Cyber Security Gets Spotlight during Washington Summit, Agencies Plan Next Steps
Key Takeaway: Federal officials in the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) last week expressed their expectations that the healthcare sector will endure increased cyber attacks in the coming year. Meanwhile, officials at the FDA announced a new partnership with a Department of Homeland Security-supported organization and separately announced plans to hold a summit on device cybersecurity in October.
Why it Matters: The increased volume of conversation concerning cyber security from officials in the healthcare sector indicates raised visibility by Health Insurance Portability and Accountability Act (HIPAA) enforcers, which are expected to lead to more audits and more penalties for non-compliance.
A joint summit held by the HHS OCR and the National Institute of Standards and Technology (NIST) revealed that federal officials believe cyber attacks in the healthcare sector will rise in the coming year. Officials pointed to the need for covered entities to perform regular HIPAA security audits of their health IT systems, indicating plans for increased scrutiny of provider security practices.
In related news the Food and Drug Administration (FDA) signed a memorandum of understanding (MOU) between its Center for Devices and Radiological Health and the National Health Information Sharing & Analysis Center (NH-ISAC), a nonprofit dedicated to security intelligence and information sharing. The MOU would help the two identify and mitigate cyber security threats to medical devices. “The parties intend to work together to establish how stakeholders can interface with FDA regarding medical device or health care cyber security vulnerability information-sharing,” the memo states. “This collaboration will help inform a common understanding of that risk threshold upon which exploit of a vulnerability might impact on patient safety and/or public health.”
Separately, the FDA announced a two-day workshop October 21 and 22 to gather input from the health community regarding the cyber security of medical devices. The workshop seeks to “catalyze collaboration among all healthcare and public health stakeholders…to identify barriers to promoting cooperation; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable proactive development of analytical tools, processes, and best practices by the stakeholder community to strengthen medical device cyber security. Interested individuals should register for the event here.
Legislation & Politics
ACO Bill Would Increase Telemedicine Coverage
Key Takeaway: Reps. Diane Black (R-TN) and Peter Welch (D-VT) introduced the Accountable Care Organization ACO) Improvement Act of 2014, HR 5558 (http://welch.house.gov/uploads/ACO%20Bill%20Text.pdf), last week to expand ACO coverage for remote patient monitoring and store and forward image sharing technologies with the goal of improving care coordination.
Why It Matters: Rep. Diane Black, a nurse for over 40 years, has become a champion of health IT over the last few years. This bill not only supports the transition from fee-for-service to value-based reimbursement, but also the utilization of health IT to eliminate waste in the healthcare system and improve outcomes.
According to a statement (http://black.house.gov/press-release/representatives-black-and-welch-introduce-legislation-advance-health-care-system) released by both offices, the bill has 3 areas of focus:
- Additional incentives emphasizing health outcomes over services performed
- Increasing collaboration between patients and their doctors
- Provide ACOs with additional tools needed for success
To address these focus areas, the bill would expand telehealth as described above, allow patients to choose the primary care physician within the ACO they are assigned, and increase Medicare data sharing among other things.
Advocates Reiterate Need for Timely Implementation of ICD-10; Survey Data Indicates Continued Readiness Lag
Key Takeaway: Hoping to avoid a third delay, ICD-10 proponents took to Capitol Hill this week, arguing that further delays in the adoption of the system would waste hundreds of millions of dollars and damage efforts to improve the health system. Meanwhile, new survey data released by the Workgroup for Electronic Data Interchange (WEDI) indicates little progress has been made towards implementation and testing of ICD-10 by providers.
Why It Matters: ICD-10 implementation has been delayed for nearly seven years, and advocates on both sides of the issue appear ready to make their cases again in the new Congress. Survey data indicates that providers need to be more proactive in the next 6-8 months to be ready for the transition; however, uncertainty created by Congress’s intention makes such investment risky.
Briefing hosts, including payers, coders and providers, reminded Congressional staff that ICD-9 coding system was adopted in 1975. They argued ICD-10 will help the industry keep better track of changing treatments, give providers more specific diagnostic codes, improve public health data and hopefully lower the amount of haggling over reimbursement, they said. CMS last month estimated that the current delay in ICD-10's implementation could cost the health care industry up to $6.8 billion.
Provider progress in transitioning to ICD-10 is slow, according to a survey released last Thursday WEDI. The multi-stakeholder advisory group gathered results from 324 providers, 87 vendors and 103 health plans, indicating little progress in readiness from a year ago. In a letter sent to HHS Secretary Sylvia Matthews Burwell, WEDI officials said a majority of vendors were almost ready for ICD-10, and nearly three quarters of health plans had completed an impact assessment, compared to two-third in the last survey last October. But only half of providers had completed an impact assessment — no change from last year. “Vendors and health plans continue to make progress, but some tasks are slipping into 2015, particularly those related to testing,” Jim Daley, chair of WEDI, wrote in the letter. “… While the delay provides more time for the transition to ICD-10, many organizations are not taking full advantage of this.”
CMS recently announced the need for approximately 850 volunteers to comprehensively test ICD-10 in the first of three rounds of planned “end-to-end” testing that will take place before the implementation of the new code system. The testing weeks will be: November 17-21, March 2-6 and June 1-5.
A final rule from the CMS stated that ICD-10 will go into effect on Oct. 15, 2015.
HIPAA Audits to be Used for Enforcement
Key Takeaway: Your next HIPAA Audit could lead to a further compliance investigation according to the OCR at a conference they co-hosted with the National Institute of Standards and Technology (NIST).
Why It Matters: Privacy and security continues to be one of the highest concerns in healthcare. This enforcement announcement further proves the need for more improvements in the area of privacy and security in healthcare.
After a series of pilot audits in 2012, OCR decided to expand the audits to make sure healthcare providers are complying with HIPAA privacy and security rules. The original audits were used to track industry compliance, but under the new, permanent model, the desk audits could lead to further enforcement. While the next phase of audits don’t have an official start date, they will involve covered entities and business partners.
Click here to read more about the HIPAA Privacy, Security, and Breach Notification Audit Program (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/). OCR also expects to release new guidance on breach notification, breach risk assessments, minimum necessary requirements and HIPAA marketing rules.
Edited by Gabriel Perna for style