Consortium News

  • 22 Apr 2015 2:09 PM | Anonymous

    The UpTake: Care at Hand's app taps into the observations of untrained home caregivers to gather better medical information.

    Retrieved from Boston Business Journal   |   Apr 22, 2015

    What if the answer to reducing health costs of the most expensive patients stems from listening to the hunches of home care workers with little — if any — medical training?

    That’s the premise tech startup Care at Hand Inc. used to predict and prevent an estimated $6.5 million in Medicare spending by reducing hospitalizations among aging patients in Massachusetts.

    Now, company officials are taking aim at Maryland, the only state to have a Medicare payment waiver to set its own rates. Officials at Care at Hand say its online survey system, which captures and analyzes observations from home care workers, will "disrupt" the way Maryland hospitals tackle readmission rates.

    "These are incredibly valuable and underutilized workers. Why don’t we use what’s in place, but use them more intelligently," co-founder and CEO Dr. Andrew Ostrovsky said. He is relocating from Boston to Maryland in May after launching the service with The Coordinating Center of Maryland.

    Care at Hand developed a survey app to give to home care workers, instructing them to answer up to 15 questions about their client each day. The idea is that home care workers have more opportunities to notice subtle health changes among their clients who are trying to "age in place" in their own homes.

    For instance, a worker might notice if it becomes harder to slip on a client’s shoe due to foot swelling. That could indicate a patient is suffering from symptoms of heart failure.

    The system will prompt medical staff at a local hospital if a client seems to be demonstrating risk factors for hospitalization based on the survey.

    "[Home care workers] don’t need to understand why those indicate problems," Ostrovsky said. "We just need to make sure that they are being brought to the attention of a patient’s medical team."

    While the company's ambitions are big, it's still a small startup. Last year, it made about $250,000 in revenue and hopes to increase that to about $500,000 this year. The company's raised approximately $2 million, with a recent funding round of about $500,000. And as CEO, Ostrovsky admits his background as a pediatrician may make him sound like an odd fit for a company focused around the aging population.

    But the company has some heavy hitters behind it. Eric Ries, author of the popular business book "The Lean Startup," is one of the company's investors. Other backers include Mark Leavitt, the former chairman of the nonprofit Certification Commission for Health Information Technology and former chief medical officer of HIMSS, and Dr. Barry Zuckerberg, the former chief of pediatrics at Boston Medical Center. New York-based tech venture firm Great Oaks Venture Capital is also an investor.

    The federal Agency for Healthcare Research and Quality looked at hospital-generated admissions data for one elder care group in Massachusetts using Care At Hand's software. It found the program reduced 30-day readmissions by 39.6 percent among at-risk patients, for a net savings of $2.57 for every dollar spent.

    Ostrovsky is betting that results like that will be crucial in Maryland, where hospitals have a five-year deadline to demonstrate improved quality through improved care coordination with outpatient providers to keep the state Medicare waiver. But first, the company has to convince the home care providers to get on board.

    "We come in and say, 'You don't have to change a thing,'" Ostrovsky said. "But we'll digitalize the hunches of your health care workers and we'll quantify the [return on investment] for your hospitals."

  • 17 Apr 2015 3:19 PM | Anonymous

    BOSTON, April 8, 2015 /PRNewswire/ -- Beacon Health Options (Beacon), the nation's premier behavioral health management company, announced today that Bill Fandrich has joined the organization as Executive Vice President and Chief Operating Officer, effective immediately. In this role, he will direct Beacon's core operations and introduce operational best practices enterprise-wide. Additionally, he will implement an operational strategy that supports Beacon's long-term growth and ensures service excellence for clients, provider partners, and most importantly, the individuals Beacon serves.

    A 30-year veteran of the health care industry, Mr. Fandrich comes to Beacon from Blue Cross Blue Shield of Massachusetts (BCBSMA), where he served as Senior Vice President, Chief Information Officer and Head of Operations since 2008. He managed more than 2,000 employees and contractors responsible for operational and technology functions. Mr. Fandrich also led the Corporate Project Management Office at BCBSMA. While there, he served on several community and company boards, and in 2010, was named "CIO of the Year" by Mass Technology Leadership Council for the state of Massachusetts. In 2015, he was the recipient of the Massachusetts Health Data Consortium's Delores Mitchell Award for Investing in Information.

    Previously, Mr. Fandrich served as the first Chief Informatics Officer for Cigna where he was responsible for launching the company's market-facing informatics strategy. During his five years at Cigna, he also held senior executive positions in product development and information technology operations. Earlier in his career, Mr. Fandrich served as Chief Application Officer and Senior Vice President at Liberty Mutual. He also has held positions at Deloitte and EDS, where he focused on health insurance and medical provider technology solutions.  Mr. Fandrich also co-founded a company, Cogentric, Inc., a security and risk management firm, which was sold in 2003.

    "Bill will play a key role in positioning Beacon Health Options to deliver superior service to our clients, providers and members. He brings a dynamic combination of leadership skills, extensive operations expertise and a successful track record that will benefit our company in the coming years," said Beacon Chief Executive Officer Tim Murphy. "Moving forward, we will look to Bill to set a clear operational vision for us as we transform Beacon to meet our important mission of helping those we serve live their lives to the fullest potential."

    About Beacon Health Options

    Beacon Health Options is a health improvement company that serves 45 million individuals across all 50 states and the United Kingdom. On behalf of employers, health plans and government agencies, we manage innovative programs and solutions that directly address the challenges our behavioral health care system faces today. A national leader in the fields of mental and emotional well-being, addiction, recovery and resilience, employee assistance, and wellness, Beacon Health Options helps people make the difficult life changes needed to be healthier and more productive. Partnering with a network of providers nationwide, we help individuals live their lives to the fullest potential. Visit for more information.

  • 17 Apr 2015 9:55 AM | Anonymous

    Retrieved from Boston Business Journal  |  Apr 15, 2015  |  Jessica Bartlett

    Hospitals are crunching unprecedented amounts of data to understand better ways to save money, and Arcadia Healthcare Solutions is ready to take advantage of the market opportunity.

    The Burlington-based company, which collects care-related data to help hospitals better manage some of their more expensive patients, has raised $13 million to help hire 50-to-100 employees as it bolsters its technology and expands its marketing team.

    The company has approximately 200 employees but does not publicly disclose revenue.

    "We’re a company on the rise in terms of our recognition in the marketplace," said Arcadia CEO Sean Carroll. "We want to continue to make sure the market is aware of us, what we’re doing, how we’re trying to help our clients and how we have helped."

    The funding came from Peloton Equity LLC and Zaffre Investments LLC as well as a roster of the company's previous investors. The company works by aggregating insurance information with patient data collected from a hospital’s electronic medical record.

    Founded in 2002, Arcadia has approximately 65 clients, including Beth Israel Deaconess Medical Center. Arcadia estimates that it will add another 30-to-40 clients in the next year. That should help propel a 30 percent revenue increase, Carroll said.

    Though the hospital analytics space is becoming increasingly crowded, Carroll said Arcadia’s focus on providing analysis and solutions – rather than just data aggregation and reports – is the company’s competing edge.

    "Our interests are engaging tech to help them implement transformative plans and strategies in their ambulatory network that change the way they deliver care," Carroll said.

  • 08 Apr 2015 9:47 AM | Anonymous

    Retrieved from   |   By: Aditi Pai   |   Apr 7, 2015

    Brigham and Women’s Hospital in Boston will pilot iGetBetter’s apps to reduce hospital readmissions through remote patient monitoring and post-discharge patient engagement. The pilot will target patients that have heart disease, specifically those with hypertrophic cardiomyopathy (HCM).

    "There is a great need for innovative approaches to relieve symptoms for patients with hypertrophic cardiomyopathy," Dr. Neal Lakdawala, a BWH physician and the clinical lead on the pilot, said in a statement. "Disease manifestations can vary significantly on a day to day, and even minute to minute basis, but contemporary practice has not adapted to this aspect of disease. We are excited about the potential for this pilot, in which we will accelerate the pace of relief for patients using technology that allows them to report symptoms, vital signs, and step counts daily. This information will allow us to titrate their medications weekly and individualize treatment."

    With iGetBetter’s system, patients can review their personalized care plans on a patient-facing HTML5 web app, designed to work on various devices, including Android and iOS ones. The app allows patients to view announcements and reminders, log their progress, manage their contact information, and communicate with care team members.

    In this specific trial, patients will also be able to sync health information that they track with Withings’ Bluetooth-enabled blood pressure cuffs and activity monitors. Withings donated the devices to Brigham and Women’s for the pilot. 

    iGetBetter’s program syncs with many other connected health apps and devices including Garmin, RunKeeper, Fitbit, Fitbug, Omron, MapMyFitness, and Moves. The company integrates the data from these devices through Validic.

    "For the first time, we will be using daily patient biometric readings coupled with daily subjective inputs from patients about possible cardiac symptoms to titrate medication levels to maximum desired levels remotely without the need for multiple outpatient office visits," Dr. David Lebudzinski, Chief Medical Officer at iGetBetter said in a statement. "This potentially represents a major improvement for these hypertrophic cardiomyopathy patients who will be brought up to desired medication doses faster than ever, achieving a level of therapeutic safety much faster than in the past. This should improve their quality of life and reduce their risk for adverse cardiac events very quickly."

    Clinicians can use the system’s provider-facing app to monitor patients’ data, adjust their medications, and contact patients when necessary to avoid hospital admissions.

    In February, iGetBetter raised $1.1 million, which brought the company’s total funding to at least $2.6 million. At the time, the company said pilots with six health systems had already been completed, two of which signed on as customers afterward. Several more pilots were set to begin, they said at the time, for diseases including congestive heart failure, total knee and hip replacements, hypertension, diabetes, and depression.

  • 25 Mar 2015 5:03 PM | Anonymous

    The CMS and ONC NPRMs

    Retrieved from Life as a Healthcare CIO: MARCH 24, 2015

    This analysis was written by Micky Tripathi and John Halamka.

    On Friday March 20, CMS released the Electronic Health Record Incentive Program-Stage 3 and ONC released the 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications.

    Perhaps the most important statement in the entire 700+ pages is the following from the CMS rule: "Stage 3 of meaningful use is expected to be the final stage and would incorporate portions of the prior stages into its requirements."

    Providers and vendors alike were all hoping for something lean and clean. The CMS Stage 3 rule weighs in at 301 pages, but the ONC Certification rule takes the cake at 431 pages. The JASON Task Force, whose recommendations were unanimously approved by the HIT Standards and Policy Committees, recommended that ONC and CMS make an explicit trade-off: Decrease the breadth and complexity of the MU program, and in return, increase the expectations in a few key areas, such as interoperability. The CMS MU Stage 3 rule, for the most part, has adopted this philosophy. Unfortunately, the same can't be said for the ONC Certification rule.

    We provide a brief synopsis of the MU and Certification Rules below, followed by our analysis of these proposals.

    CMS Stage 3 MU Rule Synopsis

    The CMS Meaningful Use Rule is focused and narrowed to 8 objectives.

    There is some fine-print though. Contained within many of the objectives are multiple measures. Depending on which options one chooses, and whether you are a provider or a hospital, the total number of MU measures could range from 15 to 20, and that's NOT INCLUDING the Clinical Quality Measures, which have always been like a MU menu all of their own, and which are now going to be determined through a different process and won't be defined until later in 2015.

    Here is a synopsis of the MU Stage 3 requirements:

    Provider-facing EHR functions:

    *ePrescribing: The thresholds have increased to 80% for EPs and 25% for EHs, but overall this is just asking for more of the same. Of note is that controlled substance prescriptions can now be optionally included in states where it is allowed electronically.

    *Clinical decision support: There are 2 measures: 1) implement 5 CDS interventions tied to 4 quality measures; and 2) turn on drug-drug and drug-allergy interaction alerts for the entire EHR reporting period. This is aligned with the past trajectory from earlier stages.

    *CPOE: There are 3 measures: use CPOE on at least 80% of medication orders, 60% of lab orders, and 60% of diagnostic imaging orders. CMS has given a little flexibility here by now counting entry by "scribes" (personnel with at least a medical assistant credential), excluding standing orders, and including a broader array of imaging such as ultrasound, MRIs, and computed tomography.

    Patient-facing EHR functions:

    *Patient access to information: There are 2 measures: 1) 80% of patients must be able to access their records either through the View/Download/Transmit function or through an ONC-certified API; and 2) give 35% of patients access to patient-specific educational resources. Note, this objective just requires that access is provided to patients. No patient action is required in order to meet these objectives.

    *Active patient engagement: There are 3 measures: 1) 25% of patients must access their records either through View/Download/Transmit or through an ONC-certified API; 2) 35% of patients must receive a clinically-relevant secure message; and 3) provider must incorporate information from patients or "non-clinical" settings for 15% of patients. These measures do require patient action, though there is some flexibility because provider-initiated messages now count toward the secure messaging measure, for example. The most challenging measure will be the last one, which requires patient-generated data or data from non-clinical settings such as home health, physical therapy, etc.


    *Health information exchange: There are 3 measures: 1) send electronic summary for 50% of TOCs and referrals; 2) get electronic summary for 40% of TOCs and referrals; and 3) perform med/allergy/problem reconciliation for 80% of TOCs and referrals.

    *Public health and clinical data registry reporting: There are 6 measures. "Active engagement" is required for: 1) immunizations; 2) syndromic surveillance; 3) reportable conditions case reporting; 4) public health registries; 5) non-public health registries; 6) electronic lab reporting. EPs need to choose 3 out of 1-5, and EHs need to choose 4 out of 1-6. Having witnessed that there is wide variability in public health capacity across the country, CMS has provided some flexibility here by defining "active engagement" broadly to include either registering, testing, or transacting. In short, you'll get credit even if you're not actively transacting as long as you are on the path and making a good faith effort.

    The CMS rule is laid out logically and pretty easy to follow. (That is, for a 300+ page federal regulation.)

    ONC 2015 Edition Certification Rule Synopsis

    We wish we could say the same about the ONC Certification Rule. Whereas the CMS rule seems to be using MU Stage 3 to stabilize expectations, the ONC rule does the opposite and crams too much into the 2015 Edition Certification. To make matters worse, the rule isn’t laid out clearly or logically, so it's hard to ascertain how all of the pieces fit together.

    There are 68 individual certification requirements described in the ONC rule. It would be impossible to lay out all of the details here. The list of all of the requirements is here.

    There are 36 of the 68 requirements that are required for Meaningful Use. ONC introduces the concept of the "Base EHR", which has the following 16 requirements. New requirements are marked with a *.

    • Demographics
    • Problem List
    • Medication List
    • Medication Allergy List
    • Smoking Status
    • Implantable Device List*
    • Clinical Decision Support
    • CPOE – medications
    • CPOE – laboratory
    • CPOE – diagnostic imaging
    • Transitions of Care
    • Application Access to Common Clinical Data Set*
    • Direct Project, Edge Protocol, and XDR/XDM
    • Direct Project
    • Clinical Quality Measures – record and export
    • Data Portability

    But for meaningful use, CMS says that you need the Base EHR, plus 20 more requirements:

    • Automated Measure Calculation
    • Automated Numerator Recording
    • Patient Health Information Capture*
    • Family Health History – pedigree
    • Family Health History
    • Transmission to Public Health Agencies – health surveys*
    • Transmission to Public Health Agencies – antimicrobial use and resistance reporting*
    • Transmission to Public Health Agencies – reportable condition reporting*
    • Drug-drug, Drug-allergy Interaction Checks for CPOE
    • Transmission to Cancer Registries
    • Transmission to Public Health Agencies – reportable laboratory tests and values/results
    • Transmission to Public Health Agencies – syndromic surveillance
    • Transmission to Immunization Registries
    • Secure Messaging
    • View, Download, and Transmit to 3rd Party
    • Drug-formulary and Preferred Drug List Checks
    • Electronic Prescribing
    • Clinical Information Reconciliation and Incorporation
    • Patient-specific Education Resources
    • Clinical Quality Measures -- Report

    So what are the additional 32 requirements if they're not required for Meaningful Use? It's the list below, arrayed in order of decreasing complexity as estimated by ONC.

    • Electronic Submission of Medical Documentation*
    • Accessibility Technology Compatibility*
    • Consolidated CDA Creation Performance*
    • Vital Signs, BMI, and Growth Charts
    • Data Segmentation for Privacy (Federal substance abuse privacy law) – send*
    • Data Segmentation for Privacy (Federal substance abuse privacy law) – receive*
    • Quality Management System
    • Decision Support – knowledge artifact (send CDS interventions)*
    • Transmission of Laboratory Test Reports
    • Clinical Quality Measures – filter*
    • Incorporate Laboratory Tests and Values/Results
    • Safety-Enhanced Design
    • Care Plan (consolidated from multiple care plans)*
    • Social, Psychological, and Behavioral Data*
    • Decision Support – service (receive CDS interventions)*
    • Healthcare Provider Directory – query response*
    • Healthcare Provider Directory – query request*
    • Clinical Quality Measures – import and calculate
    • Accessibility-Centered Design*
    • Integrity
    • End-User Device Encryption
    • Emergency Access
    • Automatic Access Time-out
    • Amendments
    • Audit Report(s)
    • Auditable Events and Tamper-resistance
    • Authentication, Access Control, Authorization
    • SOAP Transport and Security Specification and XDR/XDM for Direct Messaging
    • Accounting of Disclosures
    • Image Results
    • Patient List Creation
    • Electronic Medication Administration Record

    Buried within these 700+ pages of proposed federal regulations are many objectives, measures, and requirements, as well as a lot of hopes, dreams, and aspirations -- what we would characterize as The Good, The Bad, and The Ugly.

    The Good

    The CMS rule level sets everyone at Stage 3 by 2018. That makes life easier for providers, vendors, and the government.

    Some of the objectives and thresholds need adjustment to align with workflow, change management and market realities, but overall the CMS MU Stage 3 proposal is a good first draft. CMS deserves a lot of credit for streamlining and consolidating a lot of the stray threads from MU Stages 1 and 2, and making the Stage 3 rule coherent and relatively easy to understand.

    Both the MU and Certification rules emphasize application program interfaces (APIs), and do so in a judicious and thoughtful way. They give credit to those early adopters who may implement APIs ahead of the market, signal toward RESTful FHIR APIs and OAuth as future certification candidates, but don't lock in those standards before they are mature and market-tested. This glide path is directly in line with recommendations from the JASON Task Force, HITSC and HITPC, as well as the Argonaut Project, and thus has a lot of community momentum behind it. They seem to have learned the lessons of the Direct standard, which should be commended.

    The MU rule makes a practical leap into query-based exchange by requiring receipt of records from other entities. Few will be able to generate queries electronically at the outset, but it gives credit to those who can, and motivates others to enable workflows and technologies to do so as quickly as possible.

    The "Base EHR Definition" was introduced in the ONC 2014 Certification Edition and included all of the security certification criteria and standards. However, no individual module submitted for certification was required to meet the "Base EHR Definition," nor was any module required to meet any security criteria at all. Instead, it was up to each purchaser to determine whether the set of modules purchased collectively met the "Base EHR Definition" and therefore would be capable of meeting the requirements of HIPAA. The ONC 2015 Certification Edition removes security from the "Base EHR Definition" and instead assigns each security requirement to the types of modules where that functionality is most applicable.

    Finally, patients are given a high priority, as they should be. The big problems of health care can't be solved without making patients better custodians of their own care, and the MU and Certification rules give a large boost to those efforts.

    The Bad

    In the Meaningful Use rule, CMS undermines a bit of the simplicity by allowing a reporting period exception for year 1 Medicaid participants. They should have Medicaid year 1 follow the same requirements as everyone else which will level set everyone.

    While it is good to align the CQMs with other CMS quality programs, the detail on CQMs now won't be provided until later this year. We’re asked to weigh in now on quality measurement policy issues (such as whether all products should be required to support all measures) absent important information such as how many measures CMS is considering, whether they are all well suited to EHRs, and if they would be generally applicable to all EHR products.

    There are 3 main issues with the ONC rules. First is the concept of "decoupling". CMS and ONC have "decoupled" their rules, so that CMS can specify a smaller number of objectives/certification criteria, while ONC can provide a list of everything health IT could/should/might be, including a broad scope beyond EHRs. CMS now owns the "CEHRT definition." CMS sets the program policy requirements for MU and defines what minimally needs to be certified. This is a change in the directionality of the ONC/CMS regulatory relationship. In the past two regulatory cycles ONC’s rules have included MU program policy and pointed to CMS for details. Now, ONC’s rule is agnostic to any program and the CMS MU program points to ONC for certification specifications. Thus, the ONC rule includes a variety of certification specifications for which there are no corresponding MU requirements from CMS. This has the potential to create market confusion, an overwhelming scope for vendors/developers, and a laundry list of requirements that serve narrow interests.

    Second, if we care about patient health, it's not intuitively obvious why some requirements are where they are. For example, why is "Vital Signs, BMI, and Growth Charts" excluded on the MU list, but "Transmission to Public Health Reporting -- health surveys" is included on the MU list?

    Third, it feels as if every wish of every stakeholder was included in the rule without setting priorities, rather than being specifically focused on functions that directly serve patient care and patient engagement. There is not a really bad idea among the 68 proposed requirements, but do all of the problems of public health and Medicare FFS post-payment medical documentation review and safety-enhanced design and a host of other needs have to be solved at the same time as MU-related certification? ONC estimates that all the development they propose would take 23,000 hrs to 47,000 hrs to develop. They have improved at estimating but that is still low (for example, for safety-enhanced design, they estimate 300-600 hrs, but it's taken most vendors >1000hrs in the past and they just doubled the number of things you're expected to summative usability test). And by ONC's own estimates, vendors will have to spend 44% more development hours to meet all of the non-MU related certification requirements. It would be much more simple if ONC created a 2015 Edition Rule for only MU-required functions, and then separate rules for the many other non-MU certifications that it would like to propose.

    Fourth, while the API part of the Certification Rule seems to reflect the lessons learned from our experience with Direct, other areas seem to be making some of the same mistakes. By casting the net so widely on the types of functions it wants to certify, the Rule inevitably proposes some standards that are not sufficiently market-tested to be de facto requirements for the entire industry. The Health IT Standards Committee developed a very thoughtful framework for identifying which standards will have high chances of market acceptance. Standards for such functions as provider directories, multi-entity care plans, exchange of CDS interventions, submission of FFS post-payment documentation, data segmentation to meet cumbersome federal substance abuse law requirements, etc. don’t yet meet that test. Standards for public health transactions (such as requiring bidirectional interfaces for immunization registries and reportable conditions reporting) are not only novel, they are not even deployed by most public health agencies. We should have a high bar for anointing a standard to be worthy of federal-level certification, even if such requirements are “voluntary”. The Rule does much to promote the move to RESTful APIs, and in most cases, we may very well find that following the path of Facebook, and Google, and Twitter will be much faster and valuable than burdening the industry with even more older generation, health-care specific approaches.

    The Ugly

    If a clinician has 12 minutes to see a patient, be empathetic, document the entire visit with sufficient granularity to justify an ICD-10 code, achieve 140 quality measures, never commit malpractice, and broadly communicate among the care team, it’s not clear how the provider has time to perform a "clinical information reconciliation" that includes not only medications and allergies, but also problem lists 80% of the time.

    Maybe we need to reduce patient volumes to 10 per day? Maybe we need more scribes or team-based care? And who is going to pay for all that increased effort in an era with declining reimbursements/payment reform?

    As one of us wrote about in the Information Week article, Boiling the Frog, each incremental proposal is tolerable, but the collective burden is making practice impossible.

    The sheer number of requirements may create a very high, expensive and complex set of barriers to product entry. It may stifle innovation in our country and reduce the global competitiveness for the entire US Health IT industry by over-regulating features and functions with complicated requirements that only apply to CMS and US special interests. The certification criteria are often not aligned with what EHR users ask for. In some cases, the criteria are completely designed to accrue benefits to people who aren't feeling the opportunity cost. So if certification is loaded by non-EHR users, EHR users are going to find that even if the MU objectives are fewer in number and more focused, that their EHRs are focused on a lot of things they haven't asked for.

    There needs to be a very public discussion with providers as to who should prioritize EHR development -- ONC and the stakeholders they've included, or EHR users. The work of the country over the next few months needs to be achieving a consensus about what should be in the Certification rule and what should be removed. If industry, academia, clinicians, payers, and patients can align on a minimal set of requirements, we're confident ONC will listen.

  • 23 Mar 2015 9:34 AM | Anonymous

    Retrieved from | By Darius Tahir | March 20, 2015

    Draft regulations the CMS issued Friday would make significant changes to the federal incentive program that requires doctors and hospitals to adopt and meaningfully use electronic health records.

    With some exceptions, hospitals, physicians and other eligible professionals would be expected to conform to the rules (PDF) by 2018.

    Physicians and hospitals have lobbied aggressively for the CMS to relax the program's parameters. The agency said in January it would issue separate regulations narrowing the reporting period to 90 days for attesting to meeting the requirements for 2015.

    The proposed rule would require nearly all providers to report on a full calendar-year cycle beginning in 2017 and would require electronic reporting of clinical quality measures beginning in 2018.

    “The release of today's rule demonstrates that the agency continues to create policies for the future without fixing the problems the program faces today,” the American Hospital Association said in a statement Friday. “It is difficult to understand the rush to raise the bar yet again, when only 35% of hospitals and a small fraction of physicians have met the Stage 2 requirements.”

    Physicians and other eligible professionals who fail to meet the requirements are expected to pay $500 million in Medicare penalties between 2018 and 2020, according to the proposed rule. The agency said it expects all hospitals to achieve meaningful use by 2018.

    Upgrading EHRs to meet the requirements, the agency estimates, will cost physicians $54,000, plus $10,000 in annual maintenance costs. That's at the high end of what the Congressional Budget Office calculated in 2008. The CMS said upgrades would cost hospitals $5 million, plus $1 million for annual maintenance.

    The rule would give providers three options for ensuring patient engagement with their care, of which providers must fulfill two: access to their own records; secure messaging between patients and providers; and collection of patient-generated health data.

    The first two elements had attracted consistent criticism from providers in previous stages of the program, but the exact impact is unclear. In the Stage 2 rules, 5% of patients would have to view, download or transmit data from their records, which providers said made them responsible for the engagement regardless of whether patients were interested.

    The new rule would raise that engagement threshold to 25% of patients downloading or transmitting their health data. But providers can now satisfy the requirement with an application programming interface, or API, that allows third-party developers to access the data on their patients' behalf.

    The rule would also impose a similar increase in the rate of secure messaging: from 5% in Stage 2, to 25% in Stage 3.

    Meanwhile, the provision would compel providers to collect patient-generated health data in their EHRs from devices such as Fitbits or mobile apps developed with Apple's HealthKit API. Providers would have to capture data from 15% of their patients to comply.

    The digital health industry pushed aggressively for the CMS to push providers to collect the data their products generate. “I'm beyond pleased and finally vindicated,” said Robert Jarrin, Qualcomm's senior director of government affairs.

    The proposal also raises the thresholds for “computerized physician order entry,” which allows doctors to send requests for drugs, lab tests and imaging electronically. Providers would be expected to order 80% of medications electronically, up from 60% under Stage 2 of the program. The requirement for electronic lab and imaging orders would rise to 60% from 30%.

    For imaging, the proposed rule expands the requirement from radiology to a broader array of tests, including ultrasound, MRI and CT scans.

    Separate regulations proposed by HHS' Office of the National Coordinator for Health Information Technology overhaul the certification program (PDF) for healthcare IT, which is intended to give healthcare providers certainty that the software they buy can perform the functions required under the meaningful-use program.

    Comments on the proposals are due May 29.

  • 18 Mar 2015 10:38 AM | Anonymous
    Retrieved from | By Adam Rubenfire | March 17, 2015

    Premera Blue Cross, a health plan in the Pacific Northwest, was hit with the second-biggest cyberattack in healthcare industry history, exposing the personal, financial and medical information of more than 11 million customers.

    The Mountlake Terrace, Wash.-based company discovered the attack on Jan. 29, 2015. An investigation revealed that the initial attack occurred May 5, 2014. The breach affected Premera Blue Cross, Premera Blue Cross and Blue Shield of Alaska, and Premera affiliate brands Vivacity and Connexion Insurance Solutions.

    Premera said the company has not been able to determine if any data was actually removed from the company's systems and that there's no evidence that any of the records in the breached system have been used inappropriately.

    The revelation comes just six weeks after Anthem, the nation's largest investor-owned Blues licensee, disclosed that hackers had stolen the records of nearly 80 million from its IT system.

    Information exposed in the hack dates back to 2002. The company said the records could include members' names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information.

    As with the Anthem hack, the Premera breach affects some customers of other Blues plans that participate in the national, reciprocal claims payment network called BlueCard, a Premera spokeswoman confirmed. The network is often used for members who travel out of their insurer's service area for care.

    Premera Blue Cross is beginning to mail letters to affected customers offering two years of free credit monitoring and identity theft protection. The company also has established a call center and a website dedicated to information about the breach.
    "We at Premera take this issue seriously and sincerely regret the concern it may cause," Premera CEO Jeff Roe said in a statement. "As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people's information."
    If the ongoing investigation confirms that no data was removed from Premera's system, customers could face less of a risk than Anthem's customers. But the company may be offering protection to customers because it can't be sure that's the case, said Mac McMillan, a healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy.
    "It could very well be they can't prove the negative," McMillan said. "They can't disprove that these people had access to that information."
    It's possible but not likely that the individuals could have downloaded the data from Premera's servers but left no evidence that they removed the data, McMillan said. Stealing data without leaving a trace is very difficult, he said, because usually only high-level administrators have the ability to eliminate audit trails.

    Hackers also may have infiltrated the system without the intention of stealing data, McMillan said. Cyberattackers sometimes look for insecure systems and manipulate them to create bots that can be used in other cyberattacks, he said.

    Premera has worked closely with the FBI and Mandiant, a major cybersecurity firm, to investigate and remove the "infection created by the attack," the company said. An FBI spokeswoman said in a statement that Premera "quickly" notified the law enforcement agency about the attack but declined to give a specific time frame.

    In the Anthem hack, the initial investigation indicated that members' bank or clinical records were not exposed. The inclusion of that information in the Premera breach makes it particularly disconcerting, said Pam Dixon, executive director of the World Privacy Forum, a San Diego-based not-for-profit organization that pioneered research into the field of medical identity theft.
    "The recent spate of advanced medical breaches show us that the word is out about the value of medical data, and the sophisticated level of criminals making these attacks," Dixon said in a statement. "Patients need to be prepared and educated about both medical ID theft and phishing, and providers need to be honest about the risk of medical forms of ID theft."
    Cyberattacks are one of the least common ways that protected health information is exposed, but the episodes typically involve dramatically bigger numbers of records.

    Nearly three-quarters of the records exposed in healthcare breaches reported to HHS have been linked to cyberattacks, even though those attacks account for less than 10% of the breaches, according to a Modern Healthcare analysis of HHS data.

    "(Hackers) clearly have an eye on these types of organizations who hold financial information, but also very sensitive healthcare information," said Paul Bantick, an underwriter for cybersecurity insurer Beazley, which also provides services for organizations responding to attacks.

    "The best way for these organizations to mitigate the damage," Bantick said, "is to respond and contain it as best as you can."

  • 17 Mar 2015 4:02 PM | Anonymous
    Retrieved from   |   By Ivan Ristic   |   March 17, 2015

    Vulnerabilities such as Heartbleed, POODLE, and FREAK are starting to alert the world to the importance of good security hygiene in our communication infrastructure. There has never been as much scrutiny of the security of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as there is today. We can trace this interest back as far as 2008, and it shows no signs of slowing down. But although most attention is on protocol vulnerabilities, most organizations don't realize that their own actions are proving to be the bigger problem in practice.

    In most companies—it seems—certificates are accounted for using spreadsheets. Security of secure servers is flagged up only when there is a major public discovery. Otherwise, little is done to get the most out of the security mechanisms that are available today. We can't really say that system administrators are to blame: TLS is notoriously flexible and configuring it correctly requires great time and effort. Furthermore, application-layer decisions can often negatively impact the security of otherwise properly configured servers.

    In 2009, we began our work on SSL Labs, our research centre for SSL, TLS, and Internet PKI, with the aim of understanding how these technologies are used around the world, and of providing tools and documentation to help everyone make the most of them. Although the list of best practices is long (we maintain a concise document called SSL/TLS Deployment Best Practices; it currently has 14 pages), over time we realized that there is a small number of super-important things to get right.

    Encrypt your entire web site

    If you're currently deploying encryption only on a part of your web site, you're leaving a huge gap for your adversaries to exploit. Using so-called SSL stripping attacks, network attackers can gain control of any unencrypted user session and prevent it from ever moving to an encrypted connection. With full encryption, there's no opportunity for network attackers to strike.

    Almost equally importantly, you should deploy a new standard called HTTP Strict Transport Security, which ensures that your users' browsers never attempt insecure communication, even when tricked by savvy attackers.

    Deploy modern protocols and cipher suites

    If you haven't looked at your servers in a couple of years, chances are that, even if they are not obviously insecure, they are running obsolete security protocols. If so, you should plan to upgrade as soon as possible to use new features such as TLS 1.2, forward security and authenticated encryption suites, and to phase out old features such as SSL 2, SSL 3, RSA key exchange, CBC suites, and RC4. Additionally, these days SSL configuration is used as a proxy to determine someone's security posture. This is yet another reason to upgrade now and show that your security is strong!

    Phase out your existing SHA1 certificates

    This is not really a part of our best practices, but something you need to do today. The PKI ecosystem is currently transitioning away from weak SHA1 certificates. Although the hard transition deadline is at the end of 2016, some long-lived SHA1 certificates today might produce warnings in browsers. If you have SHA1 certificates that expire in 2016 or later, you should act now to replace them with SHA256 certificates. Alternatively, if you're worried about cutting off some parts of your user base, continue to use SHA1 but with certificates that expire in 2015.

    Monitor your site and mitigate known problems

    Nothing stays perfectly secure. Even if you do your best today, a new disclosure tomorrow may break your security. The only way to deal with this problem is to continuously monitor your security posture and react when changes are detected. For SSL, we provide free assessment tools on our web site. Our server assessment tool will not only tell you about potential security problems, but also about issues that might impact your site availability. And, if you have a large number of servers to scan, we also have a free API to help you automate that task.
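    The four checks recommended above, run over a server inventory instead of a spreadsheet, as an added example that is not from the original article or from SSL Labs. The inventory records, their field names and the host names are constructed for illustration; cipher suites use their IANA names.

```python
from datetime import date

# Items the article says to phase out or replace.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
SHA1_CUTOFF = date(2016, 1, 1)  # SHA1 certs expiring in 2016 or later need replacing


def parse_hsts(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    if not header:
        return None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


def suite_problems(suite):
    """List the phase-out categories that one cipher suite name falls into."""
    problems = []
    if "_RC4_" in suite:
        problems.append("RC4")
    if "_CBC_" in suite:
        problems.append("CBC")
    if suite.startswith("TLS_RSA_WITH_"):
        problems.append("RSA key exchange")
    return problems


def is_modern(suite):
    """Forward-secret key exchange combined with authenticated encryption."""
    forward_secret = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = "_GCM_" in suite or "CHACHA20_POLY1305" in suite
    return forward_secret and aead


def audit_server(rec):
    """Return findings for one inventory record (hypothetical field names)."""
    findings = []
    max_age = parse_hsts(rec.get("hsts"))
    if max_age is None:
        findings.append("no valid HSTS header")
    elif max_age == 0:
        findings.append("HSTS disabled (max-age=0)")
    for proto in sorted(OBSOLETE_PROTOCOLS & set(rec["protocols"])):
        findings.append(f"obsolete protocol {proto}")
    if "TLSv1.2" not in rec["protocols"]:
        findings.append("TLS 1.2 not offered")
    for suite in rec["suites"]:
        findings.extend(f"{suite}: {p}" for p in suite_problems(suite))
    if not any(is_modern(s) for s in rec["suites"]):
        findings.append("no forward-secret AEAD suite")
    if rec["cert_sig"].lower().startswith("sha1") and rec["cert_not_after"] >= SHA1_CUTOFF:
        findings.append("SHA1 certificate expires in 2016 or later")
    return findings


GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
INVENTORY = {  # constructed sample data
    "www.example.test": {"hsts": "max-age=31536000; includeSubDomains",
        "protocols": ["TLSv1.2", "TLSv1.1"], "suites": [GCM],
        "cert_sig": "sha256WithRSAEncryption", "cert_not_after": date(2016, 6, 1)},
    "legacy.example.test": {"hsts": None, "protocols": ["SSLv3", "TLSv1"],
        "suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
        "cert_sig": "sha1WithRSAEncryption", "cert_not_after": date(2017, 3, 1)},
    "shop.example.test": {"hsts": "max-age=0", "protocols": ["TLSv1.2"],
        "suites": [GCM],
        "cert_sig": "sha1WithRSAEncryption", "cert_not_after": date(2015, 11, 30)},
}

if __name__ == "__main__":
    for host, rec in INVENTORY.items():
        print(host, audit_server(rec) or "OK")
```

    The third host passes the certificate check because its SHA1 certificate expires in 2015, the fallback the article allows for sites worried about cutting off part of their user base.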

  • 11 Mar 2015 4:12 PM | Anonymous
    Bipartisan bill would increase access to Medicare data

    Retrieved from   |   Beth Walsh  |  Mar 11 

    Bipartisan legislation introduced by Senators Tammy Baldwin (D-Wisc.) and John Thune (R-S.D.) would increase the transparency of healthcare costs in Medicare.
    “Medicare is the single largest payer of healthcare services in the country, spending over $600 billion each year. But we know very little about what we are paying for,” said Baldwin in a release. “The Quality Data, Quality Healthcare Act provides access to that data and puts it into the hands of those who can best use it, helping doctors make more informed decisions and improving how we deliver healthcare.”
    “Almost every business relies on metrics to evaluate what it is doing well and what it needs to improve, CMS—America’s largest health care payer should be no different,” said Thune. “Providing access to data that can be used to evaluate healthcare services is a critical component of increasing transparency and reducing healthcare costs. I hope our colleagues will join us in supporting this common-sense measure to improve the quality of healthcare while reducing costs.”
    As the largest payer of healthcare in the United States, the Centers for Medicare & Medicaid Services (CMS) sits on a wealth of information that can help inform healthcare providers in making better decisions that will improve patient care and reduce costs. Economists have argued that expanding access to Medicare cost and utilization data will increase efficiency in healthcare delivery, reduce costs and improve the quality of care.

    The senators said that recent efforts by the administration to increase access to Medicare data are promising, but lack the necessary detail and context to be most useful. They said that the Qualified Entity (QE) program is a more promising effort created by Congress that allows organizations to access and analyze comprehensive Medicare data for select purposes. "The QE program has the potential to empower our nation’s healthcare decision-makers to make better choices. However, current law is far too restrictive on which organizations can participate in the QE program, what QEs can do with the Medicare data once they have received it and the degree to which QEs can support their own data maintenance infrastructures," they said.

    The Quality Data, Quality Healthcare Act would allow organizations receiving Medicare data to analyze and redistribute it to authorized subscribers, such as insurers, health systems and physicians, so that subscribers can make more informed decisions. It also would permit those entities to charge a fee to their subscribers so that the organizations can conduct robust analyses to improve healthcare quality and reduce costs.

    The senators first introduced this bipartisan legislation last Congress. It is supported by a broad coalition, including: AARP, American Academy of Family Physicians, ASC Association, Health Collaborative, National Coalition on Health Care, National Association of Manufacturers, National Consumers League, National Retail Federation, Network for Regional Healthcare Improvement, Pacific Business Group on Health, and Midwest Business Group on Health.

    Access a summary of the act.

  • 11 Mar 2015 3:49 PM | Anonymous
    BCBSMA, American Well to launch video visits pilot with two physician groups

    Retrieved from mobiHealthNews   |   Aditi Pai   |   Mar 11, 2015

    Blue Cross Blue Shield of Massachusetts has partnered with American Well to pilot the company’s video visits offering, called WellConnection, with two physician groups, Emerson Physician Hospital Organization (Emerson PHO) and Lowell General Physician Hospital Organization (LGPHO). BCBSMA nurse care managers will also pilot the offering with members.

    WellConnection is a white-labeled version of American Well’s digital video visits offering that helps patients consult with physicians via their computers, smartphones, or tablets.

    The physician groups participating in the pilot are a part of BCBSMA’s Alternative Quality Contract (AQC) program, which is what the payor calls its accountable care initiative. BCBSMA launched its AQC model in 2008.

    Over the course of the two-year pilot, providers will use WellConnection to conduct video visits with patients to address a variety of health issues that are ultimately up to the discretion of the participating physicians. BCBSMA offered up a few examples: providers can use the offering to monitor a patient’s concussion recovery, offer wellness coaching, check the patient’s response to a medication, or monitor a patient’s recovery after they were hospitalized.

    BCBSMA Director of Network Innovation Greg LeGrow told MobiHealthNews that video visits have the potential to improve cost, access, quality, efficiency, as well as patient and physician satisfaction.
    "On the cost and utilizations front, we really see telemedicine having the capability to better manage cost by scheduling and shifting certain portions of care to a telemedicine or video visit," LeGrow said. "Number two is preventing potential unnecessary emergency department visits as well as shifting some of those visits to other resources. So moving it from, perhaps, a physician to physician extenders or nurse practitioners. We also think there is an ability to improve access. That’s really just providing patients with more timely, convenient, and cost-effective alternatives to coming into the office."
    LeGrow added that although cost, access, and satisfaction are important, the cornerstone of the Alternative Quality Contract is to improve quality, and video visits will help with this, especially because, he said, this offering can help providers better manage patients’ chronic conditions, which generally require more frequent follow-ups.

    BCBSMA is encouraging providers to use this tool with all of their patients — even those who are not covered under Blue Cross — but physicians have the discretion to waive fees for their Blue Cross insured patients.
    "Not all providers might want to waive fees for Blue Cross of Mass members for every use case," LeGrow said. "If it is to deal with a simple acute condition, such as a sinus infection, a headache, a urinary tract infection, they may still want to have that service fee and have that service fee be a governor, just like a copay does — to have the patients have some skin in the game. But for conditions where they typically don’t bring patients into the office, if they’re doing chronic condition management and following up with phone calls, they may want to do that video visit. We believe that a video visit could improve engagement with these members and in those cases they’d probably think of waiving those fees."
    An early version of this pilot was first announced in July 2013, but wasn’t launched until now.
    "We have worked very hard to find the right groups who were interested and willing to participate and honestly have the right use cases put forward in order to test the efficacy of telemedicine," LeGrow explained. "So this is coming to fruition."
    When the pilot was announced, American Well CEO Dr. Roy Schoenberg said BCBSMA was one of the first payors "to embrace telehealth under the flag of improving [care] quality".

    The two practices from the Lowell General Physician Hospital Organization participating in the trial are Mill City Medical Group of Lowell and the office of Damian Folch of Chelmsford. Emerson PHO is still identifying which practices from its organization are participating.

Massachusetts Health Data Consortium
460 Totten Pond Road | Suite 690
Waltham, Massachusetts 02451

© Massachusetts Health Data Consortium