Skip to content

Knowledge Center

Episode 178: Pitfalls But Promise. The State of Healthcare Cybersecurity with Scott Mattila, COO & Chief Security Officer, Intraprise Health

December 16, 2021

Written by Robert Tennant, Vice President Federal Affairs

The Fall 2021 Unified Agenda is a document released by the federal government outlining, by department and agency, future regulatory action. While the government is not bound by this document, and regulations can be released that were not included in the Unified Agenda, it does give us a good sense of what we can expect to be released in 2022. Here are some of the HIT highlights from the Unified Agenda.

In the area of administrative simplification, Centers for Medicare & Medicaid Services (CMS) lists several regulations in the pipeline. These include:

Interoperability and Prior Authorization for MA Organizations, Medicaid and CHIP Managed Care and State Agencies, FFE QHP Issuers, MIPS Eligible Clinicians, Eligible Hospitals and CAHs (CMS-0057). This rule was proposed and finalized late in the previous Administration’s term. The current Administration is releasing this as a proposed rule and has apparently broadened the applicability to include Medicare Advantage (MA) organizations. The proposed rule will require MA organizations, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities, state Medicaid and CHIP fee-for-service (FFS) programs, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs) to improve the electronic exchange of health care data and streamline processes related to prior authorization, continue CMS’ drive toward interoperability, and reduce burden in the health care market. This proposed rule would also add a new measure for eligible hospitals and critical access hospitals under the Medicare Promoting Interoperability Program and for Merit-based Incentive Payment System (MIPS) eligible clinicians under the Promoting Interoperability performance category of MIPS. Read WEDI’s comments on the original proposed rule here.

Adoption of Standards for Health Care Attachment Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Standard. This rule proposes new standards to support both health care claims and prior authorization transactions, and standards for electronic signatures to be used in conjunction with health care attachments transactions. This rule also proposes to adopt a modification to the standard for the referral certification and authorization transaction.

Modifications to the National Council for Prescription Drug Programs (NCPDP) Retail Pharmacy Standards. This proposed rule seeks to modify the currently adopted NCPDP standards to the Telecommunications Standard Implementation Guide Version F6; Batch Standard Implementation Guide version 15; and Batch Standard Subrogation Implementation Guide version 10.

 

The Office of the National Coordinator for Health Information Technology (ONC) has two listings in the Unified Agenda that could impact WEDI members, including:

Health IT Certification Program Updates, Health Information Network Attestation Process for the Trusted Exchange Framework and Common Agreement, and Enhancements to Support Information Sharing. This rulemaking implements certain provisions of the 21st Century Cures Act (Cures Act), including:

    • The Electronic Health Record Reporting Program condition and maintenance of certification requirements under the ONC Health IT Certification Program
    • A process for health information networks that voluntarily adopt the Trusted Exchange Framework and Common Agreement to attest to such adoption of the framework and agreement
    • Enhancements to support information sharing under the information blocking regulations.

The rulemaking would also include proposals for new standards and certification criteria under the Certification Program related to real-time benefit tools and electronic prior authorization and potentially other revisions to the Certification Program. Read WEDI’s comments on the TFECA program here.

Request for Information Regarding Electronic Prior Authorization in the ONC Health IT Certification Program. This request for information (RFI) will seek input from the public regarding support for electronic prior authorization processes. The agency is soliciting comments on how the ONC Health IT Certification Program could incorporate standards and certification criteria related to electronic prior authorization.

 

The Office of the Inspector General (OIG) has one listing in the Unified Agenda.

Amendments to Civil Monetary Penalty Law Regarding Grants, Contracts, and Information Blocking. This would be a final regulation addressing three issues.

    1. The Cures Act provision that authorizes HHS to impose civil monetary penalties (CMPs), assessments, and exclusions upon individuals and entities that engage in fraud and other misconduct related to HHS grants, contracts, and other agreements.
    2. The Cures Act information blocking provisions that authorize OIG to investigate claims of information blocking and provide HHS the authority to impose CMPs for information blocking.
    3. The Bipartisan Budget Act of 2018 increases in penalty amounts in the Civil Monetary Penalties Law.

 

The Unified Agenda includes three rule listings for The Office for Civil Rights (OCR). These include:

Request for Information on Sharing Civil Money Penalties or Monetary Settlements with Harmed Individuals, and Recognized Security Practices Under HITECH. This RFI would solicit the public's views on establishing a methodology for the distribution of CMPs and monetary settlements to those harmed by an offense under the HIPAA Rules relating to privacy or security. The RFI also would seek comment on ways to implement in regulation the requirement for OCR to consider certain recognized security practices of covered entities and business associates when making certain HIPAA enforcement determinations.

Confidentiality of Substance Use Disorder Patient Records. This rulemaking, to be issued in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), would implement provisions of section 3221 of the 2020 Coronavirus Aid, Relief, & Economic Security Act (CARES Act). Section 3221 amended 42 U.S.C. 290dd-2 to better harmonize the 42 CFR part 2 (part 2) confidentiality requirements with certain permissions and requirements of the HIPAA Rules and the HITECH Act. This rulemaking also would implement the requirement in section 3221 of the CARES Act to modify the HIPAA Privacy Rule Notice of Privacy Practices provisions so that HIPAA covered entities and part 2 programs provide notice to individuals regarding part 2 records, including patients’ rights and uses and disclosures permitted or required without authorization.

Changes to Support, and Remove Barriers to, Coordinated Care and Individual Engagement. According to the agency, this rule will modify provisions of the HIPAA Privacy Rule to strengthen individuals’ rights to access their own protected health information, including electronic information; improve information sharing for care coordination and case management for individuals; facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhance flexibilities for disclosures in emergency or threatening circumstances; and reduce administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests. Read WEDI’s response to the proposed rule here.

WEDI will alert members when any of these or other HIT regulatory actions are taken by CMS, ONC, OIG, OCR or other federal agencies and we will provide comprehensive education on the HIT issues that matter to you and your organization.

Scroll To Top