Medicare's New Physician Payment Plan: Impact on SecurityAnalyzing Proposal to End Part of HITECH Act's EHR Incentive Program
Proposed new federal regulations would end the HITECH Act electronic health records "meaningful use" incentive program for physicians treating Medicare patients and replace it with a "simplified" program as part of a sweeping payment revamp. Under the proposal, the meaningful use program would remain in place for hospitals and for clinicians receiving incentives payments from the Medicaid program.
The changes are aimed at paying Medicare clinicians based less on volume - as is mostly the case today - and more on quality and coordination of patient care that is enabled, in part, through secure health information sharing.
The proposed Medicare payment revamp for physicians would not significantly enhance the requirements related to privacy and security of patient information under the HITECH Act meaningful use program. The proposal, however, does include provisions designed to discourage the blocking of secure patient records exchange.
"The proposal does not signal an expectation of significant new attention to privacy or security of electronic protected health information," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "There are no provisions in the proposed rule that address the threats posed by cybersecurity vulnerabilities, nothing to help hospitals or providers fend off hackers or ransomware. You get the feeling that CMS [the Center for Medicare & Medicaid Services] believes that the threat posed by cyber criminals is somebody else's problem."
New Payment Mechanisms
On April 27, the Department of Health and Human Services issued a 962-page proposed rule for payment reforms related to the Medicare Access and CHIP Reauthorization Act of 2015. The proposed rule is expected to be published in the Federal Register on May 9 with public comment accepted by HHS until June 26.
Under the proposal, the new Medicare payment program, which would offer physicians two primary payment options, would take effect Jan. 1, 2017.
Advancing Care Information
Under one of the proposed payment revamp options, known as the Merit-based Incentive Payment System, or MIPS, Medicare clinicians would be paid, in part, for providing "high value care" based on four performance categories: advancing care information, clinical practice improvement activities, quality and cost. The "advancing care information" category would replace the current meaningful use program for Medicare clinicians, HHS explains.
"For this category, clinicians would choose to report customizable measures that reflect how they use technology in their day-to-day practice, with a particular emphasis on interoperability and information exchange," HHS notes. "Unlike the existing reporting program, this category would not require all-or-nothing EHR measurement or redundant quality reporting."
Under the advancing care information category, Medicare clinicians would need to report measurements of six key objectives:
- Protecting patient health information by performing a security risk assessment;
- Using electronic prescribing;
- Providing patients with electronic access to health information and patient-specific education;
- Coordinating care through patient engagement, including offering view/download/transmit functions for their records as well as secure messaging and accommodating patient-generated health data in digitized records;
- Participating in health information exchange;
- Participating in public health and clinical data registry reporting, including for patient immunization and syndromic surveillance.
The proposed rule "builds on the success" of the HITECH Act meaningful use program, Karen DeSalvo, M.D., national coordinator for health IT, said at an April 27 press conference.
Nearly all hospitals and about 75 percent of doctors' offices in the U.S. are using EHR systems, in large part due to the HITECH Act's incentive payments, she noted. The program has paid out more than $30 billion in incentives through Medicare and Medicaid.
Protecting patient information is part of the base expectations of the advancing care information objectives, she said.
Under the proposed rule, DeSalvo said, "There is an expectation they [Medicare physicians] will be using certified health information technology to improve the care of patients."
Under the HITECH Act, DeSalvo's office has been certifying EHRs as meeting a variety of standards, including data security measures.
Fighting Information Blocking
Under the proposed regulations, Medicare physicians would be required to attest that they "did not knowingly and willfully" limit or restrict the compatibility or interoperability of certified EHRs, impeding patient record sharing.
Physicians also would have to attest that they "responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information, including from patients, healthcare providers and other persons, regardless of the requestor's affiliation or technology vendor."
These provisions address concerns of federal regulators, as well as Congress, that some health information exchange is intentionally and unreasonably blocked by healthcare organizations, technology services providers and EHR vendors for reasons ranging from competitive issues to misunderstandings about the HIPAA Privacy Rule (see Overcoming Health Info Exchange Blocking).
Issues surrounding information blocking are often "subjective" and that could make enforcement by regulators difficult, says Tom Walsh, founder of security consulting firm, tw-Security. "Certain security controls may cause some unintentional consequences," he notes. "For example, accidentally blocking a legitimate inbound or outbound message. Could a government auditor claim the organization was "participating in information blocking?'"
Holtzman of CynergisTek notes that the proposed regulations would carry over the current HITECH meaningful use privacy and security objectives.
"Like in meaningful use, [the new regulations] would require participants to attest that they are performing an information security risk assessment on their [EHR system] ... and have a risk management plan to correct deficiencies to safeguards for e-PHI identified in the risk assessment," he notes.
Under the proposed regulations, CMS would require physicians to adopt the equivalent of the HITECH meaningful use Stage 3 standards in 2018, using EHRs that are certified to ONC's 2015 Edition standards, Holtzman notes.
Holtzman is skeptical a final rule will be completed and enacted before a new president takes office in January.
"This proposed rule faces an uncertain future because of the many controversial changes it makes in how physicians would be paid, as well as the timing of the proposal, so close to the end of the current administration," he says. "Realistically, it is not at all clear when this will be adopted and what the final form will look like."
John Halamka, CIO at Beth Israel Deaconess HealthCare, an integrated health delivery network serving the Boston area, offers a more optimistic view.
"Since it's a proposed rule, the key is to watch for revisions as the rule is finalized," he says. "Generally that takes about six months, so there is a chance we'll have a new regulation before the election."