Government updates: GAO scores HHS on cybersecurity issues; patient issues largely omitted from EHR notes in VA study

The Government Accountability Office’s (GAO) latest report remains critical of HHS’ leadership on cybersecurity issues. Using the immense Change Healthcare data breach as a glaring example, the report, released 13 November, outlines HHS’s continued ‘challenges’ in ensuring that, among Federal agencies, it takes the lead in strengthening cybersecurity in the healthcare sector. For instance, HHS coordinates with the Cybersecurity and Infrastructure Security Agency (CISA), which is the national coordinating agency for critical infrastructure security and resilience. Where HHS comes up short (again) against GAO’s prior reports and recommendations is:

  • Weakness in tracking how healthcare organizations are effectively mitigating ransomware 
  • Not yet assessing how healthcare organizations are adopting the ransomware-specific practices outlined in the NIST (National Institute of Standards and Technology) cybersecurity framework centered on identify, detect, protect, respond, and recover.
  • Inability to document the effectiveness of support HHS provides to healthcare organizations, such as guidance documents, training, job aids, and threat briefings to help the sector manage ransomware risks.   
  • Not conducting a comprehensive sector-wide cybersecurity risk assessment addressing IoT (Internet of Things) and OT (operational technology) devices and systems common in healthcare.
  • Using its Administration for Strategic Preparedness and Response (ASPR) to fully and consistently monitor its working groups supporting the healthcare sector on progress against goals, responsibilities, and collaboration.
  • The Centers for Medicare and Medicaid Services (CMS) has had requirements since 2020 with parameters that conflicted with those established by other federal agencies that share data with states, such as the Social Security Administration.
  • CMS has policies to assess states’ cybersecurity but does not coordinate with other federal agencies on the assessments.

GAO’s latest report recommended that:

  • HHS, in coordination with CISA and sector entities, determines the sector’s adoption of leading cybersecurity practices that help reduce ransomware risk.
  • HHS, in coordination with CISA and sector entities, develops evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk.
  • HHS includes IoT and OT devices as part of the risk assessments of the sector’s cyber environment.
  • ASPR takes action to fully and consistently demonstrate leading collaboration practices.
  • CMS 1) solicits input from relevant federal agencies on revisions to its security policy to ensure consistency across cybersecurity requirements for state agencies, and 2) revises its assessment policies to maximize coordination with other federal agencies.

Highlights and full report 

EHR notes also come up short when it comes to issues brought up by patients–and include information outside the clinician-patient transcript. This observational study from the Regenstrief Institute by two Indiana University medical researchers at the VA found multiple discrepancies in EHR notes that are supposed to recap the actual conversation between patient and clinician during a primary care appointment versus the actual transcript. It took place at four primary care clinics at a midwestern Veterans Affairs (VA) Medical Center and one associated VA community-based outpatient clinic, all using the current VistA EHR. Video and audio recordings were used to create transcripts that were compared with the EHR notes.

The discrepancies were bi-directional. According to the study, “fewer than half of issues that patients initiated in discussion were included in notes, and nearly half of notes referred to information or observations that could not be verified.” What was recorded also differed depending on who brought up the issue. For instance, psychosocial issues were common in patient-clinician discussions. “The researchers found that when the clinician initiated discussion about these issues, 92 percent of notes in the EHR included them, but when the patient initiated discussion, only 45 percent did.”

There were also gaps in quality that were questioned in the study:

  • 8% of notes lacked an assessment and plan. Were some assessments truly incomplete, and some important plans actually skipped?
  • 18% of notes were missing follow-up plans. Were some follow-up plans never arranged?
  • 26% lacked reports of diagnostic test results. Were such results simply absent or unimportant, or were important findings unavailable, difficult to access, or overlooked?

“We recognize that certain variations in EHR documentation stem from authors’ preferences or styles about how to organize or structure notes. At the same time, notes should not lack critical elements.” Reasons for omissions could include “lack of recognition of the significance of a problem by clinicians, forgetfulness while writing notes, insufficient time to complete records accurately and thoroughly; belief that the issue had already been addressed; or prioritization of other concerns.”

Drs. Michael Weiner and Richard Frankel both research various aspects of health information technology to improve patient outcomes and doctor-patient communication. They are affiliated with the US Department of Veterans Affairs Health Services Research and Development Center for Health Information and Communication, and are professors of medicine at Indiana University’s medical school. Regenstrief Institute article 12 Nov, BMC Primary Care published study 18 July 2024

Telehealth extensions signed into US law with Federal FY 2023 omnibus bill

Jammed into the final moments of the now-ended 117th Congress before Christmas was the passage of the FY2023 ‘omnibus’ $1.7 trillion Federal budget bill. This bill did at least several good things for those of us concerned with US telehealth, as it extended provisions for Medicare reimbursement that become guidelines for commercial health plans and help to cement telehealth as a permanent part of health care delivery. There is also a tax provision that affects high-deductible health plans. 

Their passage is important as the Covid-19 Public Health Emergency (PHE) is set to expire on 11 January and no movement has been publicly discerned for its renewal. In the fall, the Department of Health and Human Services (HHS) notified US state governors that there would be at least a 60-day notice before the PHE ends. It is unknown whether this notice has been given.

To summarize the two-year extensions that go to the end of 2024:

  • Expanding originating and geographic site to include anywhere the patient is located, including the patient’s home
  • Expanding eligible practitioners qualified to furnish telehealth services, including occupational therapists, physical therapists, speech-language pathologists, and audiologists
  • Extending the ability for federally qualified health centers (FQHCs) and rural health clinics (RHCs) to furnish telehealth services
  • Delaying the in-person requirement for mental health services furnished through telehealth, including the in-person requirements for FQHCs and RHCs
  • Extending coverage and payment for audio-only telehealth services
  • Extending the Acute Hospital Care at Home (AHCAH) initiative, pioneered by Johns Hopkins two decades ago. It also requires the HHS Secretary to publish a report comparing AHCAH programs with traditional inpatient care delivery. 
  • Extending the ability to use telehealth services to meet the face-to-face recertification requirement for hospice care
  • Extending the high-deductible health plan (HDHP) safe harbor exceptions for telehealth services.

The final bill did not extend the Ryan Haight in-person waiver for the remote prescription of controlled substances. As mentioned in our earlier article, this is a wise move in this Editor’s view given the abuse of this waiver by certain telehealth organizations. ATA/ATA ACTION release.

The HHS Secretary will be required to submit a report to Congress on the utilization of the above services. The interim report is due in October 2024 and the final report in April 2026, according to the American Hospital Association. Affecting hospitals and practices in the bill:

  • It delayed the statutory Pay-As-You-Go (PAYGO) Medicare 4% sequester for two years, preventing the $38 billion in Medicare cuts that otherwise would have taken effect in January.
  • Partial relief from a 4.5% reduction in physician reimbursement rates starting on 1 January. The legislation reduced the cut to 2% for 2023 and around 3% for 2024.

HealthcareFinance

Other features of this bill having an effect on healthcare and telehealth (from Infrastructure Report Card):

  • $455 million for the expansion of broadband service, including $348 million for the ReConnect program, a series of grants administered by the US Department of Agriculture for the construction, improvement, or acquisition of facilities and equipment needed to provide broadband service in eligible rural areas. This could help rural areas and hospitals in provider-patient and provider-to-provider consults.
  • $1.65 billion for the National Institute of Standards and Technology (NIST), an increase of $424 million, or 34%, above the FY 2022 enacted level. Specific funding is allocated for the measurement labs and research at $953 million, a $103 million or 12% increase above the FY 2022 enacted level. The goal is to spur research advances in cutting-edge fields like carbon dioxide removal, artificial intelligence, quantum information science, and cybersecurity.

The bill was signed into law by the president on vacation in St. Croix, USVI. Given the bumpy start of the 118th Congress today, these are at least not up for grabs.

The PROTECT Act for HIT doesn’t: mHealth Coalition

The mHealth Regulatory Coalition, which is a four-year-old alliance of legal and software companies in the health IT/software area, and whose most vocal spokespersons are well-known industry legal counsels Brad Thompson and Kim Tyrrell-Knott of Epstein Becker Green, has come out against the PROTECT Act (S 2007). PROTECT, which was proposed by Senators Fischer and King, would limit FDA regulation of certain ‘low-risk’ clinical software in the interest of fostering innovation and reducing regulatory burden. Original reports indicated that this responsibility would be transferred to the National Institute of Standards and Technology (NIST) [TTA 28 Feb]. According to Mr. Thompson, “The rush to avoid expert reviews of complex technologies with far-reaching health ramifications ignores the fact that we cannot separate the high risk from the low risk apps using broad terms in legislation.” His example: a theoretical smartphone app designed to diagnose melanomas from photos. PROTECT is being supported by IBM, athenahealth, Software & Information Industry Association, Newborn Coalition and McKesson. The bill also would exempt certain health IT software from being charged a 2.3% medical device tax, which is perhaps the ‘long game’ being played here by the aforementioned companies, as most Washington watchers give the bill as it stands little chance of clearing both houses of Congress and a congressional committee, much less being signed into law. The question remains: how best to speed less clinically significant wellness software to market without logjamming FDA.  iHealthBeat summary, Clinical Innovation + Technology, MRC press release

FCC sharply elbows up to the mHealth regulatory table

That other three-letter agency, the Federal Communications Commission (FCC), which has shown a distinctly competitive face versus the FDA on Federal healthcare tech policy over the past three years and more, has formed–drum roll–a task force to examine adoption of wireless technologies by health care organizations. Connect2HealthFCC will “identify regulatory barriers and incentives to expand the use of wireless health technologies; and strengthen partnerships with stakeholders in the telehealth and mobile health industries.” If this is an accurate statement of the task force’s purpose, the parade not only has gone by, but it’s also three counties away. Yet going back in our files, this Editor notes that the FCC has vigorously fenced not only with the FDA, but also with HHS, NIH, NIST and Congress for its place in the Federal HIT regulatory firmament. With issues such as ‘net neutrality’, wireless bandwidth and rural broadband, the FCC has a heaping healthcare helping on its plate just in assuring national access and removing conflicts in frequency demands by devices. However, the task force is headed by Michele Ellison, lately the FCC’s top regulatory enforcer with, as The Hill notes, 6,000 actions under her belt. In Foggy Bottom, things are never what they seem. iHealthBeat

Is *less* regulation the answer for mHealth? (US)

What if the solution to the mHealth/digital health logjam of approvals at the US Food and Drug Administration (FDA) is to take clinical and health software completely out of their approval purview–and hand it to the National Institute of Standards and Technology (NIST), which is not a regulatory body but a standards-development organization? That is the solution proposed by the PROTECT Act of 2014 (Preventing Regulatory Overreach to Enhance Care Technology), proposed by Senators Angus King (I-Maine) and Deb Fischer (R-Nebraska). It’s put some of the better known organizations into a swivet, along with high profile attorney and mHealth legal expert Bradley Merrill Thompson with Epstein, Becker & Green. Possibly little to no regulation would be applied to EMRs, clinical support software and wearables/fitness apps–which is promptly being conflated by the usual suspects with heavy-duty equipment such as CT scanners. FDA also finalized its guidance last September on telehealth and telemedicine applications, which this would render irrelevant. The Washington betting is that this Senate bill will go exactly nowhere, but it’s indicative of the jockeying for position this Editor is seeing within the present government and now with advocates/lobbyists [TTA 13 Feb]. MedCityNews, FierceMobileHealthcare