The Office of the National Coordinator for Health Information Technology (ONC) has released a revised Guide to Privacy and Security of Electronic Health Information. The guide is intended to help health care providers – especially those from smaller organizations – address federal health information privacy and security requirements in their practices. The new version updates information regarding compliance with privacy and security requirements under the Medicare and Medicaid EHR Incentive Programs, along with the HIPAA Privacy, Security, and Breach Notification Rules.
On March 30, 2015, the Centers for Medicare & Medicaid Services (CMS) published its proposed rule on Stage 3 meaningful use criteria, which focus on the advanced use of Electronic Health Record (EHR) technology to promote improved outcomes for patients. The proposed rule would establish the requirements that eligible professionals (EPs), eligible hospitals, and critical access hospitals must achieve to demonstrate meaningful use, qualify for Medicare and Medicaid EHR Incentive Program incentive payments, and avoid downward Medicare payment adjustments. CMS generally intends for the proposed changes to respond to provider concerns regarding the burden associated with the number of program requirements, the multiple stages of program participation, and the timing of EHR reporting periods.
Notably, while CMS had previously announced that Stage 3 would begin in 2017, CMS is making Stage 3 compliance optional for 2017. Instead, beginning in 2018 all providers would report on the same definition of meaningful use at the Stage 3 level regardless of their prior participation. The proposed rule also would reduce the overall number of meaningful objectives to eight to focus on advanced use of EHRs (Protect Patient Health Information, Electronic Prescribing (eRx), Clinical Decision Support (CDS), Computerized Provider Order Entry (CPOE), Patient Electronic Access to Health Information, Coordination of Care through Patient Engagement, Health Information Exchange (HIE), and Public Health and Clinical Data Registry Reporting). In addition, CMS would align clinical quality measure reporting with other CMS quality reporting programs that use certified EHR technology (e.g., the Hospital Inpatient Quality Reporting and Physician Quality Reporting System programs), enhance alignment across care settings, and remove measures that are redundant or topped out.
CMS expects net incentive payment spending under the Medicare and Medicaid EHR Incentive Programs to total $3.7 billion between 2017 and 2020 (which reflects $0.8 billion in negative payment adjustments for Medicare providers who do not achieve meaningful use). The comment period ends on May 29, 2015.
In a related development, on March 30 the Office of the National Coordinator for Health Information Technology (ONC) published a proposed rule to establish the 2015 edition health information technology certification criteria, establish a new 2015 Edition Base EHR definition, and modify the ONC Health Information Technology (IT) Certification Program to make it more broadly applicable to other types of health IT health care settings and programs. Among other things, the rule would: (1) adopt new and updated vocabulary and content standards for the structured recording and exchange of health information; (2) include enhanced data portability, transitions of care, and application programming interface capabilities in the 2015 Edition Base EHR definition; (3) align certification criteria with proposals for Stage 3; (4) provide certification to standards for the collection of social, psychological, and behavioral data to address health disparities; (5) provide for the exchange of sensitive health information and for the accessibility of health IT; (6) ensure all health IT presented for certification possesses the relevant privacy and security capabilities; (7) take a series of steps to improve patient safety; and (8) establish surveillance and disclosure requirements. Comments are due May 29, 2015.
The OIG has released its March 2015 “Compendium of Unimplemented Recommendations,” which highlights the OIG’s top 25 recommendations for cost savings and/or quality improvements in HHS programs, along with other significant unimplemented recommendations. High-priority recommendations address the following areas, among others:
- Payment Policies and Practices: Expand the DRG window to include additional days prior to the inpatient admission and other hospital ownership arrangements; establish a hospital transfer payment policy for early discharges to hospice care; and reduce hospital outpatient department payment rates for ambulatory surgical center-approved procedures.
- Billing and Payment: Develop oversight mechanisms for the home health face-to-face requirement; change the method for determining how much therapy is needed to ensure appropriate skilled nursing facility payments; detect and recoup improper Medicare payments made for services rendered to incarcerated beneficiaries; implement an automated system to recalculate outlier claims to facilitate reconciliations; and provide states with definitive guidance for calculating the federal upper payment limit (UPL), including using facility-specific UPLs that are based on actual cost report data.
- Contractor Oversight: Utilize and report Zone Program Integrity Contractors’ (ZPICs') workload statistics in ZPIC evaluations.
- Grants and Contracts: The National Institutes of Health (NIH) should promulgate regulations addressing institutional financial conflict of interest.
- Program and Financial Management: Reduce significant variation in states’ personal care services laws and regulations; and standardize administrative law judge level case files and make them electronic.
- Quality of Care and Safety: Broaden patient safety efforts to include all types of adverse events; require states to report on vision and hearing screening data; strengthen oversight of state access standards for Medicaid managed care; and expand regulatory authority and oversight of dietary supplements.
- Emergency Preparedness: Establish effective hospital emergency preparedness and response policies.
- Health Information Technology: Improve the Transformed Medicaid Statistical Information System; and address fraud vulnerabilities in EHRs.
- Program Integrity: Increase reviews of clinicians associated with high cumulative payments; and restrict certain beneficiaries to a limited number of pharmacies or prescribers.
- Affordable Care Act: Improve internal CMS controls related to determining applicants’ eligibility for enrollment in quality health plans and eligibility for insurance affordability programs.
While some of these recommendations could be achieved administratively, other policies would require legislative changes to implement.
On March 10, 2015, the Senate Health, Education, Labor and Pensions (HELP) Committee held a hearing on “Continuing America’s Leadership in Medical Innovation for Patients,” featuring testimony from NIH Director Francis Collins, MD, PhD, and FDA Commissioner Margaret Hamburg, MD.
On March 17, the HELP Committee has scheduled a hearing on “America’s Health IT Transformation: Translating the Promise of Electronic Health Records into Better Care.” The Senate Finance Committee is holding a hearing on the “Affordable Care Act at Five Years” on March 19.
The Energy and Commerce has not yet rescheduled a previously-announced hearing on the 340B drug pricing program that was cancelled due to weather.
On January 30, 2015, the HHS Office of the National Coordinator for Health Information Technology (ONC) released a draft “Roadmap” to promote safe and secure exchange and use of electronic health information. The document “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Version 1.0,” focuses on actions intended to reach the ambitious goal of enabling a majority of individuals and providers to send, receive, find, and use a common set of electronic clinical information at the nationwide level by the end of 2017. To that end, the report focuses on: (1) establishing a coordinated governance framework and process for nationwide health IT interoperability; (2) improving technical standards and implementation guidance for sharing and using a common clinical data set; (3) enhancing incentives for sharing electronic health information according to common technical standards; and (4) clarifying privacy and security requirements that enable interoperability. Comments on the draft Roadmap document will be accepted until April 3, 2015.
ONC also released a draft of the 2015 Interoperability Standards Advisory, containing an initial version of what ONC currently considers to be the best available standards and implementation specifications for many clinical health data interoperability purposes. The public comment period for the Standards Advisory closes May 1, 2015.
HHS has sent to the White House Office of Management and Budget (OMB) for final regulatory clearance a proposed rule on Stage 3 meaningful use criteria for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. The Stage 3 rule will focus on advanced use of EHR technology to promote improved outcomes for patients, and it propose changes to the reporting period, timelines, and structure of the program, including providing a single definition of meaningful use. Likewise, HHS is seeking review of proposed rule that would, among other things, establish a new 2015 Edition Base EHR definition and modify the ONC Health Information Technology (IT) Certification Program to make it more broadly applicable to other types of health IT health care settings and programs. The rules are not available yet, but could be approved for publication in the Federal Register at any time.
The HHS Office of the National Coordinator for Health Information Technology (ONC) is seeking comments on its Federal Health IT Strategic Plan 2015-2020. The plan represents a broad federal strategy for collecting, sharing, and using interoperable health information to improve health care and public health, and advance research within the federal government and in collaboration with private industry. Comments will be accepted until February 6, 2015
The Office of the National Coordinator for Health Information Technology (ONC) is launching the “Market R&D Pilot Challenge,” which will bring together health care organizations and innovative companies to test new health information technology products through pilot funding awards and facilitated matchmaking. Pilot proposals could be awarded in three domains: clinical environments (e.g., hospitals, ambulatory care, surgical centers); public health and community environments (e.g., public health departments, community health workers, mobile medical trucks, school- and jail-based clinics); and consumer health (e.g., self-insured employers, pharmacies, laboratories). Among other things, the program is intended to encourage early collaboration between entrepreneurs, medical and public health personnel, patients, and the research community in efforts to link health IT innovation to care delivery innovation. Up to 6 winning proposals will each receive a $50,000 award.
The Government Accountability Office (GAO) has assessed the effectiveness of CMS controls intended to protect the security and privacy of the information and information technology (IT) systems used to support Healthcare.gov. The GAO determined that while CMS has taken steps to protect Healthcare.gov security and privacy, “weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.” The GAO warns that until such weaknesses are fully addressed, risks remain with regard to unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, along with potential disruption of services. The GAO made a series of recommendations to implement security and privacy management controls related to Healthcare.gov. For details, see the full report, “Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls.”
HHS Workshop: Integrating Plans for Long-Term Services and Supports & Health Care Delivery through Health IT (Oct. 16)
On October 16, 2014, the Administration for Community Living (ACL) and the HHS Office of the National Coordinator on Health Information Technology (ONC) are holding a public workshop entitled “Putting the Person at the Center: Integrating Plans for Long-Term Services and Supports and Health Care Delivery through Health Information Technology.” The workshop will focus on the use of health information technology to enable a person-centered approach for planning and delivering long-term services and supports and health care, including how to improve communication and collaboration among community-based organizations and health care partners. The agenda includes care planning, technology and integration; key opportunities and challenges; and delivery and payment reform policy levers. The registration deadline for the event is October 10, 2014.
The Office of the National Coordinator for Health Information Technology (ONC) published a final rule on September 11, 2014 that is intended to introduce regulatory flexibilities with regard to certification to the 2014 Edition Electronic Health Records (EHR) Certification Criteria. The rule also codifies certain revisions to the ONC Health Information Technology (HIT) Certification Program for certification to the 2014 Edition and future editions, and it makes administrative updates to associated regulations. ONC specifies that EHR technology developers do not have to update and recertify their products to the revised 2014 Edition Release (also referred to as the “2014 Edition Release 2”), nor do eligible providers have to upgrade to EHR technology certified to the 2014 Edition Release 2, although ONC encourages such stakeholders “to consider whether the 2014 Edition Release 2 offers any opportunities that they might want to pursue.”
Senate Finance Committee Chairman Ron Wyden and Ranking Member Chuck Grassley are asking providers, patients, insurers, entrepreneurs, and other stakeholders for ideas on ways to improve the availability and utility of health care data, while protecting patient privacy. In particular, the Senators are requesting information on: the data sources that should be made more broadly available; the form such data should be conveyed; ways to reduce the unnecessary fragmentation of health care data; and reforms to overcome barriers that stand in the way of effective use of existing data sources. Comments will be accepted until August 12, 2014.
Recent Congressional hearings on health policy issues include the following:
- A House Energy and Commerce Health Subcommittee “21st Century Cures Roundtable” discussed steps Congress can take to bridge the gap between medical advances and the regulatory policies that govern them, and ultimately advance digital and personalized health care. The panel also released a related white paper on digital health care and is seeking feedback on this topic through July 22, 2014.
- The Energy and Commerce Oversight Subcommittee held a hearing on “Medicare Program Integrity: Screening Out Errors, Fraud, and Abuse.” The Committee also held hearings on health care access under the ACA.
- The Senate Special Committee on Aging held a hearing entitled “State of Play: Brain Injuries and Diseases of Aging.”
- The Ways and Means Health Subcommittee held a hearing on MedPAC's June Report to the Congress on Medicare delivery reforms.
- The House Oversight and Government Reform Committee held a hearing on health insurance company profits under the ACA.
On Wednesday, April 30, 2014, the House Ways and Means Committee will focus on “Ideas to Improve Medicare Oversight to Reduce Waste, Fraud and Abuse." On May 1, the House Energy and Commerce Health Subcommittee is holding a hearing on “Telehealth to Digital Medicine: How 21st Century Technology Can Benefit Patients."
The Office of the National Coordinator for Health Information Technology (ONC) is seeking comments on revisions to health information technology certification regulations for 2015. CMS is updating these criteria more frequently to provide more incremental regulatory changes, give stakeholders earlier information and greater opportunity for input, and respond more quickly to newer industry standards to enhance interoperability. ONC observes that its previous two to three-year regulatory cycle was “sub-optimal” because it “created cycles of significant peaks and valleys from a health IT development standpoint; resulted in missed opportunities to improve interoperability and programmatic alignment because of mismatched regulatory and standards balloting cycle timelines; and adversely affected EHR technology developers’ ability to strategically plan their development and product rollout processes due to uncertain regulatory timelines.” The proposed rule provides that the 2015 Edition EHR certification criteria would be voluntary; providers would not need to adopt this edition, and no EHR technology developer who has certified its EHR technology to the 2014 Edition would need to recertify to the 2015 Edition for users to participate in the Medicare and Medicaid EHR Incentive Programs. The proposed rule also includes revisions to the ONC HIT Certification Program intended to improve regulatory clarity, simplify certification of EHR Modules not used for achieving meaningful use; and discontinue the use of the “Complete EHR” certification concept. ONC will accept comments on proposed rule until April 28, 2014.
CMS has released additional tools to help health plans, vendors, and providers prepare to demonstrate that they are compliant with Administrative Simplification Transaction Testing standards and operating rules and that they have completed end-to-end testing with their trading partners. Specifically, CMS has released payer, large provider, small provider, vendor-to-provider, and vendor-to-payer checklists to assist these segments as they perform multiple levels of testing, including end-to-end testing.
President Obama has signed into law the Consolidated Appropriations Act of 2014, which provides $1.012 trillion in discretionary funding for the operations of the federal government through September 30, 2014. In addition to setting overall funding levels for HHS agencies, the law specifies funding for numerous HHS policies and initiatives, such as additional funding for program integrity effort involving the 340B drug pricing program and research on the impact of health information technology on patient safety, and reduced funding for the IPAB and certain other ACA activities. The agreement also includes directives for HHS to improve fraud and abuse efforts, including using the latest technology to ensure only valid beneficiaries and valid providers receive benefits (although on the other hand, the agreement raises concerns that the Recovery Audit Contractor program includes incentives “to take overly aggressive actions”). In addition, the agreement highlights more Congressional interest in more narrow HHS policies, such as objections to the criteria CMS uses to package drug costs under the hospital outpatient prospective payment system, and concerns that rural patients maintain access to needed health services if CMS proceeds with a proposal to remove critical access hospital status from certain facilities.
The OIG has concluded that the HHS Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. In short, the OIG found that OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to follow the complaint-driven approach to assess Security Rule compliance. OCR also failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule. The report findings and recommendations are discussed in a posting on our Life Sciences Legal Update blog.
Congressional committees continue to focus on the experience of consumers and insurers since the HealthCare.gov insurance portal launched on October 1, along with potential issues related to the security of personal data transmitted through the site. For instance, House hearings this week include an Oversight and Government Reform Committee hearing on “ObamaCare Implementation: The Rollout of HealthCare.gov”; a Homeland Security Committee on “Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov?"; and an Energy and Commerce Committee hearing titled “Obamacare Implementation Problems: More than Just a Broken Website.” Next week, the Energy and Commerce Committee also will examine the security of the HealthCare.gov site.
In other policy areas, on November 14, the House Small Business Committee is holding a hearing on “Self-Insurance and Health Benefits: An Affordable Option for Small Business.” On November 15, the Energy and Commerce Subcommittee on Health will review the FDA’s implementation of the Food and Drug Administration Safety and Innovation Act, and on November 19 the panel will focus on federal regulation of mobile medical apps and other health software.
Recent Congressional hearings on health policy issues include the following:
- A House Energy and Commerce Health Subcommittee a hearing entitled “PPACA Pulse Check: Part 2,” focusing on ACA readiness and implementation issues (Part 1 of the hearing was on August 1, 2013).
- A House Homeland Security Cybersecurity Subcommittee hearing on “The Threat to Americans’ Personal Information: A Look into the Security and Reliability of the Health Exchange Data Hub.”
- A Senate Health, Education, Labor and Pensions Committee hearing on the “Dental Crisis in America: The Need to Address Cost.”