This has been quite the month for health IT policy wonks. On the 14th, the HHS published both its final rule for the Quality Payment Program, which implements the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), and a final rule on the Office of the National Coordinator for Health IT (ONC) certification program on enhanced oversight and accountability. While the two rules will have wide-ranging effects throughout healthcare, Healthcare Dive will focus here on implications for health IT.
Reduced reporting requirements and fewer health IT measures
MACRA combines the Physician Quality Reporting System, the Physician Value-based Payment Modifier, and the Meaningful Use (MU) EHR Incentive Program into the Merit-based Incentive Program System (MIPS) to streamline reporting. Additionally, the final rule offers a “pick-your-pace” reporting approach. CMS, the HHS agency that released the MACRA final rule, hopes this approach helps providers avoid downward payment adjustments in 2017 under the new payment model.
MIPS addresses reporting measures included in MU in the Advancing Care Information (ACI) category. While MU required reporting on 18 health IT measures, the proposed MACRA implementation rule included 11 health IT measures. Listening to stakeholders' comments, CMS reduced the measures in the final rule to five:
- Security risk analysis – Conduct or review a security risk analysis that addresses security of electronic patient health information (PHI) and implements security updates to identify risks;
- E-prescribing – Electronically query for and transmit at least one prescription;
- Provide patient access – Provide patients with timely access to electronically view, download and transmit health information, or offer access in an application of their choice;
- Send summary of care – Electronically create a summary of care and exchange summary of care to another provider when patients transition to another care setting; and
- Receive summary of care – Electronically receive a summary of care record when a patient is transitioning from another care setting and incorporate it into the EHR.
ACI measures will account for 25% of the MIPS composite score. Providers will receive the maximum score in the ACI category if they score 100 points or more. A base score of 50 points will be awarded for successfully reporting on all five required measures, while up to 90 points will be awarded based on performance against other providers and up to 15 points will be awarded for successfully reporting on bonus measures.
Expect more oversight from ONC and CMS
Final rules for both MACRA and the Health IT Certification Program imply a larger role in health IT oversight for both ONC and CMS. Additional oversight afforded to the federal agencies seems to target the electronic exchange of PHI.
MACRA will require providers participating in MIPS to attest they have not acted to limit health information exchange and to report information blocking if they suspect it. Meanwhile, the Health IT Certification Program will allow ONC to conduct in-the-field health IT assessments, or direct reviews, and to exercise more control over ONC-authorized testing labs.
Specific details on an ONC direct review process haven’t been released, but it will allow ONC to revoke certification. The agency insists the purpose of direct review is to address problems with health IT vendors, not to decertify products. In an October 14 Health IT Buzz post, Elise Anthony, director of policy for the ONC, wrote that the process would focus on the real-world application of health IT products and on developing corrective action plans with vendors.
Language in the MACRA implementation final rule echoed that sentiment: “The purpose of in-the-field surveillance is to provide greater assurance that health IT meets certification requirements not only in a controlled testing environment, but also when used by health care providers in actual production environments.” The QPP final rule also indicated CMS and ONC would take all steps possible to limit the burden of direct review for providers.
Health IT takeaways from new regulations
Provisions of MACRA and the Health IT Certification Program seem to reflect broader goals presented in the Department of Health and Human Services Open Government Plan and the ONC Interoperability Roadmap. These goals largely seem to focus on security of digital information, interoperability and patient engagement. For instance, ACI reporting measures remaining in the MACRA final rule focus strongly on security of electronic PHI, exchange of electronic PHI among providers, and expanding patient access to electronic PHI.
Similarly, provisions of the final rules expanding ONC and CMS oversight seem directed toward health IT vendors and providers that are intentionally limiting information exchange. CMS defended an expanded oversight role for ONC by pointing to an April 2015 ONC report to Congress, which determined that some health IT vendors and providers were guilty of intentionally limiting information exchange.
Reactions to the expanded oversight role for ONC have been somewhat mixed in the industry, even before the final rule dropped. However, in an October 18 statement, the American Medical Association came out in favor of direct review. One respondent to the MACRA proposed rule noted that expanded oversight and the information blocking attestation requirement would help small practices and solo practitioners to compete with larger provider organizations that might engage in predatory information sharing practices.
CMS has been the subject of at least some criticism for failing to allow virtual groups in 2017. In an October 17 letter, Health IT Now urged CMS to begin implementing virtual groups as soon as possible, stating, “Providers with limited direct patient interaction, providers in rural areas, and those who are not able to report on full sets of measures might benefit from this technology-supported reporting option.”
Looking at recent regulations solely through a health IT lens does not provide a complete picture. Taking some words from Beth Israel Deaconess Medical Center CIO Dr. John Halamka, providers should consider health IT reporting measures as part of a larger program to reward providers for improving quality. “Think of the (MIPS) as the beginning of a journey. Some of it will work and some of it will not,” he wrote.