House Members Weigh In on Forthcoming OCR Ransomware Guidance
Key Takeaway: In front of expected guidance from the Office for Civil Rights (OCR) concerning the treatment of ransomware incidences in the healthcare sector, two members of the House Committee on Oversight and Government Reform shared their expectations for the guidance in a letter sent last week.
Why It Matters: Ransomware has been the subject of congressional hearings this year, and has grabbed headlines across the country. Given the prevalence of such instances, especially within healthcare, senior officials at OCR announced their intention to release guidance on ways to combat the ransomware threats, with a focus on contingency plans and attack prevention.
Representative Will Hurd (R-TX-23), the chairman of the Information Technology subcommittee of the House Committee on Oversight and Government Reform, and Representative Ted Lieu (D-CA-33), a vocal member in the minority ranks of the Committee, wrote to OCR last week offering suggestions on the forthcoming ransomware guidance.
The letter suggests the Office of Civil Rights to treat ransomware attacks as breaches under Health Information Technology for Economic and Clinical Health (HITECH) regulations and encourages regulators to require that healthcare institutions notify patients when denial of access to health records and/or healthcare services could negatively impact patient care. The lawmakers also recommend that information concerning the attack be sharing with the federal government and information sharing organizations.
While the industry awaits the ransomware guidance from OCR, last month HHS, in coordination with a number of federal agencies including the Department of Justice (DOJ) and Department of Homeland Security (DHS), sent a set of technical recommendations aimed at CIOs intended to share best practices and mitigation strategies relating to ransomware incidences.
Finance Committee Chairman Releases White Paper on Stark Laws
Key Takeaway: Stark laws and their impact on healthcare provider participation in alternative payment models were subject of white paper released last week by the Chairman of the Senate Committee on Finance.
Why It Matters: Healthcare stakeholders have cited the need to modernize the Stark Law as the nation pursues coordinated care as a means to improve quality and reduce costs. The Stark law, which prohibits a physician from referring Medicare patients to an entity with which a financial relationship exists, can impact electronic health record (EHR) access to affiliated providers and hospitals.
One IT example cited in the white paper released by Senator Orrin Hatch (R-UT), concerns physician participation in an Accountable Care Organization (ACO), which includes access to the same EHR system as the remainder of the network. Uncertainty arises if the physician leaves the ACO, would the physician be subject to Stark liability. The report cites this example as a potential impediment for physicians to participate in Alternative Payment Models (APMs.)
Why it Matters: The MACRA comment deadline has finally come and gone. Now comes the waiting game. CMS is required under the law to finalize the rules for MIPS and APMs by November 1, 2016.
Many commenters, including CHIME, expressed concerns with the start date. The law says MIPS must begin on or after January 1, 2019. CMS proposed that the calendar year of 2017 be the year upon which the payments for 2019 would be based – otherwise known as the reporting year. The challenge, however, is that this leaves 60 days for vendors and providers to prepare for the new system.
Wondering how the MIPS/APM rule impacts hospitals? As a preliminary matter, hospital CIOs need to know that MACRA requires both clinicians and hospitals demonstrate they are not data blockers. The law specifically calls for them to:
demonstrates (through a process specified by the Secretary, such as the use of an attestation) that (they have) not knowingly and willfully taken action (such as to disable functionality) to limit or restrict the compatibility or interoperability of the certified EHR technology.
The law actually makes this requirement effective one year after the law was passed – this is April 2016. CHIME commented on this as well in our letter, as the requirements hospitals must meet in some cases were an overreach beyond what the law called for. This, among other items, will be of interest to hospital CIOs:
- Data blocking: CMS has proposed hospitals and clinicians would need to attest as part of their attestation statement for the 2016 reporting year that they were not data blockers. Prepare to substantiate you did not block data.
- CEHRT surveillance: CMS also proposed that hospitals and clinicians would have to attest they have cooperated in good faith with ONC surveillance efforts around CEHRT intended to make sure products are performing as intended.
- Vendors: If you have clinicians who are affected by MIPS, call your vendors and find out when they plan on delivering 2015 Edition CEHRT to you. The proposed rule leans heavily on the notion that clinicians will use 2015 CEHRT for 2017. Hospitals who have donated software to clinicians in the past should take this into consideration.
- Patient Portals: CMS offers more points to those who are meeting the harder, Stage 3-like measures. Unless they change the number of points available, those still meeting Stage 2-like measures will need to perform better on those in order to maximize points, portals being one such measure.
Keep in mind the rules are not yet final so things can change. Nonetheless, send us your thoughts on what CIOs need to think to prepare for MIPS.
Precision Medicine Update
Key Takeaway: Vice President Biden hosts Cancer Moonshot event.
Why it Matters: Data sharing, interoperability, patient access was among the topics front and center during the event. Interoperability continues to be a significant piece of the conversation about further advances in precision medicine and the Cancer Moonshot initiative.
CHIME’s CEO participated in an event at the White House earlier this year attended by the President, on precision medicine. CHIME’s partnership with Open Notes was unveiled and CHIME continues to push the need for patient access to their information. CHIME’s commitment to finding a solution to patient identification though our National Patient Identification $1 million Challenge will solve a critical barrier to interoperability.