CMS Leaves Healthcare Organizations Guessing on Possible Meaningful Use Changes


Recent communication from the Centers for Medicare & Medicaid Services (CMS), has created confusion for hospitals, group physician practices and individual physicians participating in the Meaningful Use program. A January 29th blog post from the agency’s chief medical officer, who also serves as the deputy administrator for innovation and quality, announced that CMS intends to modify requirements for Meaningful Use in 2015, casting doubt on whether CMS intends to enforce its current Meaningful Use reporting and attestation requirements. 

If the timeline CMS used last year is an indication of the rollout of the regulatory changes, healthcare providers will be left scrambling to adjust to last minute regulations for reporting and eligibility standards. To avoid the risk that they will not be able to attest for Meaningful Use in 2015, hospitals and physicians should begin planning now for the likelihood that CMS changes will not be formalized until late in the year.

In September 2014 CMS published a final rule that allowed hospitals and providers participating in the Meaningful Use to use the 2011 edition of certified electronic health record technology (CEHRT) for calendar and fiscal year 2014 reporting periods. The publication of the final rule gave hospitals less than a month to decide if this approach applied to their situation. Eligible providers were already in the last quarter of their calendar year reporting period.

In comments accompanying the 2014 program changes, CMS committed to enforcing several scheduled changes to the requirements of the Meaningful Use program including requiring all hospitals and eligible providers attesting to Meaningful Use adopt the 2014 edition certified EHR technology (CEHRT). The second significant change was to extend to 12 months the EHR reporting or data collection for the measures and objectives created through Meaningful Use of CEHRT.

But once again, CMS is telegraphing that it might change course. Specifically, CMS CMO Patrick Conway, M.D. said the agency is considering proposals to:

In the face of the uncertainty of the standards CMS will be enforcing, and when they may be adopted, what is best course for an organization seeking to attest to Meaningful Use in 2105 should follow? First, CMS is committed to requiring that all hospitals and eligible providers adopt and demonstrate Meaningful Use of 2014 Edition CEHRT. Second, begin collecting data of the measures and objectives at your earliest opportunity. Assuming that CMS eventually shortens the reporting period to 90 days, your organization would be in a better position to produce an optimal Meaningful Use data report. Third, it is very important to perform the security risk analysis to meet the “Protect Electronic Health Information” core objective for Stage 1 or Stage 2. The security risk analysis requires that any entity attesting to Meaningful Use must conduct or review the security risk analysis a HIPAA covered entity or business associate would perform to comply with the Security Rule. Lack of a thorough or properly documented risk assessment continues to be a common finding uncovered in CMS audits and can lead to returning incentive payments and/or paying penalties. 

Under Stage 1, an organization must also implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process. In Stage 2, in addition to meeting the same security risk analysis requirements as Stage 1, eligible providers and hospitals will also need to address the encryption and security of data stored in the certified EHR technology (CEHRT).

These steps may be completed outside of the EHR reporting period timeframe but must take place no earlier than the start of the EHR reporting year. The risk analysis or security review must take place no later than the provider attestation date or the close of the annual reporting period. Once the risk analysis is completed, providers must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.

The changes being considered to Meaningful Use beginning in 2015 through rulemaking, is separate from the forthcoming Stage 3 proposed rule that is expected to be later this year. CMS says that it intends to limit the scope of the Stage 3 proposed rule to the requirements and criteria for meaningful use in 2017 and subsequent years. 

Regardless of the direction CMS takes in revising the reporting periods and other requirements for Meaningful Use, your organization should take action now to assure that it is well positioned to collect the data required to support its attestation, as well as performing the required security risk analysis.

Click here learn more about CMS and the EHR incentive programs.