Network Infrastructure
The CERT Division of Carnegie Mellon's Software Engineering Institute has released its list of 10 technologies emerging in the next five years with the greatest vulnerabilities in terms of cybersecurity, finance, personal health and safety.
Implementation of MACRA will impact not only physicians, but also the hospitals with whom they partner, the American Hospital Association told Andy Slavitt, acting administrator of CMS, and the U.S. House Ways and Means Subcommittee on Health on Wednesday.
Health Subcommittee members met with Slavitt Wednesday on the implementation of the Medicare Access and the CHIP Reauthorization Act of 2015.
MACRA's Quality Payment Program, released by CMS on April 27, consolidates a patchwork of programs into two paths for physicians receiving Medicare payments: the Merit-based Incentive Payment Systems (MIPS); and an Advanced Alternative Payment Model (APM).
The AHA said it applauds MACRA's streamlining of the physician reporting burden, but still has concerns, especially for smaller practices, and is disappointed the federal government is providing no financial incentives for upfront investments in technology to meet the demands of implementation.
The estimated investment is $11.6 million for a small accountable care organization and $26.1 million for a medium ACO, the AHA said.
[See also: A deep dive on the 'overwhelmingly complex' MACRA proposed rule.]
"Hospitals that employ physicians directly may bear the cost of implementation of an ongoing compliance with the new physician performance reporting requirements under the Merit-based Incentive Payment Systems, as well as be at risk for any payment adjustments," the AHA said in a statement. "Moreover, hospitals may be called upon to participate in alternative payment models so that the physicians with whom they partner can qualify for bonus payments and exemption from MIPS reporting requirements that accompanies the APM 'track.'"
House Ways and Means Subcommittee on Health Chairman Pat Tiberi, R-Ohio, asked Slavitt about concerns he's heard about the difficulty smaller practices may have coming into compliance, saying the rural provider, and one or two-person provider group "has a bunch of angst right now."
Slavitt said the data shows that smaller and solo practices can succeed as well as physicians in larger-size groups as long as they report. It's up to CMS to make the reporting burden as easy as possible, Slavitt said.
"Importantly we are looking for additional steps and ideas as people review the rules, but I will say that we are focusing on technical assistance, providing access to medical home models, opportunities to report in groups and using a reporting process that automatically feeds data, reduces the number of measures and overall lowers the burden for small practices," Slavitt said.
Small physicians can report in groups and other physicians may not have to report at all because they're under a minimum threshold for the number of Medicare patients they see, Slavitt said.
Slavitt said he's heard from physicians that they want to focus on care, not reporting.
Congress has provided funding for MACRA technical assistance to small practices, rural practices and others, he said.
MACRA replaces the sustainable growth rate and changes the way physicians and providers are paid, moving the healthcare system closer to CMS's goal of tying 50 percent of Medicare payments to alternative payment models by 2018.
CMS is taking comment on the MACRA proposal for 60 days.
"Success will come from adopting approaches that are practice-driven," Slavitt said. "It is our intent to align the MIPS and the Advanced APM components of the Quality Payment Program, allowing maximum flexibility for clinicians to switch between MIPS and participation in Advanced APMS based on what works best for them and their patients."
To spur motivation, MACRA established an 11-member independent advisory committee, the Physician-Focused Payment Model Technical Advisory Committee, PTAC, that will meet quarterly to review payment models.
[See also: A deep dive on the 'overwhelmingly complex' MACRA proposed rule.]
The AHA has formed its own clinical advisory group to identify important policy and operational implications of MIPS and APMS for hospitals.
The AHA recommends hospital-based physicians be able to use their hospital's quality reporting and pay-for-performance program to measure performance in MIPS; employ risk adjustment rigorously, including for sociodemographics to ensure providers do not perform poorly simply because they care for more complex patients; and align EHR Incentive Program changes for physicians with those of eligible hospitals.
The AHA applauded CMS's proposal to reduce the number of measures for quality reporting from nine to six, and also for its recent work with private insurers and physician groups to reach agreement on a common set of physician quality measures that can be used in both CMS and private payer pay-for-performance programs.
"Physicians and hospitals alike spend significant resources reporting on multiple versions of measures assessing the same aspect of care to meet the differing requirements of CMS and individual private payers," the AHA said.
The AHA is disappointed CMS has proposed a narrow definition of financial risk in advanced APMs for purposes of MACRA bonus payments, in not recognizing the upfront investment made by providers to implement alternative payment models.
The AHA also said fraud and abuse laws need to be modified for a "legal safe zone" where physicians and hospitals can share information
Twitter: @SusanJMorse
Nashville-based Ardent Health Services, which operates hospitals in Oklahoma, New Mexico and Texas, plans to unite all its hospitals and physician groups on an Epic Systems EHR platform.
LOS ANGELES — Building on several best practices and basic blocking and tackling of cybersecurity, healthcare organizations must also take a higher-level view to effectively address the problems of today.
“Cybersecurity could not be more important. The breaches continue to happen, in the federal government, the private sector, it’s all over,” said Ronald Ross, a fellow and data scientist at the National Institute of Standards and Technology here on Monday at the Privacy and Security Forum.
In addition to outlining the new security engineering guidance document that NIST released on May 4, 2016, which he described as “the most important, most transformational,” he has worked on at NIST, Ross offered that high-level solution.
“Leadership, governance, and accountability will solve 90 percent of our cyberbreaches,” Ross said.
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
Symantec health information technology officer David Finn agreed, saying that a strong leader with governance in place can then hold people accountable when those policies and procedures are not working.
“Governance has to include the CEO, CFO, the board,” Finn added. “Because that’s the only way it works.”
That approach should take into account: expenditures, insurance, regulatory compliance and “all the things that companies do to mitigate risk,” said PwC managing director Lisa Gallagher.
Kyle Gilliland, director of information security at Huntington Hospital said that healthcare entities cannot simply buy security.
“It starts with taking a look at your business needs and trying to build security into those,” Gilliland said.
Ross also said cybersecurity needs to be proactive, not reactive, and that healthcare organizations should build security into every facet of their business — and explained that when NIST was working on the new document, it reached out to engineers who build bridges, planes and other large systems to understand and incorporate their best practices.
[Also: NIST to release new guidance for strengthening hospital cybersecurity]
“When a plane crashes or a bridge collapses, the first thing we do is call the engineers to find out why it happened,” Ross explained.
In the event of a data breach, however, healthcare organizations typically collect more threat intelligence, rather than actually understanding their own weaknesses to improve upon those.
NIST’s new guidelines can help lead entities in that direction, though Ross said regardless of which framework a hospital chooses, the best tactic is to pick one the organization understands, is comfortable with, and can execute against.
“The only way to improve security is to architect and engineer your system,” Ross said. “You have to use engineering techniques to limit the damage adversaries can do.”
Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com
Like Healthcare IT News on Facebook and LinkedIn
"With respect to some business practices: It's time to lead, follow or get out of the way," CMS Acting Administrator Andy Slavitt said at the 2016 Health Datapalooza in Washington, D.C.
"If you want to lead the way with innovations that help consumers, great; if you want to follow by using established standards for data and measurement and technology, also great," he added. "If you have a business model which relies on silo-ing data, not using standards or not allowing data to follow the needs of patients – pick a new business model or pick a new business."
On the heels of the April announcement of the proposed MACRA ruling, Slavitt spoke to healthcare innovators, industry leaders and developers early Tuesday evening. And while he had no further news to share with the specifics of the proposal, it was clear his intentions were firm.
"What Vice President Biden said should stick with us: As taxpayers, we did not spend $35 billion so companies could build their own silos," Slavitt said. "At this stage, there's no room for business practices that don’t match the need of patients."
On the forefront of Slavitt's thoughts were patients with the least access to care and an "obsession with a plight of the independent physician."
However, "physicians are baffled by what feels like the 'physician data paradox.' They're overloaded on data entry and yet rampantly under-informed," Slavitt said. And the majority of providers are seeing a chasm between the time needed to invest in making the IT work and the actual positive results within their practices.
"Technology isn’t doing the things we know it can," he added. "Help us make smarter decisions, reduce our wasted time, help us communicate or understand what to expect next."
While these issues are troubling, according to Slavitt, the solution isn't the need for more IT inventions. But rather five crucial steps to initiate change in the healthcare industry: the massive release of data; changing incentives to reward providers for patient outcomes; creating "core" quality measures across all payers; advancing interoperability; and the proposed replacement of meaningful use.
"These steps are designed to make it easier for you to innovate, to open up competition and to move the focus from designing around regulations, to allowing you to design around patients’ and physicians’ needs," Slavitt said. "The opportunity for you to transform healthcare into an information industry has never been more ripe or more urgent."
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
Like Healthcare IT News on Facebook and LinkedIn
The American Dental Association unwittingly sent malware-infected USB thumb drives to dental offices nationwide, the ADA confirmed today.
Adam Landman, MD, will take the reins as chief information officer at Boston's Brigham and Women's Health Care, effective May 2.
Stolen credentials, privilege misuse and miscellaneous errors were the three biggest causes for health data breaches in 2015, according to the 9th annual Verizon Data Breach Investigations Report released Tuesday.
There are day-to-day blocking and tackling tactics that every healthcare organization should be doing right now to reasonably address the current security threat landscape.
Electronic Health Records
Officials uncovered 'significant risks' and irregularities during rollout, raising concerns about a viable final product, a spokesperson says.