The Federal Information Security Management Act (FISMA) is the law under which Federal agencies and their departments are held accountable for the security of their IT. Under the current system, every three years agencies are required by FISMA to reconfirm the status and security of their IT systems and processes using what is effectively a rubber-stamp check-the-box process to attest that all due diligence was performed, without any monitoring or verification.
On December 10-11, Congress enacted reforms to FISMA which would see this process change from a tri-annual event to one of continuous authorization and ongoing monitoring. Those changes are heading up Capitol Hill to the White House and will be the first major change to cybersecurity legislation since FISMA was originally enacted in 2002, twelve years ago.
The FISMA reforms still require departments to self-monitor and attestation remains the submission vector. Agencies are simply tasked with ongoing process review. This new system should mean that the Federal agencies will stay current, and ahead of the ever-increasingly rapid changes of the IT technology wave.
The department responsible for the Cybersecurity Framework, NIST, has documented new controls and assessment guidance to help agencies implement the new reforms. NIST Fellow Ron Ross, chief author of the institute's risk assessment guidance, says "The most important feature in the new guidance is that it's going to support this whole transition to ongoing authorization and continuous monitoring".
Featuring prominently in the proposed guidelines are security risk assessments and Privacy Plans, which remain key factors that must be implemented at all federal levels and approved by management as part of the process.
On Monday December 1st, the Centers for Medicare and Medicaid (CMS) Services released a 429 page proposal which if adopted will restructure the Medicare Shared Savings Program (MSSP) to give program participants up to an extra three years of grace before incurring performance penalties. This delay, in conjunction with the offering of an alternate model, is hoped to encourage Accountable Care Organizations (ACO's) to come on board and sign up for the Medicare financial incentive program for ACO’s.
An ACO is basically a collective, where all stakeholder participants (doctors, hospitals, other healthcare practitioners) coordinate purchases within their group, with the objective of reduced healthcare costs and associated improvement of patient outcomes. Cost benefits are shared among the members of the ACO, as are penalties. Both are based on whether performance benchmarks for quality of care are met, or missed.
The new model, Track 3, offers the option of greater savings, at the risk of greater penalties. In brief, Track 3 would allow ACO's to retain up to 75 percent of incentive payments while losing up to 15 percent for any excessive spending.
The National Association of ACO's said that while it is pleased to see CMS exploring alternate benchmark models it also wants to see changes to the existing tracks. In a prepared statement the Association said "Most disappointing is that ACOs who elect to stay in the program for three more years under the one-sided risk track will have a reduced sharing formula of 40-60 instead of 50-50. This combined effect will not sustain the one-sided program and result in sufficient success for ACOs to convert to two-sided. We have argued that for any two-sided ACO program to succeed there must be a sustainable business model for the one-sided track first. Most providers will not opt for two-sided track without a positive experience in a one-sided program."
A core requirement for Meaningful Use Stage 2 incentive payments is for providers to enable patients to access their own health data online. How the provider makes this data available is up to them. But people don't want to do it. And we can't make them.
CMS requires that 50% of all unique patients are provided online access to their health information. That part is, relatively speaking, easy. CMS also requires that more than 5% of patients actually access that data, and can be shown to have done so. That part, not so easy.
Not because we cannot measure how many patients access the data. But because the majority of patients do not like accessing their data over what many perceive as insecure channels.
A CMS survey of over 2000 patients reveals that almost 75% were ‘very or somewhat’ concerned about the privacy and security of their medical records. Being able to access data securely plays a pivotal role in patient perceptions and has put many off the idea completely. Also of concern, at least 10% of those respondents confirmed that they deliberately chose to withhold information from their primary healthcare providers, in an attempt to limit any fallout from a possible future data breach. These numbers mirror a 2013 Harvard study, though Harvard surveyed 1500 and found that 12% of respondents withheld information.
Weekly headlines in the news about the latest security breaches do nothing to allay patient unease and concerns about their online security. Although many providers are now meeting the first of the Stage 2 requirements by providing patients with sufficient access, this reluctance among their patients may mean that many will fall short of the 5% access requirement for Stage 2 incentive payments. 75% is a very large number of patients to persuade that they can indeed safely access their data.
As the saying goes, you can lead a horse to water but you can't make it drink.
The Medical Group Management Association (MGMA) annual conference takes place October 26-29 at the Las Vegas Convention Center (3150 Paradise Road, Las Vegas, NV 89109.)
The conference, theme title for this year "Always Forward", has over 100 sessions with daily keynotes focussed on success and growth. Workshops and seminars offer learning and networking opportunities to help practitioners step up to the next level of business and achievement. Full details available on the MGMA web site.
The co-pay portion of patient invoicing accounts for up to 30% of practice revenues per annum. For many reasons, some of those co-pays do not get paid for 30, 60, or even 90 days. Some are sold on to collection agencies at cents on the dollar, and some outstanding balances are eventually written off totally as bad debt. This is a cost of doing business which contributes to the next year's increase in premiums and charges. And so the cycle continues, year on year. Why?
When patients first present, they are concerned primarily for their specific health issues. Paying for treatment is often a secondary consideration, something they will worry about later. Also, insurance plans are complicated things and many really do not understand all those complexities. This is an issue perhaps compounded by the nature of their ailments (particularly in the fields of behavioral health and addiction treatment).
As such, it can come as some surprise when patients get their bill. It is not until they see the paperwork that they realise how much they personally owe, and only then that they realise they cannot afford to pay the piper.
Providers can help themselves, and help their patients, by taking on the challenge directly. By educating patients on their accountabilities up front, by advising them of available payment options, and by setting out clearly defined expectations early in treatment, providers can engage their patients pro-actively and get their informed and incentivized buy-in.
Getting that elephant out of the room early in proceedings, far from being mercenary or harsh, is actually a patient service which could be considered part of the treatment process. Removing the underlying, ongoing stress of 'I don't understand this. How am I ever going to pay for this...' is better for everybody, both financially and in terms of patient health: Stress is not good, as we know. The net result of elephant removal is that patients will be better prepared, more able and more willing to meet their co-pay requirements. Everybody wins.
Have practice staff look at the practice figures. Show them the losses. Seeing actual numbers will give them a stark understanding of the actualities of the business they work for, and engage everybody in actively working to resolve the issue. It's a really great team-builder.
Determine what payment options are acceptable to you. Work out schedules and details. Once you are happy, put that information into pamphlets which can be handed out to patients with their registration forms. Have staff on hand that can explain the pamphlets if required. Put it on your web site and your waiting room walls. The point is, there is nothing to hide here, so make the information widely available. Things cost money. People get that. This kind of open-information payment policy takes co-pay from being a dirty word to being any other issue which can be discussed openly with practice staff.
Take away the secrecy and the fear, and patients will work to meet their mutually agreed obligations. This in turn helps to reduce that 30% loss, perhaps allowing the practice to reinvest the reclaimed revenue into some much-needed resources or equipment. Again, everybody wins.
Announced on Friday November 1, the Centers for Medicare and Medicaid (CMS) final regulations for the Medicare Physician Fee Schedule contain changes which will take effect on January 1, 2015.
Those changes include an increase in coverage for wellness and behavioral health, one of which will permit physicians to invoice $40 per month for patients suffering more than one chronic condition, that they have not seen physically.
A notable amendment to the final rule sees CMS easing the EHR requirement for eligibility to now permit submissions from both 2011 AND 2014 certified EHR's. Either certification will be allowed when claiming chronic care management payments during the 2015 fiscal year. This is in response to some provider concerns about the overall interoperability of their current EHR system, which may not prove flexible enough to support chronic care management services effectively.
Also, the CMS rules address the Affordable Care Sunshine Act in several key ways, particularly exemptions. Payments associated with accredited continuing medical education are no longer exempt and must be declared. CMS advises that group purchasing organizations and affected manufacturers will now be required to report any compensation given to physician speakers at educational events, in the majority of cases. The stated intent is to clarify the indirect payments which must now be reported to CMS when medical education is underwritten by stakeholders.
In an open letter to the Centers for Medicare and Medicaid Services (CMS) dated October 21, 2014, the American Medical Association (AMA) expressed deep concerns for the future of senior healthcare, should the current legislative situation remain unchanged. The AMA fears that extensive cuts could see reimbursements to physicians drop by 13 percent by the end of this decade, with devastating results.
The letter states in part that, "These massive cuts threaten to destabilize physician practices and put the care of our nation's seniors at risk. They include a number of overlapping and often conflicting patchwork of laws and regulations such as the Meaningful Use program (MU), the Physician Quality Reporting System (PQRS), the Value-based Modifier Program (VBM) and the sequester. These cuts would pile on top of the potential 21 percent reduction that physicians could face if the flawed Sustainable Growth Rate (SGR) formula is not permanently repealed and replaced."
The AMA recommends that overlapping processes be streamlined, so providers will report data only once, rather than multiple times. This would have beneficial effects in many areas, releasing physician resources as well as governmental. American Medical Association President Robert M. Wah says, "These complicated overlapping requirements make it difficult for physicians to invest in health information technology and payment and delivery reforms that are believed necessary to improve care for patients. Government leaders should take the necessary steps to eliminate this regulatory nightmare and ensure America's seniors can continue to receive the high quality care they deserve." Wah goes on to say, "If physicians meet the protocol and standards for one quality program, they should be deemed successful for all."
The AMA offers the CMS some specific recommendations on how best to address MU, PQRS and BM issues. These recommendations can be found in the letter itself, available in entirety on the AMA web site