Takeaway: Last week CHIME and AEHIS submitted comments to the Food and Drug Administration (FDA) offering feedback on postmarket management of cybersecurity of medical devices.
Why It Matters: Medical device security has been a growing source of concern for CIOs and CISOs alike; meanwhile, the Administration and Congress have slowly started to express interest in the subject.
The comments, submitted last Thursday, were in response to draft guidance “Postmarket Management of Cybersecurity in Medical Devices” released by the FDA earlier this year. The CHIME/AEHIS comments suggested “an increased and formalized collaboration between the medical device manufacturers and HDOs [healthcare delivery organizations] is critical.”
Further, the joint comments suggested that manufacturers should be expected to configure their devices to the industry’s accepted security standard that accounts for basic principles of cybersecurity controls to alleviate risk. The CHIME/AEHIS comments also called for a standardized risk framework to be employed by manufacturers.
Notably, Representative Jim Langevin (D-RI), co-chair of the House Cybersecurity Caucus, penned a response to the proposed guidance. Rep. Langevin’s comments supported a risk-based approach to security to match the constant shifting of the threat landscape, citing, “Rather than outline specific controls, which would rapidly become obsolete, the guidance suggests processes, such as monitoring cybersecurity information sources, that are tied to a holistic model of risk.”
Further, the Congressman highlighted the important responsibility the FDA holds to ensure that manufacturers are properly complying with the proposed mitigation methods or are properly reporting cybersecurity risks. He also calls on the FDA to strengthen their partnerships with private industry.
Representative Langevin isn’t the first member of Congress to express concern about the current state of medical device security. Senator Barbara Boxer (D-CA) authored a letter directly to the device manufacturers inquiring about their efforts to improve medical device security against the growing threat landscape.