The Washington Debrief  provides CHIME members weekly news and information related to important healthcare IT legislative, regulatory and political developments in Washington, D.C.

Volume 5, No. 40
November 7, 2017
MACRA & Appropriate Use

Key Takeaway: CMS finalizes second-year policies for physicians under MIPS and APMs and appropriate use policies.

Why It Matters: Last week, the Centers for Medicare and Medicaid Services (CMS) published two important, final rules with notable health IT changes.
  • Quality Payment Program (QPP): The final rule was published with comment for the second year of the Quality Payment Program (QPP), which comprises both the Medicare Incentive-based Program (MIPS) and the Advanced Alternative Payment Models (APMs). Notably, CMS finalized policy to allow clinicians the use of 2014 Edition and/or 2015 Certified Electronic Health Record Technology (CEHRT) in Year 2 in 2018. In August, CMS finalized for hospitals a similar policy. We are pleased to see CMS listened to the provider community and will continue allowing clinicians and hospitals to continue using 2014 CEHRT through 2018. As outlined in this new final rule, clinicians will essentially have another year to use the Advancing Care Information (ACI) transition measures. The final rule can be found here and CMS' fact sheet can be found here.

Leslie Krigstein
VP Congressional Affairs, CHIME

Mari Savickis
VP Federal Affairs, CHIME

Thoughts, Questions or Comments? Please contact  Leslie or Mari

Office Hours: 9 am - 5 pm

Appropriate Use: CMS also published the final physician fee schedule rule where they announced a longer transition pathway for meeting appropriate use requirements. A voluntary period of transition will start mid-2018 and run through 2019 before becoming mandatory in 2020. The final rule can be found here and the fact sheet here. The press release for both the MACRA rule and the physician fee schedule rule can be found here.

Senate REBOOT Group Reintroduces Meaningful Use Flexibility Bill

Key Takeaway: Last week the band of six Republican senators who have a long-formed health IT working group joined once again to reintroduce the Electronic Health Record (EHR) Regulatory Relief Act (S. 2059).

Why It Matters: The EHR Regulatory Relief Act would permanently implement a 90-day reporting period for Meaningful Use; remove the all-or-nothing construct; eliminate the mandate to make the program more stringent over time; and expand access to hardship exemptions through 2019.

CHIME enthusiastically supported similar legislation when it was introduced in 2016. The bill text is available here and summary here.
Meaningful Use Attestation Changes

Key Takeaway: Meaningful Use attestations will be submitted via the QualityNet portal starting in 2018; start preparing now.

Why It Matters: Beginning Jan. 2, 2018, eligible hospitals and critical access hospitals (CAHs) attesting to CMS will submit their 2017 Meaningful Use attestations through the QualityNet Secure Portal (QNet). Eligible hospitals and CAHs attesting to CMS must have an active and updated QNet account before submitting MU attestations. CMS recommends starting now that:
  • Eligible hospitals and CAHs attesting to CMS who are new to the QNet system need to enroll to create a QNet account and select the MU option.
  • Eligible hospitals and CAHs attesting to CMS who are existing QNet users need to select the MU option in their QNet accounts.
For a step-by-step guide to enrolling in QNet and adding the MU option to your QNet account, review the QualityNet Secure Portal Enrollment and Login User Guide.

For More Information 

Subscribe to the EHR Incentive Programs listserv

Q4 Value Set Update

Key Takeaway: CMS announces policy change on Q4 eCQM value sets following CHIME feedback.

Why It Matters: CMS announced late last week following feedback provided by CHIME that they are changing their policy around Q4 Quality value sets. They state, "reporting one quarter from 1st Quarter - 3rd Quarter 2017 would not necessitate integrating the 4th Quarter 2017 value set addendum." Earlier this fall we raised concerns that the agency's policy was not workable for many providers.

More information with CMS' detailed response can be found here.
House Bill Calls on HHS to Prioritize Cybersecurity, Provide Clarity to Industry

Key Takeaway: A bipartisan bill calls for a senior cybersecurity official at the Department of Health and Human Services (HHS) and requests a report to Congress on how HHS is helping the sector become more secure.

Why It Matters: The Health Care Industry Cybersecurity Task Force called for the elevation of a cybersecurity leader within HHS as well as enhanced coordination between the department's different operating divisions, both provisions of the legislation.

Last week, Representatives Billy Long (R-MO) and Doris Matsui (D-CA) introduced the HHS Cybersecurity Modernization Act (H.R. 4191) to improve cybersecurity within HHS and their ability to support the healthcare industry. The bill is an enhanced version of a bill introduced by the pair previously, that Marc Probst, then CHIME Board chair testified on in May 2016.

The HHS Cybersecurity Modernization Act provides HHS the authority to reorganize its cybersecurity personnel and require the department to develop and submit a plan regarding the following:
  • The internal coordination between HHS operating divisions (CMS, Food and Drug Administration, Office of the National Coordinator for Health IT) that have regulatory authority with regards to healthcare cybersecurity, and how those offices will coordinate their efforts to provide a cross-cutting response to modern cybersecurity challenges.
  • The role of HHS in securing its own internal information systems as compared to its role in providing guidance, information, education, training and assistance to the healthcare sector, and how it will differentiate between those two roles.
  • The challenges HHS faces as both the regulator and the Sector Specific Agency for healthcare, and how it will differentiate between these two roles.
Monthly OCR newsletter

Key Takeaway: Office for Civil Rights issues October newsletter focusing on protecting mobile devices.

Why It Matters: OCR reminds readers that there are risks to using mobile devices in the workplace. They state, "The use of mobile devices in the workplace can be convenient and productive, but organizations should realize the risks associated with increased usage of mobile devices - especially when mobile devices are used to create, receive, maintain or transmit electronic PHI (ePHI). Entities regulated by the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) must be sure to include mobile devices in their enterprise-wide risk analysis and take action(s) to reduce risks identified with the use of mobile devices to a reasonable and appropriate level."

They offer these tips for securing these devices:
  • Implement policies and procedures regarding the use of mobile devices in the work place - especially when used to create, receive, maintain or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.
A copy of their October newsletter on this topic may be found at OCR's cybersecurity guidance may be found at:
House VA Committee Considers Bill to Allow Providers to Practice Telemedicine Across State Lines

Key Takeaway: Last week the House Veterans Affairs Committee approved a CHIME-supported bill to allow providers within the Department of Veterans Affairs (VA) to treat patients via telemedicine across state lines.

Why It Matters: The VETS Act (H.R. 2123) would give the department legislative authority to carry out the proposal already signaled by the VA in their recent rule.

The Federal Trade Commission, like many provider and technology organizations including CHIME, voiced their support for the policy as well last week. The legislation was unanimously approved by the Committee and could tag-along with larger veterans healthcare package later this year.
Senate Hearing Examines Implementation of 21st Century Cures

Key Takeaway: The Senate Health, Education, Labor and Pensions (HELP) Committee explored how the health IT provisions of the 21st Century Cures Act were being implemented.

Why It Matters: Among the health IT provisions included in the bipartisan law passed last December were information blocking, patient matching and administrative burden reduction efforts to be carried out by the Department of Health and Human Services.

During the hearing entitled, " Implementation of the 21st Century Cures Act: Achieving the Promise of Health Information Technology," HELP committee members pressed witnesses from the Office of the National Coordinator for Health Information Technology (ONC), CMS and Office of the Inspector General (OIG) on the progress made to date on the directives delivered to Congress in the legislation late last year.

Concerning information blocking, both ONC and OIG representatives explained that meetings have been conducted with stakeholders and they are preparing for rulemaking to define what should not be considered information blocking.

ONC stated that the new Health IT Advisory Committee, the federal advisory committee, set up in the law to replace the HITECH-created Health IT Policy and Standards Committees, will likely begin meeting during the winter of 2018.

Reducing the regulatory burden on providers was a topic of discussion among committee members, including Chairman Lamar Alexander (R-TN). He voiced ongoing concern with the Meaningful Use program, especially the extreme hesitation he has heard from health systems about the move to Stage 3. Documentation burden dedication was also discussed by witnesses and members alike, with a recommendation to set a goal to reduce the overall percentage of time clinicians spend on documentation.

Senator Elizabeth Warren (D-MA) pressed witnesses on the importance of the patient matching provisions and continued efforts to reduce patient safety incidences caused by the inability to accurately identify patients. Dr. Jon White, Principal Deputy National Coordinator, ONC's witness highlighted CHIME's work on the National Patient Identification Challenge as an example of private sector leadership on the issue.

CHIME's summary of the health IT provisions of the 21st Century Cures Act is available here and the timeline set forth in the law can be found here.
Senators Introduce Bill on VA EHR Transition

Key Takeaway: Congressional interest peaked last week in the VA transition to new EHR system, ensuring intended timelines are maintained and is transparent, a demonstrated by a bill introduced last week.

Why It Matters: Earlier this year, the VA announced the acquisition of the same electronic health records system used by the Department of Defense (DoD.)

Senators Jon Tester (D-MT) and Richard Blumenthal (D-CT) introduced the Veterans' Electronic Health Record Modernization Oversight Act of 2017 to require the VA to provide a detailed plan about how it will ensure every veteran's medical records are available electronically and are easily shared across the health system. Similar concerns have been voiced by House members.

The legislation requires the VA to provide:
  • A comprehensive report on timelines, cost projections, risk management plans, and a plan for ensuring that the new record works with non-VA providers.
  • Quarterly updates on the project's implementation noting changes from the initial plan.
  • Prompt notice of delays, additional incurred cost, change in project scope, loss of clinical data, breach in patient privacy, disruption in patient care, or legal challenges.
White House Commission lays path for fighting epidemic

Key Takeaway: White House Commission on opioids releases final report. 

Why It Matters: Last week President Trump's opioid commission released their final report, complete with more than 50 recommendations detailing how to respond to the opioid crisis. The report also touched on fentanyl, a synthetic opioid that is 50 times more powerful than heroin and 100 times more powerful than morphine. It is also the leading cause of opioid overdose deaths.
  • Click here to read a copy of the commission's report.
  • Click here to learn about the Energy & Commerce Committee's past and ongoing efforts to combat the opioid crisis.
FDA Releases Guidance on Sharing Patient Information

Why It Matters: FDA notes in the guidance, "The Food and Drug Administration (FDA or "we") developed this guidance to clarify our position regarding manufacturers appropriately and responsibly sharing "patient-specific information" - information unique to an individual patient or unique to that patient's treatment or diagnosis that has been recorded, stored, processed, retrieved, and/or derived from a legally marketed medical device - with that patient at that patient's request. This guidance  provides information and recommendations to industry, healthcare providers, and FDA staff about the mechanisms and considerations for device manufacturers sharing such information with individual patients when they request it."
Click here to view our  CHIME Public Policy Playbookplaybook
College of Healthcare Information Management Executives (CHIME)
20 F Street NW | Suite 700 | Washington, DC 20001 |  (734) 665-0000 |