Nearly a third of physicians could be exempt from Medicare’s new merit-based incentive payment system under a final rule the CMS issued Friday for implementing the Medicare Access and CHIP Reauthorization Act.

The CMS also signaled it would broaden the opportunities for physicians to participate in alternative models that make them eligible for bigger rate increases and bonuses.

In April, the CMS released the proposed rule on MACRA, which replaced the old and flawed sustainable growth-rate formula for physician pay with a new method meant to shift physicians away from the fee-for-service model and onto a value-based payment system. To avoid penalties under MACRA, physicians will participate in one of two reimbursement tracks: a merit-based incentive payment system or advanced alternative payment models.

In the merit-based incentive payment system, known as MIPS, physician pay will be based on success in four performance categories: quality, resource use, clinical practice improvement and “advancing care information,” which is based on the meaningful-use program the government has used to decide whether doctors should be rewarded for using electronic health records.

The agency heeded the concerns of small practices and Congress about the framework’s impact on small practices and broadened its exclusion for providers who treat a low volume of Medicare patients from MIPS.

To help ease the impact on small providers, the CMS will exempt physician practices with less than $30,000 in Medicare charges or fewer than 100 unique Medicare patients per year. The draft rule set the threshold at $10,000 a year.

An analysis by the American Medical Association found that about 16% of all MIPS-eligible clinicians would be exempt under the proposed version of the rule. The threshold in the final rule would exclude 30% of physicians, according to the AMA analysis.

The CMS noted that more than 93% of Medicare Part B charges would still be subject to the incentive framework, which was devised to nudge physicians toward value-based care.

Acting CMS Administrator Andy Slavitt said in conference call with reporters that the thousands of comments received on the proposed rule could be summarized as: “Make the transition to MACRA as simple and as flexible as possible.”

The CMS said it would provide $100 million in technical assistance to clinicians participating in MIPS who are in small practices, rural areas and in areas with a shortage of health professionals.

The MACRA got rid of the “meaningful use” rule that the administration previously used to decide if providers should be rewarded for using electronic health records, but doctors will still be accountable for using health information technology under the “advancing care information” performance category in the rule that counts 25% towards a physician’s overall performance score, as was proposed initially.

Heeding calls for more flexibility, the CMS in the final rule said it will move away from the “all or nothing” approach previously used in EHR incentive programs. The rule reduces the total number of required measures under the category to five from 11 in the proposed rule. All other measures will be optional for reporting.

Required measures include security risk analysis, e-prescribing, providing patient access, sending summary of care and requesting and accepting summary of care. The required measures must be fulfilled for a minimum of 90 days to receive credit.

The CMS said that while public comments called for the category to allow for reporting on “use cases,” such as the use of EHRs to manage referrals and consultations, it did not include such policies in the final rule. However, in 2017 the CMS will add bonus points for improvement activities that use EHRs and for reporting to a public health or clinical data registry.

The CMS also said that eligible clinicians participating in MIPS must show that they are engaged in activities that support health care providers on the performance of certified electronic health record technology, such as cooperating with the ONC’s review of the technology, and that they are not blocking data sharing.

The final regulations also answer requests for lower minimum reporting thresholds. The agency originally wanted providers to report quality measures on 90% of their patients from all payers, and 80% of Medicare patients. Small providers argued they would have a harder time obtaining the information technology and data needed to meet that requirement. The final rule drops the Medicare threshold to 50%.

Between 592,000 and 642,000 clinicians, according to the rule, are expected to submit data for MIPS during the first performance year, which begins Jan. 1.

The CMS also said it was expanding opportunities to participate in programs that qualify as “advanced alternative payment models” under the law. Practices with a significant portion of their revenue under such a model are exempt from MIPS and qualify for larger rate increases and bonuses.

The agency now estimates that more than 125,000 clinicians will participate in advanced APMs for the 2018 performance year.

Slavitt said the CMS plans to develop more APMs through the CMS Innovation Center. “Ultimately, we believe that we’re not looking to transform the Medicare program in 2017, we’re looking to make a long-term program successful,” he said.

Article source:

read more

The New York-Presbyterian health system has created a platform to provide a variety of telehealth services to patients across its network and across the country.

New York-Presbyterian says its new NYP On Demand platform provides virtual emergency and will begin offering virtual urgent-care visits by the end of the summer. It anticipates the program will reduce wait times in their emergency department and provide patients with more convenient care options. The system says it is the first health system in New York to provide virtual ER services.

“We need to be able to improve access for our patients,” said Dr. Peter Fleischut, New York-Presbyterian’s chief innovation officer. “We need to make it easier for them to access the care they need.”

Hospitals and healthcare providers are increasingly harnessing telehealth platforms to augment their traditional care, provide patients with more convenient options and potentially reduce costs. A booming area for telemedicine is urgent care, where health systems could treat simple problems like a cough or runny nose cheaper, according to Dr. Alan Pitt, chief medical officer of telehealth company Avizia.

New York-Presbyterian wants to revamp how it provides emergency and urgent care and expand access to experts in the faculty practices at the health system’s two affiliated medical schools—Columbia University Medical Center and Weill Cornell Medical College.

For emergency care, some visitors to the emergency department at New York-Presbyterian Weill Cornell campus can now elect to receive a virtual visit from a physician rather than an in-person examination after their initial medical screening. Fleischut said the health system will be expanding the program to provide virtual urgent-care visits in patients’ homes across New York state by the end of the summer.

The telehealth platform will also allow New York-Presbyterian patients to make digital follow-up appointments starting this fall. It also will allow New York-Presbyterian doctors to digitally consult with specialists at other facilities within the network to provide more convenient care.

“We anticipate this is how we need to be operation in the future to engage with our patients,” Fleischut said. “I would guarantee that we will be adding services into this” platform.

New York-Presbyterian has also launched an initiative to provide patients across the country with digital second opinions in 80 medical specialties through the NYP On Demand platform. Rather than traveling to New York City to consult with experts from Columbia or Weill Cornell, patients can pay an $800 one-time fee to receive a second opinion from a New York-Presbyterian physician. The health system says more than 300 physicians are already participating in the program.

“At New York-Presbyterian, we are looking to redefine the intersection of technology and healthcare, and our new digital health platform is our way of strengthening traditional telehealth services,” said Dr. Steven Corwin, CEO of New York-Presbyterian.

Article source:

read more

Banner Health is contacting 3.7 million individuals whose personal information may have been accessed in a cyberattack that began on systems that process credit card payments for food and beverage purchases at Banner locations. The breach then expanded to include patient and health plan information.

The Phoenix-based health system, with locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming, first learned of the attack on July 7, according to a company statement. Around June 23, the attack began to target data from credit cards, including the cardholders’ names, card numbers, expiration dates and verification codes.

By July 13, an investigation revealed that the attackers “may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers,” the statement said. “The patient and health plan information may have included names, birth dates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and Social Security numbers.”

Banner announced Wednesday that it is mailing letters to 3.7 million patients, health plan members and food service customers about the attack. The system has also hired a computer forensics firm, contacted law enforcement officials and is taking steps to prevent further attacks.

Bill Byron, vice president of public relations for Banner, said there was no evidence the information has been misused in any way. He added that further details may not be forthcoming.

“Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers,” said Peter S. Fine, president and CEO of Banner Health.

Michael “Mac” McMillan, co-founder and CEO of security firm CynergisTek, said it was odd that the point of sale systems at Banner’s 27 food service locations that were affected appear to have been on the same network as clinical systems.

A 2012 study by Verizon showed that point of sale systems are responsible for 48% of assets compromised in healthcare data breaches. While this might seem counterintuitive, the report continues, it shows that most cybercriminals are more interested in accessing a patient’s bank account than the details of electronic health records that might be stored in a file or database server.

At 3.7 million affected individuals, the Banner Health breach would be the eight largest on the “wall of shame” website that’s been kept by HHS’ Office for Civil Rights. The site lists all breaches of healthcare information involving 500 or more individuals since September 2009 when the Health Insurance Portability and Accountability Act breach notification rule went into effect.

By far the largest breach on the list is Anthem’s March 2015 cyberattack that affected the records of 78.8 million individuals. Seven of the top 10 breaches have been cyberattacks. All of those hacking breaches were reported either this year or last.

A list of the outlets that were affected can be found here.

Article source:

read more

For a hacker who’s looking to make money out of stolen personal information, healthcare systems and hospitals can be a one-stop shop.

Along with the usual names, addresses, dates of birth, Social Security numbers and claims information come credit card and banking account numbers used to process payments.

Cyber security experts will tell you the two types of information should be stored in computer systems completely unrelated and disconnected to avoid leaving either one vulnerable — something that seems to have happened to Banner Health.

The Arizona-based hospital chain this week said hackers tapped into credit and debit card information belonging to 3.7 million people through point of sale systems (POS) that process payment card data at dozens of food and beverage outlets serving Banner Health locations.

The hack occurred on June 17 and went undiscovered until July 7.

Six days later, Banner learned patient information and health plan records on its computer networks may also have been comprised.

Banner spokesman Bill Byron said the incident is under investigation and that details won’t be known or shared for weeks.

But the incident has left cybersecurity experts wondering if the healthcare industry, which in the past few years has been hit mercilessly with data breaches and ransomware threats, now has yet another weak spot — the point of sale system.

The vast majority of these systems that process credit card payments are brought in by third-party vendors, hooked up to a cash register, plugged into the internet and “away they go,” said Chris Ensey, chief operating officer of Dunbar Security Solutions.

“(POS systems) are often treated as somebody else’s stuff,” he said, adding that the healthcare organizations view the vendors as responsible for the systems.

But each new third-party services provider creates yet another entry point for hackers, he said.

And in fact, a 2012 study by Verizon showed that point of sale systems are responsible for 48% of assets compromised in healthcare data breaches.

It’s important to conduct audits to review how the systems are interoperating and what vulnerabilities they might reveal during the set-up, Ensey said.

Cyber security expert Jeremy King said hackers are data omnivores who will feast on one system for one type of data then rummage around for different data, as long as it’s marketable.

Criminals regard healthcare records as more valuable than credit card records because their data elements, such as DOBs, addresses and Social Security numbers, can’t be readily changed. A credit card, on the other hand, can be cancelled once a breach has been discovered.

Last month, a hacker was spotted on the black market offering to sell nearly 10 million patient records for $880,000. A lot of criminals who steal credit card account information will use it themselves for fraudulent purchases or sell it.

Hackers can get anywhere from $5 for the card number to $1,000 for the information contained in account balances, according to Business Insider.

“It’s big money,” King said.

King, who is international director of the Payment Card Industry Security Standards Council, said it’s important to maintain a firewall between POS systems and other information networks.

“Segmentation is a way to try and reduce your risk,” he said. “Even then, you’ve got to make sure you do that segmentation correctly, you’ve got the systems in place and you test it.”

King also advises access to credit card systems be on a “need-to-know” basis.

Now, just because Banner’s POS system breach was discovered first doesn’t mean that was the system that was first hacked, said King. “The forensic investigators will find that out in time.”

Byron, the Banner spokesman, said, so far, there is no evidence indicating any of its data were removed or “misused in any way.”

Banner’s breach is the 8th largest on the online “wall of shame” kept by HHS. The site lists all breaches of healthcare information involving 500 or more individuals since 2009.

By far the largest breach on the list was Anthem’s in 2015. The cyberattack comprised the records of 78.8 million individuals. More than 114.1 million individuals’ records have been exposed in the past two years.

Article source:

read more


On Tuesday, May 17, the Health IT Policy Committee and Standards Committee, Federal Advisory Committees to the Office of the National Coordinator for Health IT (ONC), convened for an in-person joint meeting. Three new members were welcomed to the Health IT Policy Committee; Carolyn Petersen with Mayo Clinic Global Business Services, Karen van Caulil with the Florida Health Care Coalition; and James Ferguson with Kaiser Permanente.

Kate Goodrich, Director, Center for Clinical Standards and Quality at CMS, provided a presentation on MACRA and Delivery System Reform. Dr. Goodrich gave a high level overview of the proposed rule to include a look into the quality payment program, Advanced Payment Models (APMs), MIPS, and a deeper dive into the advancing care information performance category within MIPS. For additional information and instructions on how to submit comments to the proposed MACRA rule by the June 27, 2016 deadline, please visit the CMS website.

Steve Posnack, Director of the Office of Standards and Technology with ONC, presented on two funding opportunity announcements to include the High Impact Pilot (HIP) and Standards Exploration Awards (SEA). Three to seven HIP awards, expected to range from $100,000 to $500,000 each, and three to five SEA awards, expected to range from $50,000 to $100,000 each, will be awarded. Interested applicants are encouraged to attend the Information Sessions on May 23 (HIP) or May 26 (SEA).  For more information, visit the ONC website.

The Precision Medicine Task Force, co-chaired by Leslie Kelly Hall with Healthwise and Andrew Wiesenthal with Deloitte Consulting, LLP, presented final Task Force recommendations. The PMI Task Force recommendations identify three interoperability pathways that are critical to the Precision Medicine Initiative (PMI).  The three pathways include one that focuses on EHR data; a pathway that enables data gathering from other independent non-provider sources such as labs, PBMs, and retail pharmacies; and a third pathway to accelerate the ability to return an individual participant’s aggregated data from multiple sources and eventually research results. Final recommendations were approved by the Joint Committee and will be forwarded to ONC for review.

The API Task Force co-chaired by Josh Mandel with Harvard Medical School and Meg Marshall with Cerner Corporation presented final recommendations from the Task Force to the Joint Committee. The recommendations were broken down into 8 generic use case topics: Types of apps and organizations who provide them; app registration; endorsement/certification of apps; communication of the app’s privacy policies; patient authorization framework; limitations and safeguards on sharing; auditing and accounting for disclosures; and identity proofing, user authentication, and app authentication. Recommendations were approved by a narrow margin due to privacy and security concerns.
The next Joint Committee meeting will be a virtual meeting on June 8, 2016.

Article source:

read more