Industry Resources Links, Articles and Commentary


CMS Quality Payment Program

June 2017

Proposed Rule for Quality Payment Program Year 2

The Quality Payment Program, established under the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), began in 2017, known as the transition year. The Program’s main goals are to:

  • Improve health outcomes.
  • Spend wisely.
  • Minimize burden of participation.
  • Be fair and transparent.

The Quality Payment Program has 2 tracks: (1) The Merit-based Incentive Payment System (MIPS) and (2) Advanced Alternative Payment Models (Advanced APMs).

Because the Quality Payment Program brings significant changes to how clinicians are paid within Medicare, the Centers for Medicare & Medicaid Services (CMS) is continuing to go slow and use stakeholder feedback to find ways to streamline and reduce clinician burden, and make it easier for clinicians to participate and put their patients first. CMS has engaged more than 100 stakeholder organizations and over 47,000 people since January 1, 2017 to raise awareness, solicit feedback, and help clinicians prepare to participate. Based on stakeholder feedback, CMS established transition year policies from the clinician perspective, such as:

  • Giving clinicians the option to choose how they’ll participate. (For the 2017 transition year,MIPS eligible clinicians have the opportunity to “pick their pace” of participation in theperformance period by submitting a minimum amount of data, 90-days of data, or a full year ofdata.)
  • Having a low-volume threshold that exempts many clinicians with a low volume of MedicarePart B payments or patients.
  • Allowing flexibilities for clinicians who are considered hospital-based or have limited face-to-face encounters with patients (referred to as non-patient facing clinicians).

As the Quality Payment Program moves into the second year, CMS wants to ensure that there is meaningful measurement and the opportunity for improved patient outcomes while minimizing burden, improving coordination of care for patients, and supporting a pathway to participation in Advanced APMs. In the second year of the Quality Payment Program, similar to “pick your pace,” CMS is continuing to propose many flexibilities that make it easy for clinicians to participate and that gradually prepare clinicians for full implementation. Please note that CMS refers to the second year of program as “The Quality Payment Program Year 2” rather than “pick your pace.”

Quality Payment Program Year 2 Proposals: MIPS

For the Quality Payment Program Year 2, CMS wants to keep what’s working and use stakeholder and clinician feedback to improve the policies finalized in the transition year. Some prominent proposals include modestly increasing the performance period requirements to include a full year of data for the Quality and Cost performance categories, though CMS would not use Cost performance scores for final score determination. CMS is also proposing to increase the performance period to 90-days of data for the Improvement Activities and Advancing Care Information performance categories. In an effort to continue to reduce burden and offer flexibilities to help clinicians to successfully participate, other proposals include:

  • Offering the Virtual Groups participationoption.
  • Increasing the low-volume threshold so thatmore small practices and eligible clinicians inrural and Health Professional Shortage Areas(HPSAs) are exempt from MIPS participation.
  • Continuing to allow the use of 2014 EditionCEHRT (Certified Electronic Health RecordTechnology), while encouraging the use of2015 edition CEHRT.
  • Adding bonus points in the scoringmethodology for:
  • Caring for complex patients.
  • Using 2015 Edition CEHRT exclusively.
  • Incorporating MIPS performance improvementin scoring quality performance.
  • Incorporating the option to use facility-basedscoring for facility-based clinicians.

CMS is also proposing more flexibilities for clinicians in small practices that would:

  • Add a new hardship exception for clinicians in
  • small practices under the Advancing Care Information performance category.
  • Add bonus points to the Final Score of clinicians in small practices.
  • Continue to award small practices 3 points for measures in the Quality performance categorythat don’t meet data completeness requirements.

Based on stakeholder and clinician feedback, CMS has proposed policies with respect to the use of Appropriate Use Criteria, and certain policies enacted under the 21st Century Cures Act that affect the Quality Payment Program.

What are Virtual Groups?  The Year 2 proposed rule offers Virtual Group participation, which is another way clinicians can elect to participate in MIPS.
Virtual Groups would be composed of solo practitioners and groups of 10 or fewer eligible clinicians, eligible to participate in MIPS, who come together “virtually” with at least 1 other such solo practitioner or group to participate in MIPS for a performance period of a year.
Our goal is to make it as easy as possible for Virtual Groups to form no matter where the group members are located or what their medical specialties are. Generally, clinicians in a Virtual Group will report as a Virtual Group across all 4 performance categories and will need to meet the same measure and performance category requirements as non-virtual MIPS groups.

Appropriate Use Criteria (AUC)

The AUC were first introduced in the calendar year (CY) 2016 Physician Fee Schedule Final Rule with Comment Period. More policies were added to the AUC in the CY 2017 Physician Fee Schedule Final Rule. The evidence-based AUC will help clinicians who order and furnish advanced diagnostic imaging services make the most appropriate treatment decisions for specific clinical conditions.
For the 2018 MIPS performance period, CMS proposes adding a new improvement activity that MIPS eligible clinicians could choose if they attest they’re using AUC through a qualified clinical decision support mechanism for all advanced diagnostic imaging services ordered.

21st Century Cures Act

Enacted in 2016, the 21st Century Cures Act contains provisions affecting how CEHRT impacts the Quality Payment Program’s current transition year and future years. The 21st Century Cures Act was enacted after the publication of the Quality Payment Program Year 1 Final Rule. In the Year 2 proposed rule, CMS is proposing to implement the provisions in the 21st Century Cures Act, some of which will apply to the MIPS transition year.

  • Reweighting the Advancing Care Information performance category to 0% of the final score for ambulatory surgical center (ASC)-based MIPS eligible clinicians.
  • Using the authority for significant hardship exceptions and hospital-based MIPS eligible clinicians for the Advancing Care Information performance category the 21st Century Cures Act grants CMS.

Quality Payment Program Year 2 Proposals: APMs

CMS is keeping many of the policies finalized for the transition year, and is proposing changes and updates, including:

  • Extending the revenue-based nominal amount standard, which was previously finalized through performance year 2018, for two additional years (through performance year 2020). This standard allows an APM to meet the financial risk criterion to qualify as an Advanced APM if participants are required to bear total risk of at least 8% of their Medicare Parts A and B revenue.
  • Changing the nominal amount standard for Medical Home Models so that the minimum required amount of total risk increases more slowly.
  • Giving more detail about how the All-Payer Combination Option will be implemented. This option allows clinicians to become Qualifying APM Participants (QPs) through a combination of Medicare participation in Advanced APMs and participation in Other Payer Advanced APMs. This option will be available beginning in performance year 2019.
  • Giving more detail on how eligible clinicians participating in selected APMs will be assessed under the APM scoring standard. This special standard reduces burden for certain APMs (MIPS APMs) participants who do not qualify as QPs, and are therefore subject to MIPS.

For more information, go to:


MACRA - Here to Stay 2017

December 2016

MACRA:  Value based care is here to stay

The Final Rule, released in October 2016 signified a shift to a more modern, patient-centered Medicare program. The Centers for Medicaid and Medicare Services (CMS) have listened to administrative task concerns, ensuring providers the flexibility they need in the transition towards value-based care.

The Final Rule establishes how eligible clinicians and medical groups will participate in either MIPS (Merit-Based Incentive Payment System) or AMP (Advanced Alternative Payment Model.  Starting in 2017, Medicare physicians will have to participate in one or the other, so the time to plan is now.

What is MIPS?

You can think of MIPS as the backbone of MACRA. If providers don’t participate or gain an exemption (in such case a physician received a percentage of payments through qualifying advanced APMs, granting their exemption) they’ll receive a serious payment cut.

MIPS basically consolidates components of these programs:

  • Physician Quality Reporting System (PQRS)
  • Value-Based Payment Modifier
  • Electronic Health Record (EHR) Incentive Program
  • Clinical Practice Improvement Activities

And assesses physicians in four categories. Let’s delve deeper into those categories, as well as their score weights for 2017.

Quality Activities

For full performance, clinicians must report on either A) six quality measures to report that best reflect their unique practice, B) One specialty-specific measure set or C) One subspecialty-specific measure set.

Score weight – 60%

Clinical Practice Improvement Activities

In this category, clinicians choose the activities (there are over 90 of them to choose from under the rule) best suited for their practice. The Final Rule allows clinicians to report on four medium-weighted clinical practice improvement activities or two high-weighted, an improvement from the initially proposed six. Here’s a tip: If you can report on EHR activity under this category, do it! It will help you meet requirements. If you’re a home health organization, you’ll earn full credit in this category, and those participating in Advanced APMs will earn at least half credit.

Score Weight – 15%

Advancing Care Information Performance Category

Just so you know, this section is actually replacing the Meaningful Use Program. Also improved greatly, eligible practices are required to report on only five EHR use-related measures, a reduction from the proposed 11. According to CMS, “based on significant feedback, this area is simplified into supporting the exchange of

patient information and how technology specifically supports the quality goals selected by the practice.” These are the measures:

  • Security risk analysis
  • E-prescribing
  • Provide patient access
  • Send summary of care
  • Request/accept summary of care
    • But wait, there’s more! For the transition year, CMS will award a bonus score for the following:
  • Improvement activities that utilize certified EHR technology.
  • Reporting to public health or clinical data registries.

Score Weight – 25%

Cost/Resource Use

CMS has simplified this cost performance category, eliminating it from the calculation of providers’ overall performance for 2017. CMS adds, “that as performance feedback becomes available from claim analysis, the cost category’s contribution to the overall performance score will increase to the statutory 30% level by 2021.

Score Weight – 0%

How should practices report under MIPS?

MIPS-eligible clinicians now have the ability to submit information individually or as a group. CMS now allows for MIPS reporting as a group sharing a common Tax Identification Number, regardless of specialty or practice site. This could potentially help smaller providers receive a payment adjustment based on the group’s performance. Note: Groups must register by June 30, 2017.

For the transitional year of 2017, four paths have been established that providers may follow to report, each with the minimum performance threshold to avoid a payment penalty reduced.  *This does not include bonus information.

  • Report under MIPS for less than a year but more than 90 days, report more than one quality measure, more than one improvement activity, or more than the required measures in advancing care information performance category.
  • Report performance on minimum 90-day continuous period in 2017 or more than one measure in the quality component, more than one clinical practice improvement quality, or more than the required measures for advancing care information for minimum of 90- day continuous period.
  • Report results on all required measures for minimum 90-day continuous period in 2017.
  • Participate in an Advanced APM.

Providers who feel comfortable can begin collecting performance data on New Year’s Day. However, you can collect data anywhere between January 1, 2017 and October 2, 2017. All performance data is due March 31, 2018.

Be sure to choose your date for data collection and path in which to report as soon as possible, because there will be consequences! No participation means a 4% negative payment adjustment in 2019.


Hawthorn’s MIPS/MACRA task force has been following the Quality Payment Program to ensure that we are on top of program to pass along information to all our clients.  Hawthorn will be assisting clients through MIPS reporting as a team approach.  If you have any questions please feel free to reach out to your Client Service Manager today.



MACRA - Final Rule

October 2016

On April 27, 2016, the Centers for Medicare & Medicaid Services (CMS) released a highly anticipated proposed rule outlining physician payment reforms as required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). The proposed rule introduced the Quality Payment Program – a two track quality program that includes key guidelines for the new Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs) that will take effect as early as January 1, 2017.

MIPS is a new program that combines parts of PQRS, VM, and the EHR incentive program into one single program in which Eligible Clinicians (ECs) will be measured on four specific performance categories:

  • Quality (formerly PQRS):  Incentivized clinicians engage in improvement measures and activities that have a proven impact on patient health and safety.
  • Resource Utilization (formerly the cost component of the Value Modifier (VM)):  Goal to lower costs while significantly improving outcomes for high priority cases and chronic conditions.
  • Clinical Practice Improvement (new program):  Activities where the goal is to lower costs while significantly improving outcomes for high priority cases and chronic conditions.
  • Advancing Care Information (formally Meaningful Use of Certified EHR technologies):  Use of Certified EHR Technology with a shift to patient engagement, information exchange and care coordination to promote better outcomes.

On Friday, 10/14/2016 The Centers for Medicare and Medicaid (CMS) released the MACRA MIPS/APM final rule. As you can imagine, this is a rather lengthy document and it will take a little time to fully digest and understand the ramifications of the final rule. We are reviewing the final rule and working with your specialty originations to analysis the final rule and give you a summary as quickly as possible.
In the meantime, we wanted to give you a few links to additional resources from CMS if you would like to review them. 


Cybercrime & Ransomware Update

August 2016

Cybercrime is once more in the news as ransomware attacks in 2016 have targeted hospitals. Ransomware criminals lock computers in place and charge a fee to unlock the system.

In February of 2016 the Hollywood Presbyterian Medical Center in Los Angeles was attacked by ransomware, and the hospital later admitted they paid the $17,000 ransom in bitcoins. It has been reported that the success of this attack has led to the subsequent targeting of other hospitals.

In March of 2016 the Methodist Hospital in Henderson, Kentucky was forced to shut down its desktop computers and transfer operations to its backup system. The main system was apparently hacked through phishing emails that contained the Locky malware. Patient files were locked and the hackers demanded a ransom to unlock the system. Officials at the hospital worked through the emergency and declined to pay the ransom.

A local TV station reported that the Kansas Heart Hospital in Wichita was attacked by ransomware in May of 2016. According to this report the hospital admitted to paying an unspecified amount of ransom, but the criminals failed to decrypt the hostage files. The hospital then declined to pay a second ransom for the same attack.

Additional hospitals targeted in 2016 include the Chino Valley Medical Center in Chino, California and Desert Valley Hospital of Victorville, California. Not all attacks are reported, and it is possible that some hospitals have paid ransoms to avoid negative publicity.

The urgency of patient care makes hospitals more vulnerable to ransomware than other businesses and institutions. Health care providers need instant access to patient records, and lives are literally on the line while the hospital is held hostage. Additionally, security measures at hospitals lag behind other institutions, such as banks and other businesses. Hospitals have been very focused on HIPAA compliance and patient privacy, but many hospitals have not trained their employees on security awareness.

Most experts are recommending that hospitals improve their security protocols. One of the simplest procedures is to simply arrange for backup files and frequently scheduled backups. In the case of Methodist Hospital, cited above, it was the hospital’s backup systems that enabled rapid restoration of data and resolution of the problem.

In July 2016 the Centers for Medicare & Medicaid Services (CMS) issued guidance on ransomware. The new guidance indicates that ransomware attacks should be reported as a breach of HIPAA security, even if the hospital believes no data was lost and no files were locked.

Another source:


ICD10 Readiness of Hawthorn Physician Services

June 2015

October 1, 2015 is the federal mandated date for the United States to convert from ICD-9 to ICD-10.  ICD-10 is one of the building blocks enabling greater specificity and standardized data which can improve the coordination of a patient’s care across the variety of providers.  ICD-10 per CMS is a foundation for modernizing health care and improving quality.

Hawthorn Physician Services Corp (HPS) will be compliant and ahead of this mandated deadline to benefit our clients in preparation for this transition.  HPS is actively working on ICD-10 to ensure that all our systems that support our business processes and policies & procedures meet the implementation standards without interruption to its day-to-day operations.         

HPS wants our clients to recognize the significant efforts required to meet this mandate with communication and collaboration with all stakeholders.  We have a strategic planned approach working with our clients and business partners to ensure we are ready.

What we have done:

Formed our ICD-10 Committee and Project Team
Developed ICD-10 internal training/education for staff
Conducted an initial impact assessment on core billing system, clearinghouses, interfaces, coding edits, hardware changes, software applications, et al.   
Working with clients on modest steps to improve clinical documentation and offering resources to help them with their transition piece.

Outline of next steps:

Q1  2015– Internal  system updates to be completed
Q2 2015- Internal and external testing and updating of assessment. Test batches sent out.
Q2 and Q3 2015- Continued development of staff and clients. Final testing
Q4 2015- GO LIVE! HPS will be conducting reviews to assure charges are being received.

HPS will be communicating with our clients during this transition to keep all lines of communication open for a smooth transition to ICD-10.  We are committed to facilitating this industry mandate successfully for all our clients and staff.   


Medicare SGR Formula Triggers 21% Pay Cut Today

Medscape Medical News, Robert Lowes  April 01, 2015

Today is April Fools' Day, but for physicians, it also could be called Day One of Medicare Payment Limbo.

After all, Medicare technically is reducing its reimbursement rates for physician services rendered after March 31 by roughly 21% as of today, a cut triggered by the program's notorious sustainable growth rate (SGR) formula. However, physicians may not see any change in their Medicare pay if the Senate passes a bipartisan SGR repeal bill by April 14, a bill President Barack Obama has promised to sign.

Given this big "if," physicians are left wondering.

The House did its part in trying to avert a pay cut that threatened to drive many physicians out of Medicare and leave seniors in a lurch. On March 26, in an overwhelming bipartisan 392–37 vote, it passed an SGR repeal bill that raises reimbursement rates 0.5% in the last half of 2015 and annually through 2019, while shifting the program from fee-for-service to pay-for-performance.

On the other side of the US Capitol, however, the Senate recessed on March 27 for its spring break without taking any action on the legislation. Senate Majority Leader Mitch McConnell (R-KY) said his chamber needed more time to resolve disagreements about the bill, called the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015, and promised a vote as soon as the Senate reconvened on April 13.

The timing is fortuitous for physicians. By regulation, the Centers for Medicare and Medicaid Services (CMS) cannot pay clean electronic claims any sooner than 14 calendar days after receipt (29 days for hard copy claims). Senate passage of MACRA and the president's signature by April 14 would allow CMS to retroactively cancel the 21% rate reduction and pay all claims for services performed after March 31 at pre-April levels.

Read more:



House leaders negotiate permanent SGR repeal

Published on FierceHealthFinance ( March 19,2015  by Zack Budryk

After lawmakers derailed what looked like a permanent legislative fix to the widely unpopular sustainable growth rate (SGR) formula last year, Congress members plan to craft another long-term fix ahead of a looming deadline, MedPageToday reports--and this time they just might pull it off.

The leader of the House Ways and Means and Energy committees are involved in active discussions to try to "achieve an effective permanent resolution to the SGR problem, strengthen Medicare for our seniors, and extend the popular Children's Health Insurance Program," the committees said in a joint statement last week.

The SGR patch Congress approved in 2014 will expire March 31, after which physicians face a 21.2 percent cut to their Medicare reimbursements. The negotiation process is a familiar one, but this time, House Minority Leader Nancy Pelosi (D-Calif.) and House Speaker John Boehner (R-Ohio) are actively discussing how to fund the repeal, according to Vox. Repealing the SGR permanently this year would cost $177 billion; rather than tackle the entire cost at once, current negotiations involve roughly $70 billion in spending cuts with the balance attached to the deficit. The cuts would involve a combination of slower growth in post-acute care reimbursement; small reimbursement cuts for hospitals; cost-shifting to seniors in MediGap plans; and a premium hike for wealthy Medicare beneficiaries.

Despite the potential cuts, providers overwhelmingly support SGR repeal, as more than 750 physician groups urged Congress to pass a permanent fix in a letter to House and Senate leaders. "We made significant progress in the previous Congress to find common ground for a Medicare fix that would establish a clear pathway for developing and implementing new healthcare delivery and payment models that improve quality, coordinate care and reduce costs," Robert M. Wah, M.D., president of the American Medical Association, wrote. "It would be a shame to once again let that solution, which took months to develop, go to waste."

Find more information also at


RBMA Radiology Business Management

Information from  February 2015

Let's Talk-  Odds of Another ICD-10 Delay Grow Longer

In February, two significant events happened in Washington, D.C., that made Congressional passage of another mandatory delay in the implementation of the 10th revision in the International Classification of Diseases codes (ICD-10) much more unlikely.

Late on Friday, February 6, the non-partisan Government Accounting Office (GAO) — which Congress relies on for trustworthy information on policy issues — made public its report to the Senate Finance Committee on the status of the Centers for Medicare and Medicaid Services (CMS) efforts to prepare for the switch from ICD-9 to ICD-10 claims coding on Oct. 1, 2015. The report concluded that CMS had taken “multiple steps to help prepare covered entities for the transition,” and noted that most of the stakeholders the GAO contacted said that CMS’s educational materials and outreach had been helpful.

Senate Finance Committee Chairman Orrin Hatch (R-Utah) and Ranking Member Ron Wyden (D-Ore) noted their optimism in their press release about the report. “I see no reason for any delay past the October deadline,” stated Sen. Hatch in the release.

On Wednesday of the following week, members of the influential House Energy and Commerce Health Subcommittee got an opportunity to hear testimony from seven stakeholders who all but one said the implementation needed to happen on October 1. And judging by the opening remarks of ranking members of the committee, they were preaching to the choir.

For example, Ranking Member Gene Green (D-Tex) said in his opening remarks that “it was time to move forward without further delay,” citing existing significant investment in the switch as well as advancements in medicine better captured by ICD-10.

One cannot, of course, completely rule out the possibility that a provision to delay ICD-10 might be inserted in legislation as a concession to a particular constituency. However, at the present time, with CMS, healthcare industry stakeholders, Democrats and Republicans all endorsing the Oct. 1, 2015 deadline, it is looking like this implementation date is for real. 

Last Edited by RBMA General at 2/13/2015 3:11 PM


PQRS Physician Quality Reporting System

Information from   January 2015

Physician Quality Reporting System (Physician Quality Reporting or PQRS) formerly known as the Physician Quality Reporting Initiative (PQRI)   

About PQRS

PQRS is a reporting program that uses a combination of incentive payments and negative payment adjustments to promote reporting of quality information by eligible professionals (EPs). 

The program provides an incentive payment to practices with EPs (identified on claims by their individual National Provider Identifier [NPI] and Tax Identification Number [TIN]). EPs satisfactorily report data on quality measures for covered Physician Fee Schedule (PFS) services furnished to Medicare Part B Fee-for-Service (FFS) beneficiaries (including Railroad Retirement Board and Medicare Secondary Payer). 

Beginning in 2015, the program also applies a negative payment adjustment to EPs who do not satisfactorily report data on quality measures for covered professional services.  This website serves as the primary and authoritative source for all publicly available information and CMS-supported educational and implementation support materials for PQRS.

 PQRS Quick Links

For step-by step instructions on how to implement PQRS, view the How to Get Started page. In addition, learn more about PQRS and how to participate by visiting the following pages:

• For information on how to select measures, review the Measures Codes page
• For information on reporting mechanisms, review the following pages:

o Registry Reporting page
o Medicare EHR Incentive Program Reporting page
o Group Practice Reporting Option page
o Qualified Clinical Data Registry (QCDR) page.

• For information on incentive payments, review the Analysis and Payment page
• For information on adjustments, review the Negative Payment Adjustment Information page

Help Desk:  If you have questions or need assistance with PQRS reporting please contact the Quality Net Help Desk. The help desk is available Monday – Friday; 7:00 AM–7:00 PM CST:
Phone: 1-866-288-8912 TTY: 1-877-715-6222 Email:



Cybersecurity and Healthcare

by Stan Hosler

November 2014

We are building our lives around our wired and wireless networks. The question is, are we ready to work together to defend them? This headline appears on the About Us page of the FBI website (, which describes that agency’s efforts to investigate cyber-based terrorism, espionage and computer fraud. The text goes on to describe how the FBI combats cyber crime and cyber terrorism by gathering and sharing information with public institutions and private businesses worldwide.

Sharing information and best practices is a fundamental principle in the fight against cyber crime and terrorism. Earlier this year, another federal government agency, the National Institute of Standards and Technology (NIST), issued a press release announcing Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” This 41-page document describes the Cybersecurity Framework for protecting 16 of our nation’s critical infrastructures, including banking, transportation, telecommunications and healthcare.



NIST is not a regulatory body.  It is an agency of the Department of Commerce, and its mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.” The NIST Cybersecurity Framework is a collaborative effort between public and private organizations, and its purpose is to provide a set of industry standards and best practices for managing cybersecurity risks.

At this point the Cybersecurity Framework is a voluntary program. The 16 critical infrastructure sectors—including healthcare—are expected to assess their own risks and implement their own best practices. By meeting the guidelines of the framework, organizations may be able to avoid additional federal regulation of cybersecurity.

The framework includes three primary components: Core, Tiers and Profiles. There are five Core functions for reducing cybersecurity risk: Identify, Protect, Detect, Respond and Recover. There are four Tiers of organizational engagement and preparation: Partial, Risk Informed, Repeatable and Adaptive. The Profiles describe the organization’s current state of cybersecurity activities. Each organization is responsible for addressing the Core functions, moving up the Tiers of engagement and developing its own Profiles of goals and outcomes.

The five Core principles describe how an organization should establish practices for 1) identifying its most critical intellectual property and assets, 2) developing and implementing procedures to protect them, 3) having resources in place to recognize a cybersecurity breach, 4) having procedures in place to respond to a breach, and 5) having procedures in place to recover from a breach when one occurs.

There are direct benefits for organizations that respond to the Cybersecurity Framework and implement its components. Proponents of the framework cite benefits such as collaboration, risk reduction, cost savings and improved internal practices. Additionally, some proponents have observed a benefit related to the demonstration of due care. If, for example, an organization is victimized by hackers or terrorists, its directors may have to defend its security practices to insurance companies, consumers or litigants. Organizations that have implemented the Cybersecurity Framework will be able to demonstrate that they have taken due care to protect their information and assets. According to SEC Commissioner Luis Aguilar, the Cybersecurity Framework has been suggested as a potential baseline for “best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”

The healthcare sector has benefitted greatly from technological improvements in telemedicine, remote diagnosis, record transfers and billing efficiencies, to cite just a few examples. Now it is time to defend the healthcare infrastructure against cyber attacks from criminals and terrorists. The NIST Cybersecurity Framework offers a common vocabulary and collaborative methods for assuring a positive, proactive, collective approach to security.


Changing priorities shift hospital focus to outpatient strategies

by Jeffifer Zanino, Contributing Writer for Healthcare Finance News.

Greater efficiences and consumer demand are drivers

It wasn’t all that long ago that most surgeries, and many medical and diagnostic procedures, required patients to plan for an inpatient hospital stay. But times have changed.

According to a 2013 report from Moody’s Investors Service, ambulatory service centers' same-location revenues have been growing in the low- to mid-single digits since 2007, while hospitals have seen same-facility inpatient surgery cases decline 0.22 percent annually.

Most hospitals are adjusting. “Many revenues that used to be generated from an inpatient setting are being diverted to outpatient settings,” said Brad Spielman, vice president and senior credit officer at Moody’s Investor Services, and the lead writer of the company’s new report, Building Value: Investments Aimed at New Priorities Create Opportunities for Not-For-Profit Hospitals.

Hospitals are investing more in outpatient facilities, from full-scale service centers to urgent care centers to standalone emergency departments, he noted. So intense is the drive to capture outpatient revenue that the strategy is approaching critical-mass status. “Certain hospital-based systems are starting to have more than 50 percent of revenues generated outside of the inpatient setting,” he said. “The trend is accelerating and the scales are starting to tip a bit.”


Slideshow:  Top 10 biggest HIPAA breaches

by Erin McCann - Associate Editor, Healthcare IT News.

The numbers are scary. Healthcare providers and payers, together with their business associates, are still failing to protect patient privacy and ensure the security of their personal health information. The drumbeat of data violations continues: To date, more than 38.7 million individuals have had their protected health information compromised in HIPAA privacy and security breaches. Here are the biggest offenders.