‘WannaCry’— Actions Your Healthcare IT Professional Wants You to Take Now


Thousands of computers across the globe were “held hostage” during the recent WannaCry ransomware attacks that encrypted files on Microsoft Windows operating systems that had not been either patched or upgraded.  The dust has now settled, and what we have learned from those attacks is that they could have been prevented.

As a former hospital CIO, I am prepared to share ideas for how you can best protect your operations and the private, personal data of the patients in your care.

What exactly happened and why it matters

The perpetrators behind the WannaCry attack employed ransomware using what is known as an RSA 2048-bit cipher to encrypt files.  (A 128-bit cipher is considered secure to the point of being theoretically impenetrable by brute force—a typical bank uses 256-bit encryption technology.)  The attackers then required “ransom” in the form of a bitcoin payment, which if not made immediately, increased incrementally over the time that elapsed until payment was made.

The attack was significant because it exploited known vulnerabilities in the system and software—in other words, it wasn’t a “zero-day attack.”   And for that reason, there is no good justification as to why this shouldn’t have been prevented—this attack targeted the known weakness in the Windows XP operating system.

The impact was less severe here in the U.S. than in Europe. That said, it’s still a major concern for healthcare professionals, primarily because it is another successful attack against old hardware, unpatched software, and operating systems. As providers and guardians of patients and their protected personal data, we must prioritize and avoid the “it will happen to the other guys, not me” mentality and quit tempting fate.

There are too many physician practices; small, medium, and large hospitals; academic medical centers; expansive integrated healthcare systems; and other healthcare partners who have yet to completely upgrade their Windows desktop environment to a supported operating system.  How many Windows XP machines, or just outdated machines, are sitting on your network right now?  Each and every one adds risk.  To effectively safeguard operations and patient data against attack, the nonchalance must stop.

Actions to take right now

  1. Scrap the old. Put pressure on vendors to move products from old to new operating systems.  This often is easier said than done for individuals in an immense industry, but there are steps that can protect operations and mitigate the risk of a perilous attack.  These go far beyond simply installing those patches regularly and emergency patches expediently.  If need be, get management involved in taking actionable steps to proactively set that tone.
  2. It’s time for a risk assessment and analysis. This will identify security gaps and provide detailed actionable steps to mitigate risk and align priorities. The key point is making sure one doesn’t blindly walk through the documentation. One recommendation is to consult the National Institute of Standards and Technology (NIST) Special Publication 800-30, commonly called NIST SP 800-30. Starting with NIST, then applying the SANS Institute’s Top 20 Critical Security Controls for Effective Cyber Defense, is the best way to conduct the risk assessment and analysis. One can even do this internally or enlist the aid of an IT professional if additional assistance is required. The key is making sure your expert has experience in healthcare (i.e., don’t go to the local drive-thru burger joint for a seafood dinner).


Taking a Closer Look at the MIPS Improvement Activities Component

While the Quality and Advancing Care Information components account for more significant percentages of a provider’s overall Merit-Based Incentive Payment Systems (MIPS) score (60% and 25%, respectively), one also needs to focus on the work required under the Clinical Practice Improvement Activities component, which comprises 15% of the MIPS score. The Centers for Medicare & Medicaid Services (CMS) recently published an Improvement Activities Fact Sheet detailing the requirements for this MIPS component.

For 2017, there are 92 activities across eight categories from which a provider may select.  The eight categories include: (1) achieving health equity, (2) behavioral and mental health, (3) beneficiary engagement, (4) care coordination, (5) emergency response and preparedness, (6) expanded practice access, (7) patient safety and practice assessment, and (8) population management.  A provider is not required to select activities from a specific category; instead, a provider should pursue those activities most relevant to his or her practice.

There are a possible 40 points available under the Improvement Activities component.  Each activity is assigned a rating of “medium” (78 activities) or “high” (14 activities).  Medium-rated activities are worth 10 points, while the high-rated activities are worth 20 points.  There is no “partial” credit; a provider will receive the full 10 or 20 points for those activities to which he or she attests to having performed.

The manner in which a provider may earn full credit under this component in 2017 varies:

  1. Providers who do not meet the criteria specified in items 2 to 5 will need to attest that they completed up to 4 improvement activities (40 points) for a minimum of 90 days during calendar year 2017.
  2. Groups with fewer than 15 participants and providers practicing in a rural or health professional shortage area will need to attest to completion of up to 2 activities for a minimum of 90 days during 2017. (The point value for each activity is doubled for these providers.)
  3. Providers practicing in certified patient-centered medical homes, comparable specialty practices, or an alternative payment model (APM) designated as a Medical Home Model (e.g., Comprehensive Primary Care Plus) will automatically earn full credit. For multi-practice groups, if only one practice within the group meets this criterion, the entire group still will receive full credit.
  4. Providers participating in a Medicare Shared Savings Program Track 1 ACO or in the Oncology Care Model (one-sided only) will automatically earn full credit under the APM scoring standard.
  5. Providers participating in other APMs will automatically earn half credit and may report additional activities to increase their scores.


New Mandatory Episodic Payment Models: Slight Delay, But Not Going Away

During the last weeks of the Obama administration—on January 3, 2017—the Centers for Medicare & Medicaid Services published a final rule implementing new mandatory episodic payment models (the “EPM Rule”) to take effect July 1, 2017. These models include the following:

Acute Myocardial Infarction (AMI) Model: Acute care hospitals in 98 selected metropolitan statistical areas (MSAs) will participate in retrospective episode-based payments for items and services that are related to AMI, beginning with a hospitalization and extending for 90 days following hospital discharge.

Coronary Artery Bypass Graft (CABG) Model:  The same hospitals participating in the AMI Model also will participate in retrospective episode-based payments for CABG surgeries.

Surgical Hip and Femur Fracture Treatment (SHFFT) Model:  Hospitals in the 67 selected MSAs that are part of the Comprehensive Care for Joint Replacement Program also will participate in retrospective episode-based payments for items and services related to surgeries for hip and femur fractures.

Cardiac Rehabilitation Incentive Payment Model:  Under this program, to be implemented in 90 selected MSAs (45 of which will also participate in the AMI and CABG Models), hospitals will receive retrospective incentive payments for beneficiary utilization of cardiac rehabilitation/intensive cardiac rehabilitation services for the first 90 days following an AMI or CABG episode of care.

At the time, some speculated these new programs would be dismantled by the Trump administration, given that the incoming Secretary of Health and Human Services, Dr. Tom Price, had been critical of such “mandatory innovation.”

On March 21, 2017, CMS published a notice delaying the EPM Rule’s effective date to October 1, 2017.  CMS also solicited comments as to whether the effective date should be further delayed to January 1, 2018.

Two months later, on May 19, CMS now has announced the EPM Rule will take effect January 1, 2018.  CMS agreed with numerous comments stating that hospitals “need time to evaluate the final model provisions, to develop specific EPM care plans, and to update health information technology, quality metrics, patient and family education, care management and discharge planning.”

Other commenters asked the agency to withdraw the EPM Rule or delay its effective date indefinitely.  In response, CMS made clear its intent to move forward with these new alternative payment models, stating:

We also note that we disagree with commenters who suggested that CMS withdraw these models altogether and/or delay them indefinitely. As we stated in the January 3, 2017, EPM final rule, we believe these models will further our goals of improving the efficiency and quality of care for Medicare beneficiaries receiving care for these common clinical conditions and procedures.

This crystal-clear statement should lay to rest any notion that the Trump administration intends to reverse or even slow the pace of change in Medicare payment policy.  Instead, the new leadership team is committed to pursuing the Triple Aim through payment models that incentivize improved quality and greater efficiency.

For providers in those MSAs in which these models will operate, now is the time to study the models’ details and commence work on re-designing these episodes of care.  Other providers should prepare for the eventual expansion of these and other episodic payment models, seeking opportunities with their own employee health plans, other employers, and other commercial payers.

May 31 Deadline for 2018 Medicare Shared Savings Program

An organization interested in participating in the Medicare Shared Savings Program (MSSP) as an accountable care organization (ACO) must file a non-binding Notice of Intent to Apply (NOIA) by 12 Noon EDT on Wednesday, May 31, 2017. Only those organizations that file a NOIA will be permitted to file an MSSP application, which will be due by 12 Noon EDT on Monday, July 31, 2017.

The NOIA must be submitted electronically.  Detailed instructions are available in the Centers for Medicare & Medicaid (CMS) NOIA Guidance Document.  Keep in mind the NOIA is non-binding; there is no prejudice to an organization that submits an NOI, but later elects not to file an MSSP application.  Nor is there any prejudice to an organization that files an MSSP application, but later elects not to sign a Participation Agreement.

Since the program’s inception in 2012, the number of MSSP ACOs has grown by approximately 100 each year.  We anticipate a bumper crop of MSSP ACOs this year, as the program has gone from cutting edge to mainstream.  Also, with 2017 as the first performance year under the new Merit-Based Incentive Payment System (MIPS), physicians now are seeing the advantages of MSSP participation vis-à-vis MIPS.

A physician participating in a Track 1 MSSP ACO (no downside risk) will not be required to report separately on the MIPS quality and improvement activities components.  Instead, CMS will convert the ACO’s overall performance into a MIPS composite score for participating physicians.  For a much more detailed explanation, please see our earlier blog post on the APM Scoring Standard.  A physician participating in a Track 1+, Track 2, or Track 3 MSSP ACO (each of which involves some downside risk) will be exempt from MIPS, and instead will receive a 5% bonus payment on Medicare Physician Fee Schedule Payments.

PYA has assisted numerous now-successful MSSP ACOs in evaluating the opportunity, filing the NOIA, preparing and submitting an MSSP application, and establishing ongoing operations.  For more information, contact Martie Ross or David McMillan, (800) 270-9629.

Am I Included in MIPS? New On-Line Lookup Tool

The lookup tool is available on the Quality Payment Program website. To use it, an individual provider need only enter his or her 10-digit NPI. The lookup tool then generates a personalized report for the provider, stating whether he or she is excluded from MIPS under the low-volume threshold.

Specifically, the report lists each TIN under which the provider bills for Part B services.  Then, for each TIN, the report states whether the provider would meet the low-volume threshold if: (1) he or she elects to report individually; or (2) the TIN reports as a group.  In the case of the latter, the provider will be subject to MIPS, even if he or she would be excluded if reporting individually.

Keep in mind these MIPS reports are based on the first review period only.  If a provider is exempt from MIPS for the first review, he or she will not need to do anything else related to MIPS reporting for this calendar year.  If a provider is included in MIPS with the first review, he or she may be exempt with the second review of eligibility determinations at the end of 2017.

The lookup tool does not report a provider’s status with regard to the two other MIPS exceptions: (1) first-year participation in the Medicare program; and (2) participation in an Advanced Alternative Payment Model (APM).

According to news reports, 418,849 physicians and non-physician practitioners will be included in MIPS in 2017, and thus will be required to report performance data to avoid a 4% penalty on their 2019 Medicare Physician Fee Schedule payments.  Another 806,879 physicians and non-physician practitioners will be exempt from MIPS requirements.

In publishing the MIPS final rule last fall, CMS stated the low-volume threshold will be less generous in future years, meaning more physicians will be subject to MIPS.  We should know the numbers for next year soon, as CMS forwarded a proposed rule on 2018 MIPS updates to the Office of Management and Budget in late March, the last step prior to publication in the Federal Register.

Watch Your Mailbox! MIPS Participation Letters Coming Soon!

In early May, each practice enrolled in Medicare Part B (identified by its Taxpayer Identification Number, or TIN) will receive from its Medicare Administrative Contractor a letter regarding the Merit-Based Incentive Payment System (MIPS) participation status of the TIN and each physician and non-physician practitioner who bills under that TIN (identified by National Provider Identifier, or NPI). A recently released sample MIPS Participation Letter (including its two attachments) is available here.

The MIPS Participation Letters give each TIN a “heads up” regarding whether the TIN and/or each of the NPIs billing under the TIN qualify for the MIPS low-volume exception for performance year 2017 based on claims data from September 1, 2015, to August 31, 2016.  Note that an individual physician will not receive a separate letter—only the TIN under which he or she bills for Medicare Part B services will.

Included with each letter is an attachment stating whether the TIN meets the low-volume threshold, i.e., $30,000 or less in Medicare Part B allowable charges, or claims billed under the TIN for 100 or fewer Medicare Part B beneficiaries.  In this case, all NPIs billing under the TIN are excused from MIPS reporting requirements.

If the TIN exceeds the threshold, the attachment lists each NPI billing under the TIN that meets the threshold.  If the NPIs billing under the TIN elect to report on MIPS measures individually, those NPIs that meet the low-volume threshold are excused from reporting.

If, however, the TIN elects to report as a group, the low-volume NPIs’ data will be included in that reporting, and those physicians and non-physician practitioners will receive an individual MIPS score (albeit the same score as other NPIs billing under that TIN).  Keep in mind CMS will calculate a MIPS score for each NPI/TIN combination, and thus an NPI still may have to report under another TIN even if the NPI meets the low-volume threshold under one TIN.

The low-volume exception is not the only way in which a physician or non-physician practitioner may avoid MIPS reporting; the newly enrolled provider and Advanced APM exceptions also may apply.  While the MIPS Participation Letter discusses these exceptions, it does not report whether an NPI qualifies for either exception.

For more information on MIPS readiness, contact Martie Ross (mross@pyapc.com) or Lori Foley (lfoley@pyapc.com).  Both can be reached at (800) 270-9629.


MIPS Reporting: Getting Off on the Right Foot

A physician who did not report performance on quality measures to the Physician Quality Reporting System (PQRS) for 2015 now faces a 6% penalty on all Medicare Part B payments.  The same penalty will apply in 2018 for physicians who do not report performance for 2016.

In addition to PQRS penalties, a 3% penalty now is assessed against physicians who did not attest to meaningful use (MU) of an electronic health record (EHR) for 2015.   Again, the 3% MU penalty will apply in 2018 for physicians who did not attest for 2016.

For 2017, new reporting requirements under the Merit-Based Incentive Payment System (MIPS) will take the place of PQRS reporting and MU attestation.  If a physician elects not to report any data under MIPS for 2017, he or she will be subject to a 4% penalty on all Medicare Part B payments in 2019.

For a physician who will be subject to the maximum 9% penalty in 2018 for failure to both report performance to PQRS and attest to MU for 2016, MIPS will mean a 5% increase in Medicare Part B payments in 2019, assuming the physician does not report under MIPS for 2017.

By submitting only a minimum amount of 2017 performance data to CMS, however, a physician can avoid the 4% MIPS penalty in 2019.  To assist physicians in transitioning to MIPS, the Centers for Medicare & Medicaid Services (CMS) created the “Pick Your Pace” program for 2017.  A physician (either individually or as part of a group) can avoid the 4% penalty in 2019 simply by submitting data relating to a single quality measure or attesting to performing a single clinical practice improvement activity.

Option 1:  Report on One Quality Measure

To successfully report on a quality measure for 2017, a physician must report data for a continuous 90-day period for a minimum of 20 patients that must comprise at least 50% of the denominator-eligible patients.  For example, if a physician were to elect to report on the quality measure for controlling high blood pressure, he or she would report the percentage of patients, age 18-85 with a diagnosis of hypertension, whose blood pressure is controlled during the measurement period.

Specifically, the denominator would include patients, 18-85 years of age with a diagnosis of hypertension, seen by the physician (or, in the case of group reporting, by the group as a whole) within the selected 90-day performance period.  The numerator would be those patients whose systolic blood pressure < 140 mmHg and diastolic blood pressure < 90 mmHg at the most recent visit during that period.  Again, to be reportable, the denominator must include at least 20 patients representing at least one-half of the hypertensive adults seen during the performance period.

A complete list of the 271 approved MIPS quality measures (including the definition of the denominator and numerator for each measure) is available on the Quality Payment Program website. The QPP website also provides information about the different ways in which a physician or group can report on the measures (e.g., claims, EHR, registry) and the applicable benchmarks for each measure.

The Intersection of MIPS and MSSP: How the APM Scoring Standard Works

Previously, we highlighted several advantages of participating in the Medicare Shared Savings Program (MSSP) as an accountable care organization (ACO).  Our list included the more favorable manner in which a physician’s score is calculated under the Merit-Based Incentive Payment System (MIPS) if he or she is part of a Track 1 (no downside risk) MSSP ACO.

Although such an ACO does not qualify as an Advanced Alternative Payment Model under the new Medicare Quality Payment Program, and thus does not exempt its participating physicians from MIPS, these physicians are excused from many of the MIPS reporting requirements.  Instead, CMS will apply the APM Scoring Standard, using the ACO’s scores on the MSSP performance measures to calculate their MIPS scores.

As seems to be the case with all things MIPS, the regulations regarding the APM Scoring Standard can be challenging.  We have prepared the following summary to help providers understand this new benefit of participating in a Track 1 MSSP ACO.

  1. Background
  • MIPS scores are assigned at the TIN/NPI level. If an Eligible Clinician (i.e., a physician or non-physician practitioner who is subject to MIPS) bills for services under multiple TINs, he or she will receive a separate MIPS score for each TIN.
  • For purposes of the MSSP, an “ACO Participant” is a Medicare-enrolled healthcare provider identified by its TIN (or, in the case of a solo practitioner, his or her NPI) that has signed a Participant Agreement with an MSSP ACO.
  • Each ACO Participant is responsible for informing the ACO of any additions or deletions to the list of physicians and non-physician practitioners for whom the ACO Participant bills Medicare Part B services under its TIN. The ACO uses this information to regularly update its ACO Provider/Supplier List with CMS.
  • If an Eligible Clinician’s name appears on the ACO’s Provider/Supplier List as of March 31, June 30, or August 31 of a performance year, CMS will calculate that Eligible Clinician’s MIPS score for that performance year for services billed under the TIN of the ACO Participant using the APM Scoring Standard.
  • All Eligible Clinicians whose names appear on the ACO’s Provider/Supplier List on one of the three aforementioned dates in 2017 will receive the same MIPS score, and will be subject to the same payment adjustment in 2019 with regard to services furnished under an ACO Participant’s TIN. Stated another way, the MIPS score is calculated at the ACO level.  An Eligible Clinician cannot elect to report individually, nor can an ACO Participant report as a group to earn a higher score.
  • If an Eligible Clinician also bills for services under another TIN that is not an ACO Participant, the MIPS score for that TIN/NPI will be calculated in the usual manner.


What to Expect from Telehealth in 2017

With the rise of consumerism in healthcare, and with providers and payers seeking greater efficiency, the age of telehealth now is dawning. Market analysts project the telehealth market will grow from $2.78 billion in 2016 to $9.35 billion in 2021–more than a 333% increase over five years.

The term “telehealth” refers to the provision of health-related services using telecommunication technologies rather than face-to-face provider-patient interaction.  Generally speaking, there are four categories of telehealth services:

(1) Video conferencing utilizes two-way interactive audio-video technology to connect a provider and a patient when real-time interaction is necessary.

(2) Store-and-forward technologies allow for the secure electronic transmission of clinical data in the form of digital images or documents.

(3) Remote patient monitoring uses digital technologies to collect health data (e.g., a patient’s blood pressure or insulin level) from an individual in one location, and electronically transmit that information securely to a healthcare provider in a different location for assessment and recommendations.

(4) Mobile health–commonly referred to as mHealth–involves the provision of healthcare services and personal health data via mobile devices.

There are four key trends that will drive the growth of telehealth in 2017 and beyond:

(1) Shifting consumer attitudes

(2) Growing specialty service offerings

(3) New incentives for care management services

(4) Expanded telehealth reimbursement

Participating in the Medicare Shared Savings Program: When and Why

Once a year, the Centers for Medicare & Medicaid Services (CMS) accepts applications for participation in the Medicare Shared Savings Program (MSSP).  On March 22, CMS announced the deadlines for the 2018 application cycle.

An organization interested in participating in the MSSP as an accountable care organization (ACO) effective January 1, 2018, must file a non-binding notice of intent (NOI) by 12 noon EDT Wednesday, May 31.  Only those organizations that file an NOI will be permitted to file an MSSP application, which will be due by 12 noon EDT Monday, July 31.  Applicants then will have until 12 noon EDT Wednesday, August 30 to submit their final ACO participant lists.

The NOI must be submitted electronically. Detailed instructions soon will be available on the CMS MSSP website. However, one can now review the instructions from the 2017 application cycle to become familiar with the process CMS previously used.

Keep in mind the NOI is non-binding; there is no prejudice toward an organization that submits an NOI, but later elects not to file an MSSP application.  Nor is there any prejudice toward an organization that files an MSSP application, but later elects not to sign a Participation Agreement.

Since the program’s inception in 2012, the number of MSSP ACOs has grown by approximately 100 each year. Today, 480 organizations across the nation are part of the program, serving over 9 million Medicare beneficiaries. Once considered a “bleeding edge” strategy, the formation and operation of ACOs has become mainstream.

We anticipate a bumper crop of MSSP ACOs this year, as we are seeing many organizations that previously passed up participation now taking a close second look at the opportunity. Here are a dozen reasons for organizations that have been sitting on the fence to consider jumping into the MSSP arena as Track 1 ACOs: