Life Science Compliance Update

March 16, 2016

Office of the National Coordinator for Health Information Technology Proposes Rule on Information Blocking

The United States Department of Health and Human Services released a proposed rule last week that would permit the Office of the National Coordinator for Health Information Technology (ONC) to review certified health IT products for information blocking, in addition to potential risks to patient safety and public health. The proposed rule also gives ONC increased power to regulate authorized certification-testing bodies.

Background

The ONC Health IT Certification Program was established as a Temporary Certification Program in June 2010, and was later transitioned into a Permanent Certification Program in January 2011. In September 2012, certification criteria were established to provide a clear implementation direction to ONC-Authorized Certification Bodies for certifying Health IT Modules.

In October 2015, HHS published a final rule that identified how health IT certification can support the establishment of an interoperable nationwide health information infrastructure through the certification and use of adopted new and updated vocabulary and content standards for structured recording and exchange of health information. This final rule also included provisions to increase the transparency of information related to health IT certified under the program.

The impetus behind this proposed rule is that as certified capabilities interact with other capabilities in certified health IT and with other products, it is important to ensure that concerns within the scope of the Program can be appropriately addressed.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended the Public Health Service Act (PHSA) in an attempt to improve the quality, safety, and efficiency of health care through the promotion of health IT and electronic health information exchange. The HITECH Act also required the National Coordinator for Health Information Technology to perform specific statutory duties, including keeping or recognizing a program for the voluntary certification of health information technology.

The proposed rule would expand the ONC's role in the Program to encompass the ability to directly review health IT certified under the Program and address non-conformities found in certified health IT, and it proposes processes for ONC to address testing issues directly and in a timely manner. According to the drafters of the rule, increased transparency and publication of identifiable surveillance results would support further accountability of health IT developers to their customers and users of certified health IT.

The Proposed Rule

The proposed rule asks to expand the ONC's role to encompass the ability to directly review health IT certified under the Program, independently of reviews conducted by ONC-ACBs. These reviews would extend beyond the continued conformance of the certified health IT's capabilities with specific certification criteria, test procedures, and certification requirements and would also extend to the interaction of certified and uncertified capabilities within the certified health IT.

ONC would also have broad discretion to review certified health IT, though the drafters of the rule anticipate that such a review would be relatively infrequent and would focus on situations that pose a risk to public health or safety.

The proposed rule also gives authority to ONC to initiate a direct review whenever it becomes aware of information, whether from the general public, interested stakeholders, ONC-ACBs, or by any other means, that certified health IT may not conform to the requirements of its certification.

The rule also proposes to require ONC-ACBs to make identifiable surveillance results publicly available on their websites on a quarterly basis. The rule drafters believe that publishing "positive" surveillance results, as well as "negative" ones, will provide a more complete context of surveillance.

Analysis and Conclusion

According to Sherilyn Pruitt, director of ONC's Office of Programs and Engagement, "our goal is to work with developers. Our goal is not to get to decertification." Ms. Pruitt expects the office to work with noncompliant vendors to develop action plans to fix their products and practices.

The proposed rule follows announcements by dozens of health IT vendors, major health systems, and other industry organizations, that they will provide wider consumer access to health data, avoid information blocking, and adopt federally recognized interoperability standards. In announcing the interoperability pledge, HHS Secretary Sylvia Mathews Burwell stated, "we must demand interoperability. We have to work together to unblock data."

The proposed rule also comes after the Precision Medicine Initiative Summit at the White House, where data liquidity was in focus. According to national health IT coordinator Dr. Karen DeSalvo, "the president of the United States has a keen interest in seeing that data moves. We would like to see change [to interoperability] as rapidly as possible, but as safely and securely as possible."

Comments will be accepted on the proposed rule through May 2, 2016, and can be submitted via the Federal eRulemaking Portal or the mail.

February 08, 2016

Electronic Health Records and the Meaningful Use Program: Is the End Near?

Let Doctors Be Doctors

Physicians are fed up with EHRs, and are organizing with campaigns and creative music videos such as Let Doctors Be Doctors. They have even created an infographic outlining the problems with electronic health records. The government finally seems to be listening.

While speaking both to members of industry and Congress, Andy Slavitt, Acting Administrator at the Centers for Medicare & Medicaid Services, hinted toward changes coming for the electronic health record Meaningful Use program. Citing the new MACRA law’s upcoming regulations, Slavitt noted the program will be different for physicians, prompting some to believe it will change from an “all or nothing” approach to one that may be more flexible and incentivizes using electronic records rather than offering penalties. CMS will have an important MACRA regulation in March, some speculate on March 25, which will outline changes to the Meaningful Use program, as it becomes a part of the new MACRA Merit-based Incentive Payment System.

The problem with EHRs

All of this is good news, especially to the American Medical Association. According to the AMA and other medical groups, one of their members’ biggest headaches is the rise of electronic health record systems, which they say are drowning physicians in red tape. Physicians say too much of their time is being taken up by clerical tasks. This is patently obvious if one views the website “Let Doctors Be Doctors,” where the voices of physicians uniformly speak against government mandates on electronic health records. This site was created as a forum to “amplify the voices of health care professionals and patients.”

“We need to talk about the elephant in the exam room. Electronic health records (EHRs) are failing to improve the connection between patients and providers—and distracting providers from their real work. With more than two-thirds of doctors saying they wouldn't recommend their EHR and the American Medical Association calling for a ‘major overhaul of EMR systems,’ it's time to demand change,” it further states. This and other campaigns have helped to inspire a significant amount of media attention and creative representations of the struggle faced by physicians, such as this viral YouTube hit “EHR State of Mind”.

The AMA’s campaign, “Break the Red Tape” calls for the government to postpone finalizing the Meaningful Use Stage 3 regulations on electronic health records in order to align the policy with other programs under the new Merit-based Incentive Payment System.

This comes as a new report indicates burnout among U.S. doctors is getting worse, showing physicians are worse off today than just three years earlier. Mayo Clinic researchers, working with the American Medical Association, compared data from 2014 to measures they collected in 2011 and found higher measures on the classic signs of professional burnout. More than half of physicians felt emotionally exhausted and ineffective. More than half also said that work was less meaningful.

Electronic health records play a role in this decline. “Instead of spending my days listening to patients and solving their problems, I feel that I spend most of my time struggling to make unique stories and needs fit into an arcane system of clicks and drop-down menus,” Dr. Laura Knudson, an Indiana family physician, recently told the Chicago Tribune. 

Congress and CMS Act to Expedite Exemptions

There has been some good news, however. Prior to adjourning for the holidays, Congress adopted legislation, S. 2425, the “Patient Access and Medicare Protection Act,” which included a provision granting CMS the authority to expedite applications for exemptions from Meaningful Use Stage 2 requirements for the 2015 calendar year. As described by the AMA in an email to stakeholders, in order to avoid a penalty under the meaningful use program, eligible professionals must attest that they met the requirements for meaningful use Stage 2 for a period of 90 consecutive days during calendar year 2015. However, CMS did not publish the Modifications Rule for Stage 2 of meaningful use until October 16. As a result, eligible professionals were not informed of the revised program requirements until fewer than the 90 required days remained in the calendar year.

A provision of the legislation adopted by Congress would grant CMS the authority to process requests for hardship exemptions to physicians through a more streamlined process, alleviating burdensome administrative issues for both providers and the agency. Members of Congress involved in the passing of the legislation include Rep. Tom Price, MD (R-GA), Sens. Orrin Hatch (R-UT) and Ron Wyden (D-OR), and numerous members of the House and Senate leadership from both parties.

However, this does not go as far as some have requested. In a November 20 letter from the GOP “Doctors Caucus” to Speaker of the House Paul Ryan, the 18-member caucus requested Speaker Ryan’s help in pressing for a delay of Stage 3 along with a blanket hardship waiver exception for Stage 2.

Implementation of more-stringent criteria is likely to create “a chilling effect on further EMR adoption as physicians conclude that the cost of implementation is simply not worth the bureaucratic hassle,” according to the letter. “Members of our caucus, as well as numerous congressional health care leaders, have engaged CMS on these issues to warn them of the potential negative consequences of placing these new requirements on providers in order to meet an arbitrary deadline. CMS has ignored Congress. Congressional action is the only solution left for preserving patient access, choice and quality.”

Additionally, CMS guidance on the legislation indicates the agency intends to focus on streamlining the application process. According to the application process for hardship exemptions from meaningful use penalties in 2015, CMS is allowing providers to check box “2.2.d” of the application for an exemption because the agency published its Stage 2 modification rule so late in the year. The penalties, which hit in 2017, total 3 percent of Medicare payments for providers who fail to attest to meaningful use or to get an exemption. Doctors and other eligible professionals have until March 15 to submit their applications for exemptions; hospitals have until April 1.

Meaningful Use Comments

In October, CMS and the Office of the National Coordinator for Health IT released the final rule for Stage 3 of the meaningful use program, modifications for 2015 through 2017 and the 2015 Edition Health IT Certification Criteria. The proposals for the meaningful use modifications for 2015 through 2017 and Stage 3 were combined into a single final rule, which was published on the Federal Register. Under the final rule, Stage 3 is optional in 2017, and providers who elect to begin Stage 3 that year will be able to attest for a 90-day reporting period. It will be mandatory in 2018 and contains eight reporting objectives for eligible professionals and hospitals, more than 60% of which require interoperability, compared with 33% under Stage 2.

In its comments, the American Medical Association recommended CMS allow for additional flexibilities, including multiple methods to meet the meaningful use program goals, elimination of the pass-fail structure of the program, and removing threshold requirements for performance measures. Other comments of note include the Healthcare Information and Management Systems Society (HIMSS), which expressed support for the rule. HIMSS asked that any changes made by CMS be published by February 29, 2016, so participants have enough time to prepare for the transitional year in 2017.

Health IT Security Concerns in 2016

As legislation moves in Congress and regulatory comments are shaping future health IT policies, stakeholders are outlining some concerns with the security of health records and other health IT programs. According to a report from PricewaterhouseCoopers’ Health Research Institute, the adoption and use of new health care technologies will help drive several new industry trends in 2016. During the year, many consumers will have their first video consults, be prescribed their first health apps, and use smartphones and diagnostic tools for the first time. Cybersecurity will be a major concern for these apps; however, they will help move the health care system away from the fee-for-service model as wireless technology improves. Remote technology will allow physicians to better manage health needs, and new databases will afford health systems the opportunity to analyze large and diverse datasets.

A report from Experian also raises security concerns, noting that data breaches will remain a top concern for the health care industry in 2016. According to the report, 90% of health care organizations have experienced a data breach within the last two years. Attacks will likely be focused on large insurers and health systems; however, “smaller incidents caused by employee negligence will also continue to compromise millions of records each year.”

Other reports echoing health IT security concerns go one step further. DirectTrust, a three-year-old, non-profit, competitively neutral, self-regulatory entity created by and for participants in the Direct community, including Health Internet Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs), suggests that Meaningful Use faces an “uncertain future” in 2016 and 2017. It speculates that the program could be delayed or entirely phased out, and it cites physician groups concerned that Stage 3 does not align well with new health care requirements in the MACRA (Medicare Access and CHIP Reauthorization Act of 2015) law. Providers may be willing to face penalties instead of spending more money on health IT that they may not see adding value to their organization, the report also notes.

These reports come as Congress recently passed the Cybersecurity Act of 2015 as part of the 2016 omnibus spending package. The legislation requires the Department of Health and Human Services to provide the Senate HELP Committee and the House Energy and Commerce Committee with a report within one year. That report is to provide a clear statement concerning who is responsible for leading and coordinating efforts at HHS regarding cybersecurity threats in the healthcare industry and provide a plan from each relevant operating division and subdivision. The legislation also creates a healthcare industry cybersecurity task force.

January 29, 2016

Another Transparency Threat – Health Education Exchanges and Medical Identity Theft

We have previously drawn attention to some of the downsides of transparency as it relates to medical information. Those downsides typically revolve around the Sunshine Act and Open Payments data. However, there is a major concern about yet another aspect of medical information transparency. Electronic health records, which allow a primary care physician to quickly send information to other physicians, are starting to become more prominent, easily accessible, and dangerous.

Health information exchanges (HIEs) allow doctors to share information amongst each other and help healthcare agencies to track and respond to emerging health threats. Storing patient medical records in the cloud instead of on-site helps cut down on IT costs and storage costs, and allows medical providers to focus on their primary mission of providing healthcare to patients.

While there are some positives to health records being easily accessible by medical professionals, medical data being so easily accessible also presents a huge attack surface for cyber thieves. A recent Ponemon Institute survey reported that 2.3 million adult patients were victims of medical identity theft in 2014 and those victims spent an average of $13,500 trying to restore their credit, pay off fraudulent medical claims, and clean up their health records.

While the 2014 figures may astound you, The Washington Post reports that the Department of Health and Human Services (HHS) estimates over 120 million Americans have had some of their protected health information (PHI) compromised in data breaches since 2009.

Individual companies and agencies have reported their own data breaches of PHI as well. Excellus BlueCross BlueShield suffered a data breach that affected 10.5 million people; Premera had a breach that affected up to 11 million people; and the Office of Program Management breach affected up to 21.5 million. It is estimated that in total, as much as half of the United States population has had PHI compromised.

These data breaches are the results of a new form of cyber attack. While there isn't just one purpose or motivation behind cyber attacks, there are several plausible ones. One reason may be that when cyber attackers steal medical identities, they are able to monetize the financial information included within them. Dwayne Melancon, chief technology officer with Tripwire, says that the healthcare industry is ahead of the retail industry, but behind the financial industry, when it comes to protecting consumer data. The growth of the Dark Web has provided a ready and simple market for thieves who sell financial and other personal information, such as medical records. As such, it is possible that cyber attackers are turning to an easier approach when it comes to taking your financial information.

Further, while financial information can be monetized almost immediately, medical records can take a bit longer to exploit. If someone seeking medical treatment is using the health information of another patient to receive free medical care, they need to be sure their provider doesn't already know who the real patient is and that the identity they stole matches them and their health issues closely enough that the fraud will not be immediately detected.

It isn't just the possibility of free medical care that could be motivating healthcare cyber attackers. Personal medical information can also be useful to those perpetrating phishing attacks. Parents of children who are terminally ill who receive calls from their doctors, or others purporting to be linked to the doctor, are not likely to be as cautious when told their child has been recommended for a promising clinical trial, and may give financial information over the phone.

Another use for stolen health data is extortion. UCLA Health dealt with a data breach in July 2014, after which Jeff Hill, channel manager at STEALTHbits Technologies, speculated that part of the motivation for attacking an LA-based health system is to find personal health information on celebrities and hold that information for ransom or sell it to news organizations. He states that, "[t]he most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc."

Unfortunately, these data breaches are not always avoidable. Dwayne Melancon stated, "There is a tendency to say a company didn't know what they were doing. That is not always the case... In a lot of those cases it isn't negligence, it's just something people could not foresee. If they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers, and any organization could be vulnerable to that."

When personal health information is exposed through breaches, patient lives can hang in the balance. It is important for all decision makers in healthcare organizations to understand these threats and work to combat them daily, from IT staff to privacy and compliance staff.
