Life Science Compliance Update

February 08, 2016

Electronic Health Records and the Meaningful Use Program: Is the End Near?

Let Doctors Be Doctors

Physicians are fed up with ERH, and are organizing with campaigns and creative music videos such as Let Doctors Be Doctors. They have even created an infographic outlining the problems with electronic health records .  The government finally seems to be listening.

While speaking both to members of industry and Congress, Andy Slavitt, Acting Administrator at the Centers for Medicare & Medicaid Services, hinted toward changes coming for the electronic health record Meaningful Use program. Citing the new MACRA law’s upcoming regulations, Slavitt noted the program will be different for physicians, prompting some to believe it will change from an “all or nothing” approach to one that may be more flexible and incentivizes using electronic records rather than offering penalties. CMS will have an important MACRA regulation in March, some speculate on March 25, which will outline changes to the Meaningful Use program, as it becomes a part of the new MACRA Merit-based Incentive Payment System.

The problem with EHRs

All of this is good news, especially to the American Medical Association. According to the AMA and other medical groups, one of their members’ biggest headaches is the rise of electronic health record systems, which they say are drowning physicians in red tape. Physicians say too much of their time is being taken up by clerical tasks. This is patently obvious if one views the website “Let Doctors Be Doctors,” where the voice of physicians uniformly speak against government mandates on electronic health records. This site was created as a forum to “amplify the voices of health care professionals and patients.”

“We need to talk about the elephant in the exam room. Electronic health records (EHRs) are failing to improve the connection between patients and providers—and distracting providers from their real work. With more than two-thirds of doctors saying they wouldn't recommend their EHR and the American Medical Association calling for a ‘major overhaul of EMR systems,’ it's time to demand change,” it further states. This and other campaigns have helped to inspire a significant amount of media attention and creative representations of the struggle faced by physicians, such as this viral YouTube hit “EHR State of Mind”.

The AMA’s campaign, “Break the Red Tape” calls for the government to postpone finalizing the Meaningful Use Stage 3 regulations on electronic health records in order to align the policy with other programs under the new Merit-based Incentive Payment System.

This comes as a new report indicates burnout among U.S. doctors is getting worse, showing physicians are worse off today than just three years earlier. Mayo Clinic researchers, working with the American Medical Association, compared data from 2014 to measures they collected in 2011 and found higher measures on the classic signs of professional burnout. More than half of physicians felt emotionally exhausted and ineffective. More than half also said that work was less meaningful.

Electronic health records play a role in this decline. “Instead of spending my days listening to patients and solving their problems, I feel that I spend most of my time struggling to make unique stories and needs fit into an arcane system of clicks and drop-down menus,” Dr. Laura Knudson, an Indiana family physician, recently told the Chicago Tribune. 

Congress and CMS Act to Expedite Exemptions

There has been some good news, however. Prior to adjourning for the holidays, Congress adopted legislation, S. 2425, the “Patient Access and Medicare Protection Act,” which included a provision granting CMS the authority to expedite applications for exemptions from Meaningful Use Stage 2 requirements for the 2015 calendar year. As described by the AMA in an email to stakeholders, in order to avoid a penalty under the meaningful use program, eligible professionals must attest that they met the requirements for meaningful use Stage 2 for a period of 90 consecutive days during calendar year 2015. However, CMS did not publish the Modifications Rule for Stage 2 of meaningful use until October 16. As a result, eligible professionals were not informed of the revised program requirements until fewer than the 90 required days remained in the calendar year.

A provision of the legislation adopted by Congress would grant CMS the authority to process requests for hardship exemptions to physicians through a more streamlined process, alleviating burdensome administrative issues for both providers and the agency. Members of Congress involved in the passing of the legislation include Rep. Tom Price, MD (R-GA), Sens. Orrin Hatch (R-UT) and Ron Wyden (D-OR), and numerous members of the House and Senate leadership from both parties.

However, this does not go as far as some have requested. In a November 20 letter from the GOP “Doctors Caucus” to Speaker of the House Paul Ryan, the 18-member caucus requested Speaker Ryan’s help in pressing for a delay of Stage 3 along with a blanket hardship waiver exception for Stage 2.

Implementation of more-stringent criteria is likely to create “a chilling effect on further EMR adoption as physicians conclude that the cost of implementation is simply not worth the bureaucratic hassle,” according to the letter. “Members of our caucus, as well as numerous congressional health care leaders, have engaged CMS on these issues to warn them of the potential negative consequences of placing these new requirements on providers in order to meet an arbitrary deadline. CMS has ignored Congress. Congressional action is the only solution left for preserving patient access, choice and quality.”

Additionally, CMS guidance on the legislation indicates the agency intends to focus on streamlining the application process. According to the application process for hardship exemptions from meaningful use penalties in 2015, CMS is allowing providers to check box “2.2.d” of the application for an exemption because the agency published its Stage 2 modification rule so late in the year. The penalties, which hit in 2017, total 3 percent of Medicare payments for providers who fail to attest to meaningful use or to get an exemption. Doctors and other eligible professionals have until March 15 to submit their applications for exemptions; hospitals have until April 1.

Meaningful Use Comments

In October, CMS and the Office of the National Coordinator for Health IT released the final rule for Stage 3 of the meaningful use program, modifications for 2015 through 2017 and the 2015 Edition Health IT Certification Criteria. The proposals for the meaningful use modifications for 2015 through 2017 and Stage 3 were combined into a single final rule, which was published on the Federal Register. Under the final rule, Stage 3 is optional in 2017, and providers who elect to begin Stage 3 that year will be able to attest for a 90-day reporting period. It will be mandatory in 2018 and contains eight reporting objectives for eligible professionals and hospitals, more than 60% of which require interoperability, compared with 33% under Stage 2.

In its comments, the American Medical Association recommended CMS allow for additional flexibilities, including multiple methods to meet the meaningful use program goals, elimination of the pass-fail structure of the program, and removing threshold requirements for performance measures. Other comments of note include the Healthcare Information and Management Systems Society (HIMSS), which expressed support for the rule. HIMSS asked that any changes made by CMS be published by February 29, 2016, so participants have enough time to prepare for the transitional year in 2017.

Health IT Security Concerns in 2016

As legislation moves in Congress and regulatory comments are shaping future health IT policies, stakeholders are outlining some concerns with the security of health records and other health IT programs. According to a report from PricewaterhouseCoopers’ Health Research Institute, the adoption and use of new health care technologies will help drive several new industry trends in 2016. During the year, many consumers will have their first video consults, be prescribed their first health apps, and use smartphones and diagnostic tools for the first time. Cybersecurity will be a major concern for these apps; however, they will help move the health care system away from the fee-for-service model as wireless technology improves. Remote technology will allow physicians to better manage health needs, and new databases will afford health systems the opportunity to analyze large and diverse datasets.

A report from Experian also raises security concerns, noting that data breaches will remain a top concern for the health care industry in 2016. According to the report, 90% of health care organizations have experienced a data breach within the last two years. Attacks will likely be focused on large insurers and health systems; however, “smaller incidents caused by employee negligence will also continue to compromise millions of records each year.”

Other reports echoing health IT security concerns go one step further. DirectTrust, a three-year old, non-profit, competitively neutral, self-regulatory entity created by and for participants in the Direct community, including Health Internet Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs), suggests that Meaningful Use faces an “uncertain future” in 2016 and 2017. They speculate that it could be delayed or entirely phased out. It cites physician groups concerned that Stage 3 does not align well with new health care requirements in the MACRA (Medicare Access and CHIP Reauthorization Act of 2015) law. Providers may be willing to face penalties instead of spending more money on health IT that they may not see adding value to their organization, the report also notes.

These reports come as Congress recently passed the Cybersecurity Act of 2015 as part of the 2016 omnibus spending package. The legislation requires the Department of Health and Human Services to provide the Senate HELP Committee and the House Energy and Commerce Committee with a report within one year. That report is to provide a clear statement concerning who is responsible for leading and coordinating efforts at HHS regarding cybersecurity threats in the healthcare industry and provide a plan from each relevant operating division and subdivision. The legislation also creates a healthcare industry cybersecurity task force.

January 29, 2016

Another Transparency Threat – Health Education Exchanges and Medical Identity Theft

We have previously drawn attention to some of the downsides of transparency as it relates to medical information. Those downsides typically revolve around the Sunshine Act and Open Payments data. However, there is another major concern about a yet another aspect of medical information transparency. Electronic health records, which allow a primary care physician to quickly send information to other physicians, are starting to become more prominent, easily accessible, and dangerous.

Health information exchanges (HIEs) allow doctors to share information amongst each other and help healthcare agencies to track and respond to emerging health threats. Storing patient medical records in the cloud instead of on-site helps cut down on IT costs and storage costs, and allows medical providers to focus on their primary mission of providing healthcare to patients.

While there are some positives to health records being easily accessible by medical professionals, medical data being so easily accessible also presents a huge attack surface for cyber thieves. A recent Ponemon Institute survey reported that 2.3 million adult patients were victims of medical identity theft in 2014 and those victims spent an average of $13,500 trying to restore their credit, pay off fraudulent medical claims, and clean up their health records.

While the 2014 figures may astound you, The Washington Post reports that the Department of Health and Human Services (HHS) estimates over 120 million Americans have had some of their protected health information (PHI) compromised in data breaches since 2009.

Individual companies and agencies have reported their own data breaches of PHI as well. Excellus BlueCross BlueShield suffered a data breach that affected 10.5 million people; Premera had a breach that affected up to 11 million people; and the Office of Program Management breach affected up to 21.5 million. It is estimated that in total, as much as half of the United States population has had PHI compromised.

These data breaches are the results of a new form of cyber attack. While there isn't just one purpose or motivation behind cyber attacks, there are several plausible ones. One reason may be because when the cyber attackers steal medical identities, they are able to monetize the financial information included within them. Dwayne Melancon, chief technology officer with Tripwire, says that the healthcare industry is ahead of the retail industry, but behind the financial industry, when it comes to protecting consumer data. The growth of the Dark Web has provided a ready and simple market for thieves who sell financial and other personal information, such as medical records. As such, it is possible that cyber attackers are turning to an easier approach when it comes to taking your financial information.

Further, while financial information can be monetized almost immediately, medical records can take a bit longer to exploit. If someone seeking medical treatment is using health information of another patient to receive free medical care, they need to be sure their provider doesn't already know who the real patient is and that the identity they stole matches them and their health issues close enough so that the fraud will not be immediately detected.

It isn't just the possibility of free medical care that could be motivating healthcare cyber attackers. Personal medical information can also be useful to those perpetrating phishing attacks. Parents of children who are terminally ill who receive calls from their doctors, or others purporting to be linked to the doctor, are not likely to be as cautious when told their child has been recommended for a promising clinical trial, and may give financial information over the phone.

Another use for stolen health data is extortion. UCLA Health dealt with a data breach in July 2014, after which Jeff Hill, channel manager at STEALTHbits Technologies, speculated that part of the motivation for attacking an LA-based health system is to find personal health information on celebrities and hold that information for ransom or sell it to news organizations. He states that, "[t]he most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc."

Unfortunately, these data breaches are not always avoidable. Dwayne Melancon stated, "There is a tendency to say a company didn't know what they were doing. That is not always the case...In a lot of those cases it isn't negligence, its just something people could not foresee. If they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers, and any organization could be vulnerable to that."

When personal health information is exposed through breaches, patient lives can hang in the balance. It is important for all decision makers in healthcare organizations to understand these threats and work to combat them daily, from IT staff to privacy and compliance staff.

November 24, 2015

Stage III Meaningful Use CMS Doubles Down as Opposition Mounts

Despite Congressional interest in delaying Stage 3 of the electronic health record Meaningful Use program and the AMA coming out strongly against the roll out, HHS recently went forward and published its 752-page Final Rule for Stage 3 and Stage 2 modifications. One of the central pieces to the Affordable Care Act, along with the American Reinvestment and Recovery Act (ARRA) was the implementation and "meaningful use" of electronic health records (EHRs)—through the HITECH provision. Implemented in stages, Stage 3 is the final step of the program.

Final Rule

The 2015-2017 Meaningful Use (MU) Final Rule establishes MU program requirements for 2015 - 2017, creating a new "Modified Stage 2." All providers, including those in the Medicaid program, would attest to a single set of objectives and measures beginning in 2015. The Modified Stage 2 program reduces the number of requirements and lowers certain measure thresholds compared to Stage 2. All providers are required to move to Stage 3 beginning in 2018 regardless of their prior participation or Stage of MU.

The final rule establishes a modified version of Stage 2 for 2015 - 2017 for all participants. In 2015, all participants must follow Modified Stage 2 with accommodations for providers who were schedule to demonstrate Stage 1 in 2015. Next year, in 2016, all participants would follow the Modified Stage 2 with a smaller set of accommodations for providers who were scheduled to demonstrate Stage 1 in 2016. The following year, in 2017, participants may select to report on Modified Stage 2 or the full version of Stage 3 outlined in the Stage 3 rule. By 2018 all participants would follow the full version of Stage 3.

CMS recently announced a new FAQ that allows any provider to apply for a hardship exception for 2015 under the "extreme and uncontrollable" circumstances category due to the lateness of the modifications rule. The agency has also clarified that physicians switching EHRs or experiencing issues with a vendor product may apply for a hardship exemption under the existing "extreme and uncontrollable circumstances" category.

The MU Stage 3 Final Rule allows for a 60-day public comment period to continue to consider program changes and align requirements with the Medicare Access and CHIP Reauthorization Act (MACRA). This is the last stage of MU and Stage 3 requirements are optional in 2017 and mandatory for all participants in 2018, no matter when they started the MU program.

All Stage 3 MU participants (both physicians and hospitals) must meet 8 objectives. Each objective may include multiple measures. Objections include: (1) Protect Electronic Health Information; (2) Electronic Prescribing (eRx); (3) Clinical Decision Support (CDS); (4) Computerized Provider Order Entry (CPOE); (5) Patient Electronic Access; (6) Coordination of Care through Patient Engagement; (7) Health Information Exchange (HIE); and (8) Public Health and Clinical Data Registry Reporting.

Physicians in opposition, economics of practice changing in part due to Health IT

As reported by Politico, the American Medical Association helped lead the charge to pause finalization of the Stage 3 rules. AMA argued Stage 3 takes a "drastic step backwards" from CMS's proposed changes to Stage 2. The implementation of electronic health records has been especially difficult for independent and smaller physician practices—one of the most consistent arguments against moving forward with the MU program.

As also reported in Modern Healthcare, according to a recent report, independent practices acquired by hospitals are seeing operating costs spike as they try to keep up with the federal electronic health record requirements. Multispecialty physician practices spent an average of $20,693 per full-time-equivalent doctor in 2014, a 12% increase from the year before and a 34% increase from 2010.

More than 3,100 physician groups were surveyed for the report, which includes information on other administrative issues such as staffing ratios. It found that between 2010 and 2014, physician practices increased use of non-physician providers, such as physician assistants and nurse practitioners, to meet demand and compete to hire from a limited supply of doctors. Administrative burdens and costs related to running an independent practice has a growing number of physicians opting to become employees of hospitals. Reports indicate that physicians will continue leaving private practice to work for hospitals and that only a third of physicians would remain independent by the end of 2016.

Along these lines, Politico recently asked if electronic health records are creating a spike in hospital mergers. According to American Hospital Association CEO Rick Pollack in a recent House Judiciary Committee hearing, he estimated hospitals will spend between $20 million and $200 million on EHRs each year depending on their size, and that dollar amount is unmanageable for smaller hospitals. This causes them to merge and results in fewer players in the market. "The fundamental restructuring that CMS anticipates in response to its alternative reimbursement models will undoubtedly come with a high cost that will be particularly difficult to bear for small and stand-alone hospitals," Pollack testified.

GOP Doctors Caucus Resistance

In line with the aforementioned physician resistance, the GOP Doctors Caucus announced plans to ask House of Representatives Speaker Paul Ryan for end-of-year legislation to include a delay in Stage 3 of meaningful use and broad exemptions for the programs penalties. This forthcoming letter is in addition to a letter sent in September to the Obama administration. The September letter asked for a delay in meaningful use Stage 3, and was signed by approximately 25% of House members. 

Tennessee Representative Phil Roe, chairman of the GOP Doctors Caucus, said, "Many of us believe the appropriations process is also an effective way to get this done. The Caucus is open to various vehicles for these requests and looks forward to working with Speaker Ryan and other House leaders on these important initiatives."

Problems with vendors

Over the past year, health IT vendors have come under scrutiny for the practice of intentionally blocking the sharing of patient information, hurting progress toward a national goal of interoperability. New legislation, the Transparent Ratings on Usability and Security to Transform Information Technology Act of 2015, or the "TRUST IT Act" hopes to combat this practice. The legislation aims to ensure that certified health IT systems are performing as promised in the field, and establish a rating system that will enable consumers to compare different products based on that performance.

According to Senator Bill Cassidy's press release—one of the three Senate physiciansthe legislation will also:

  • Authorize the Office of the National Coordinator for Health Information Technology to make publicly available information, such as summaries, screen shots, or video demonstrations, showing how certified health information technology meets certification requirements;
  • Require the certification program to establish that health IT products meet applicable security requirements, incorporate user-centered design, and achieve interoperability, consistent with the reporting criteria developed for the Health IT Rating Program;
  • Require health IT vendors to attest they do not engage in certain information blocking activities, including nondisclosure clauses in their contracts, as a condition of certification and maintenance of certification;
  • Authorize the Inspector General of the Department of Health and Human Services to investigate claims of information blocking and assess civil monetary penalties on any person or entity determined to have committed information blocking.

This comes after CMS also published recommendations earlier this year to address the information blocking problem, including:

  • Assisting federal and state law enforcement agencies in identifying information blocking cases that violate current laws;
  • Bolstering oversight of certified health IT capabilities "in the field" through new requirements;
  • Creating a nationwide health information exchange governance framework;
  • Requiring certified health IT developers to disclose additional costs, limitations and restrictions associated with their products;
  • Working with CMS to create incentive payments that reward interoperability and health data sharing; and
  • Working with HHS' Office for Civil Rights to educate stakeholders on how HIPAA privacy and security standards apply to information sharing.

Now, despite federal rules, many developers of electronic health records are not meeting federal design requirements, according to research published in JAMA. The researchers from the National Center for Human Factors in Healthcare at MedStar Health in Washington, D.C. found that not all vendors filed required reports on usability testing. The report adds to the mounting concern that EHRs are failing to raise the quality and safety of healthcare and lower its costs.

Gag orders, another previously raised issue, are a separate, but related concern. A Politico investigation found that some of the biggest firms marketing electronic record systems inserted "gag clauses" in their taxpayer-subsidized contracts, effectively forbidding health care providers from talking about glitches that slow their work and potentially jeopardize patients. The website obtained 11 contracts through public record requests from hospitals and health systems in New York City, California, and Florida that use six of the biggest vendors of digital record systems. With one exception, each of the contracts contains a clause protecting potentially large swaths of information from public exposure. This is the first time the existence of the gag clauses has been conclusively documented. Politico faults the government's slow response, noting that little has been done to address the problem despite many years of warnings.

 

Conclusion

There is a significant amount of opposition to current health information technology policies both within the government and the larger medical community. Stage 3 of Meaningful Use could ultimately be delayed through Congressional action, and larger legislative fixes may be necessary to combat the litany of problems raised by stakeholders over the past few years. The ultimate goals of electronic health records may be laudable, but the unintended consequences could be far greater than the Administration had originally perceived.

Newsletter


Preview | Powered by FeedBlitz

Search


 
Sponsors
April 2017
Sun Mon Tue Wed Thu Fri Sat
1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30