FINANCE: Fewer healthcare transactions, but value of deals surges
Latest rules delay some deadlines, push encryption
Digestion and some dyspepsia by health information technology users and leaders continued after three federal rules—running a combined 1,354 pages—were released by HHS late last month.
The largest of the three rules—and probably the most welcomed and least controversial—was the 672-page final rule covering the so-called Stage 2 meaningful-use criteria. It sets the number and height of hurdles providers must clear to declare themselves meaningful users of health IT and receive federal incentive payments under the American Recovery and Reinvestment Act.
Despite representing “a tsunami of change” for providers, there also is continuity between the architecture of the new Stage 2 rules and their predecessor Stage 1 rules released in 2010, according to Pat Wise, vice president for healthcare information systems for the Chicago-based Healthcare Information and Management Systems Society. Both create a set of core criteria that everyone must meet and a second set of “menu” criteria from which providers may choose their targets.
“Folks understand the concept, and I’m glad they’ve carried it forth,” Wise said. Most of what were menu items in Stage 1 have become core criteria in Stage 2, she said. “That gives the industry a road map as to what’s coming. There is a progress that providers can see and will likely move forward in Stage 3.”
A significant change in the new rule allows those early participants in the EHR incentive program a one-year extension of the Stage 1 criteria, Wise said. Initially, those providers who met Stage 1 criteria for 90 days in 2011 were to be required to meet a full year of Stage 2 criteria in fiscal 2013, beginning Oct. 1 this year for hospitals and calendar year 2013 for physicians and other “eligible professionals.” For both provider types, the new start dates for Stage 2 were pushed back one year.
In addition, providers meeting Stage 2 requirements in 2014 would have to do so for only 90 days, not the full year as was originally proposed. Also, office-based physicians, beginning no later than 2014, can submit in batches the required attestations that they’ve met their meaningful-use requirements, a relief for large group practices from wrangling physicians one-by-one to attest.
In a separate rule, the Office of the National Coordinator for Health Information Technology came up with its 2014 standards and certification criteria for EHRs.
The big news in the 474-page ONC rule is that to be eligible for use in the federal incentive payment program, EHRs must use defined sets of standards for message content and transport as well as clinical vocabularies so “everybody is speaking the same language with common code sets,” said Dr. John Halamka, chief information officer for Beth Israel Deaconess Medical Center, Boston. Halamka also serves as vice chairman of the federally chartered Health IT Standards Committee, which advised ONC on this rule.
“I think you’ve eliminated data silos,” Halamka said. “And they said that it couldn’t
happen in our lifetime.”
Providers are required to use software certified to the 2014 criteria by Oct. 1, 2013, (for hospitals) or by Jan. 1, 2014, (for physicians and other eligible professionals), but they can upgrade their EHRs to meet the new standards at any time.
ONC rulemakers “hit the balance fairly well,” Halamka said. “Some of the stuff is hard, but it’s doable.”
The meaningful-use rule also contains a subtle, but forceful, encouragement for hospitals, physicians and others who handle patient-identifiable records to take a new look at data encryption.
“Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices,” the CMS rule writers said. “Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element.”
Entities covered under the Health Insurance Portability and Accountability Act already must perform a security risk assessment, in which the use of encryption is “addressable,” which means “that you need to consider that control as part of your mitigating controls for your risk assess- ments,” according to Lisa Gallagher, senior director of privacy and security for HIMSS.
Finally, HHS issued a 208-page rule formally adopting what it had proposed earlier: to delay to Oct. 1, 2014, the start date for the national conversion to the ICD-10 family of diagnostic and procedural codes.
The American Medical Association remains wary of the planned ICD-10 compli- ance date. In June, its House of Delegates asked for an evaluation of the feasibility of skipping ICD-10 altogether and adopting ICD-11, which is under development and could be released as early as 2015. Previously, the AMA had asked for the CMS to push the ICD-10 compliance date back to 2015.
In the same rule as ICD-10, the CMS also created the framework for a long-delayed national identifier system for health plans, mandated by HIPAA.
AMA President Dr. Jeremy A. Lazarus, in a prepared statement, welcomed the plan identifier as “a meaningful step toward a streamlined billing system.” But Lazarus noted that over the past three years, the AMA has “strongly advocated” to “expand the scope” of the identifier “to include each entity in the healthcare billing and payment process.” That expansion extends to “a clear identification of a patient’s benefit plan and the relevant fee schedule,” Lazarus said.
The MGMA also wants a “more granular” identification system for plans and subplans, according to Robert Tennant, the organization’s senior policy adviser. HHS sees this rule as a beginning point, Tennant said, but “you ask yourself, when was this first mandated by Congress? It was 1996. And when is the compliance date? 2016. That’s 20 years. The administration has missed a huge opportunity to simplify the claims cycle. We’ve waited 20 years, and it’s still not going to help providers as much as they could.”