CHIME Comments to CMS on FY 2025 IPPS Proposed Rule

Download PDF

June 10, 2024

Submitted via the Federal eRulemaking Portal: http://www.regulations.gov

Administrator Chiquita Brooks-LaSure

Centers for Medicare and Medicaid Services

7500 Security Boulevard

Baltimore, MD 21244

RE: Medicare and Medicaid Programs and the Children’s Health Insurance Program; Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long-Term Care Hospital Prospective Payment System and Policy Changes and Fiscal Year 2025 Rates; Quality Programs Requirements; and Other Policy Changes [CMS-1808-P]

Dear Administrator Brooks-LaSure:

The College of Healthcare Information Management Executives (CHIME) appreciates the opportunity to comment on the Centers for Medicare & Medicaid Services’ (CMS) hospital inpatient prospective payment system (IPPS) proposed rule for fiscal year (FY) 2025 as published on May 2, 2024 in the Federal Register (Vol. 89, No. 86).

Background

CHIME is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs) and other senior healthcare IT leaders. With over 5,000 members, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate; exchange best practices; address professional development needs; and advocate for the effective use of information management to improve the health and healthcare in the communities they serve.

Key Recommendations

In our comments, CHIME provides responses to address the proposals included in this Notice of Proposed Rulemaking (NPRM). Specifically, we are providing comments on proposed new requirements and revision of existing requirements for eligible hospitals and critical access hospitals (CAHs) participating in the Medicare Promoting Interoperability (PI) Program. Additionally, we offer feedback and recommendations to constructively improve the final rule.

CHIME believes the following areas are especially important for CMS to consider when finalizing the provisions in this important proposed rule, and our detailed recommendations are included below:

• Proposed Changes to the Promoting Interoperability (PI) Performance Program
• Proposal to Change Scoring Methodology Beginning with the EHR Reporting Period in CY 2025
• CHIME strongly opposes raising the minimum threshold scoring threshold to 80 points at this time – and recommends a scoring threshold of 70 points.

• Clinical Quality Measurement for Eligible Hospitals and CAHs Participating in the Medicare Promoting Interoperability & Proposal to Adopt eCQMs
• CHIME is concerned that CMS’s ongoing goal to align the eCQM reporting periods and criteria in the Medicare Promoting Interoperability Program with the Hospital IQR Program is inadvertently causing significant regulatory burden.
• While we believe this goal is well-intentioned, in order to reduce the burden of aligning these programs, CHIME respectfully requests that CMS consider adding no more than one new eCQM per reporting period.

• Status of Updates to SAFER Guides
• CHIME applauds CMS for undertaking the update of the SAFER Guides; our members remain staunch champions for promoting safety and the safe use of EHRs.
• Without knowing what and how the updates to them will be, we respectfully request that CMS consider a step-wise approach (i.e., glidepath) before requiring our members to attest to the updated versions of the SAFER Guides.
• At minimum, CMS should provide an additional two-year period – without penalty – before a review and annual self-assessment of the updated SAFER Guides is required for eligible hospitals and CAHs to attest “yes” to the SAFER Guides measure.
• Eligible hospitals and CAHs have grown familiar and spent millions of dollars and hours to complete the complex process of attesting to each of the nine SAFER Guides; therefore, we recommend that CMS offer flexibility with future attestation requirements as well as an incentive for “early adopters.” It is critical that regulations do not inadvertently create overly duplicative requirements, penalize healthcare providers unfairly, and add burden.

By creating this opportunity for stakeholders to engage – especially those with the subject matter and expertise in healthcare information technology (IT) – throughout the policy development and implementation process, we believe invaluable input will be garnered.

Proposal to Change Scoring Methodology Beginning with the EHR Reporting Period in CY 2025

For the EHR reporting period in CY 2025 and subsequent years, CMS is proposing to increase the minimum scoring threshold from 60 points to 80 points. CMS’s review of the CY 2022 Medicare Promoting Interoperability Program’s performance results found 98.5 percent of eligible hospitals and CAHs (that is 97 percent of CAHs and 99 percent of eligible hospitals) that reported to the Medicare Promoting Interoperability Program successfully met the minimum threshold score of 60 points, and 81.5 percent of eligible hospitals and CAHs (that is 78 percent of CAHs and 83 percent of eligible hospitals) that reported to the Program exceeded the score of 80 points.

CHIME believes that if CMS increases the minimum scoring threshold, it should be to 70 points. As CMS indicates, nearly 20 percent of eligible hospitals and CAHs are not meeting or exceeding the score of 80 points. Further, we have heard from our members – including those that are larger, and well-resourced – that some are barely achieving 80 points (i.e., hovering at exactly 80 points), and not excessively and comfortably exceeding that threshold. Given the level of uncertainty hospitals and healthcare providers are currently facing related to financial outlook and workforce, we fear that the eligible hospitals and CAHs that CMS believes are currently meeting the minimum threshold score of 80 points, could actually be on the precipice of slipping below that threshold.

Additionally, members have voiced concern that one of the largest challenges they face in the Promoting Interoperability Program is meeting the mandatory measures which are not scored. For example, the Security Risk Analysis measure, SAFER Guides measure, and attestations required by section 106(b)(2)(B) of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), reporting of electronic Clinical Quality Measures (eCQMs), submission of level of active engagement for measures under the Public Health and Clinical Data Exchange objective – are all required, but not scored. Further, participants may spend only one EHR reporting period at the Option 1: Pre-production and Validation level per measure and must progress to Option 2: Validated Data Production level for the following EHR reporting period. If an eligible hospital or CAH fails to meet any one of these numerous mandatory measures that do not count towards their score under the Promoting Interoperability Program – they fail the Program entirely. Therefore, CHIME strongly opposes raising the minimum threshold scoring threshold to 80 points at this time – and recommends a scoring threshold of 70 points.

While we agree with CMS that adopting a higher scoring threshold can incentivize more eligible hospitals and CAHs to align their health information systems with evolving industry standards and encourage increased data exchange – we do not agree with the scoring threshold increasing by 20 points at this time. CHIME members believe that a higher scoring threshold of 70 points for the EHR reporting period in CY 2025 and subsequent years is far more feasible, and less likely to disproportionately and negatively impact a significant portion of eligible hospitals and CAHs – especially under resourced and safety-net providers.

Clinical Quality Measurement for Eligible Hospitals and CAHs Participating in the Medicare Promoting Interoperability & Proposal to Adopt eCQMs

CMS is continuing to align the electronic clinical quality measure (eCQM) reporting requirements and eCQM measure set for the Medicare Promoting Interoperability Program with similar requirements under the Hospital Inpatient Quality Reporting (IQR) Program. With respect to the Hospital IQR Program, CMS is proposing to adopt two new eCQMs for the Medicare Promoting Interoperability Program and to modify one eCQM, beginning with the CY 2026 reporting period.

While CHIME members broadly remain supportive of program alignment and eCQMs, they are concerned about the regulatory burden that the addition of new eCQMs places on them and their internal resources. eCQMs use data electronically extracted from health information technology (IT) systems to measure the quality of healthcare provided; in turn, eligible hospitals and CAHs must spend significant time and finances to build and track these measures. CHIME respectfully reminds CMS that the process of “building and tracking” of eCQMs is a major, sometimes multi-year effort. It encompasses technical, workforce, financial and legal resources. EHR systems, clinical workflows, and administrative processes often must be redesigned. Clinical and administrative staff need to be educated and retrained, and legal teams must reformulate and align contracts with their vendors.

When implementing a new eCQM, an eligible hospital and CAH is beginning a complex journey. It includes resource planning – involving identification of data elements, reporting the required eCQM data elements using internal or third-party resources, and engaging resources to pull unstructured data or data from outside the EHR.

This “journey” continues with internal preparation – including identifying workflow impacts and changes, planning for EHR changes, planning for clinical workflow changes, evaluating internal incentives and policy changes, and planning reporting capabilities to monitor compliance of workflow changes. It goes on with systems modifications – implementing EHR updates (working with internal technical teams and system vendor/s), testing the EHR changes, training clinical staff and leaders, and integration into the EHR and care delivery. There is also eCQM data submission and feedback – involving the validation of data captured, submission of data, reviewing vendor dashboards to identify improvement needs, receiving the eCQM reporting results from CMS, conducting additional analysis using CMS data (e.g., for billing analysis and value-based care), communicating the performance results to clinicians to correct gaps, conducting continuous monitoring, downloading of the eCQM annual update and reviewing of the eCQM and code set updates.

While eCQMs are designed to improve care quality and outcomes by providing valuable data for healthcare improvement, the workflow and time burden they place on clinicians highlight the need for CMS’s careful consideration before requiring them. Clinicians must spend significant time entering data into EHRs to ensure all necessary information is captured for each eCQM – which takes invaluable time away from caring for their patients. The need to input data into EHRs in real-time can lead to frequent interruptions during patient consultations, affecting the quality of patient interactions. Further, ensuring the accuracy and completeness of the data can be challenging and time-consuming, as eCQMs require detailed and specific information.

Given the above process and “journey” of building, tracking, and implementing eCQMs – CHIME members are concerned that CMS’s ongoing goal to align the eCQM reporting periods and criteria in the Medicare Promoting Interoperability Program with the Hospital IQR Program is inadvertently causing significant regulatory burden. While we believe this goal is well-intentioned, in order to reduce the burden of aligning these programs, CHIME respectfully requests that CMS consider adding no more than one new eCQM per reporting period.

Status of Updates to SAFER Guides

In this proposal, CMS notes that they received comments in the FY 2024 IPPS/LTCH PPS proposed rule recommending that they work with the Office of the National Coordinator for Health IT (ONC) to update the SAFER Guides, citing that the SAFER Guides were last updated in 2016. In our comment letter in response to last year’s proposed rule, CHIME was strongly supportive of updating the SAFER Guides, and was one of the commenters CMS indicated.

Additionally, in response to these comments, CMS noted that, while the current SAFER Guides reflect relevant and valuable guidelines for safe practices with respect to current EHR systems, they would consider exploring updates in collaboration with ONC. CMS also noted that future updates to the SAFER Guides would be provided with accompanying educational and promotional materials to notify participants, in collaboration with ONC, when available.

In our comment letter to last year’s proposed rule, CHIME noted that, according to the General Instructions for the SAFER Self-Assessment Guides from ONC – they “are based on the best evidence available at this time (2016), […] The recommended practices in the SAFER Guides are intended to be useful for all EHR users . However, every organization faces unique circumstances and will implement a particular practice differently. As a result, some of the specific examples in the SAFER Guides for recommended practices may not be applicable to every organization [emphasis added].” Therefore, we strongly opposed implementing a mandatory requirement for all eligible hospitals and CAHs to attest to all nine SAFER Guides in CY 2024. Further, we requested that there should be a delay of this proposal until CMS completes a series of recommendations – including undertaking a review the SAFER Guides to update them and reduce redundancies .

However, in the FY 2024 IPPS/LTCH PPS final rule, CMS finalized a proposal to modify the requirement for the Safety Assurance Factors for EHR Resilience (SAFER) Guides measure beginning with the EHR reporting period in CY 2024 and continuing in subsequent years, to require eligible hospitals and CAHs to attest “yes” to having conducted an annual self-assessment using all nine SAFER Guides, at any point during the calendar year in which the EHR reporting period occurs to be considered a meaningful user.

In this proposed rule, CMS is “seeking to make readers aware that efforts to update the SAFER Guides are currently underway.” CHIME applauds CMS for undertaking the update of the SAFER Guides; our members remain staunch champions for promoting safety and the safe use of EHRs.

CMS anticipates that updated versions of the SAFER Guides may become available as early as CY 2025, and they would consider proposing a change to the SAFER Guides measure for the EHR reporting period beginning in CY 2026 to permit use of an updated version of the SAFER Guides at that time. While we are appreciative that CMS is updating the SAFER Guides, and believe it is a positive step – we are concerned that the above timeline and uncertainty could present challenges for our members.

As CMS stated in the FY 2024 IPPS/LTCH PPS final rule:

With regard to the estimated annual costs associated with the proposal, […] we acknowledge that while an upfront investment of resources and staff time may be needed to conduct a SAFER Guides self-assessment, we believe the cost is outweighed by the potential for improved healthcare outcomes, increased efficiency, reduced risk of data breaches and ransomware attacks, [emphasis added] and decreased malpractice premiums.

CHIME also urges CMS to take into consideration the increasingly complex cybersecurity landscape hospitals and health systems must navigate and urge the agency to reconsider the timeline CMS has established for eligible hospitals and CAHs to attest to all nine SAFER Guides. Hospitals are spending an increasing amount of time, energy and resources navigating this highly challenging and evolving environment, which is an issue we have identified in several previous comment letters and during conversations with CMS. This year has already proven to be incredibly challenging following the Change Healthcare cyberattack.

On February 21, 2024, an unprecedented cyberattack on Change Healthcare, a unit of UnitedHealth Group (UHG) became known, and the concerns among our members have mounted related to what could – from all indications – amount to the largest breach of the healthcare sector. Change Healthcare processes claims on behalf of hundreds of thousands of clinicians and providers, and several terabytes of possibly protected health information (PHI) are alleged to have been stolen and held for ransom. Providers affected by this breach are so numerous that a specific number is not readily available.

Hostile nation states have grown increasingly aggressive with their tactics, attacking hospitals and other healthcare stakeholders daily. Bringing down a hospital or multiple healthcare delivery organizations (HDOs) at once is a risk for the nation and it shakes the confidence and trust of everyday Americans which is precisely what hostile nation states intend. They are looking to exact both physical, financial, and psychological harm.

Healthcare data and patient information remain lucrative targets for theft and exploitation, particularly through ransomware attacks. Criminal groups and adversarial nation states utilize tactics, techniques and procedures across our Sector – including attacking large, publicly traded companies with far greater resources than most U.S. hospitals and health systems. The overall privacy and cybersecurity landscape has become infinitely more complex for all providers. Cybersecurity attacks are on the rise for providers of all sizes which pose a direct threat to patient safety.

The costs to recover from a data breach in the HPH Sector are staggering – averaging $10 million per incident, which is far higher than any other sector. As a comparison, the costs for a financial entity to recover from a breach are estimated to be $6 million. The fallout after an attack has also been shown to impact patient care – one report found that nearly a quarter of organizations suffering a cyber breach experience higher patient mortality rates. In short, cybersecurity is now also patient safety.

Cybersecurity challenges and threats that our members are facing are what those who have been active in the cybersecurity landscape have known for years – healthcare is under constant threat and more resources are needed for healthcare providers.

As CMS noted in the FY 2024 IPPS/LTCH PPS final rule: “Using the cost to complete all nine self-assessments […] we estimate all 4,500 eligible hospitals and CAHs would require between 20,250 hours […] and 247,500 hours […] at a cost between $8,916,278 […] and $108,976,725 […] to attest “yes” to the measure.” CMS continues: “While the cost to conduct a SAFER Guides self-assessment can be high, we believe the cost is outweighed by the potential for improved healthcare outcomes, increased efficiency, reduced risk of data breaches and ransomware attacks, and decreased malpractice premiums.”

Eligible hospitals and CAHs are spending between nearly $9 million and up to nearly $110 million dollars to conduct the SAFER Guides self-assessment and attest “yes” to the measure. These are precious dollars and resources that could be going to investments to enhance hospital and healthcare systems’ cybersecurity posture and safeguard patient care and patient data. Any investment in cybersecurity for the healthcare sector will be an investment not just in patient safety – but also national security.

CHIME members, even those that are larger and have more resources than most other hospitals and healthcare systems, shared that they found the requirement to perform a self-assessment using all nine SAFER Guides with one “yes/no” attestation statement to be a massive, onerous and financially burdensome undertaking. This remains an extremely concerning indication, especially for our members that are under-resourced, rural, facing workforce shortages and burnout – all while serving the most vulnerable patients.

In this proposal, CMS is encouraging “eligible hospitals and CAHs to become familiar with the updated versions of the SAFER Guides when they become available and consider them as they implement appropriate EHR safety practices.” Hospitals and healthcare systems have grown familiar with the current SAFER Guides and spent countless hours and millions of dollars complying with conducting these self-assessments. Without knowing what and how the updates to them will be, we respectfully request that CMS consider a step-wise approach (i.e., glidepath) before requiring eligible hospitals and CAHs to attest to the updated versions of the SAFER Guides.

Further, in the FY 2024 IPPS/LTCH PPS final rule, CMS stated:

We understand that the initial self-assessment is the most time-consuming, and self-assessments may be less burdensome in subsequent years [emphasis added]. We offered eligible hospitals and CAHs a two-year period to begin the process, without penalty for not being able to complete the self-assessments. Additionally, this two-year period without penalty offered eligible hospitals and CAHs time to review available resources, work with staff and vendors on establishing an annual review process, where they would not be penalized for not having completed the self-assessments.

At minimum, CMS should provide an additional two-year period – without penalty – before a review and annual self-assessment of the updated SAFER Guides is required for eligible hospitals and CAHs to attest “yes” to the SAFER Guides measure.

After that time, CMS could allow eligible hospitals and CAHs to self-select and attest “yes/no” for a self-assessment of three SAFER Guides over a three-year period – if there are still a total of nine SAFER Guides – and especially if there are more than nine. Further, CMS should consider offering an incentive for eligible hospitals and CAHs who use the updated version of the SAFER Guides as soon as they are available.

Currently, the SAFER Guides measure is required but will not be scored. The points associated with the required measures sum to 100 points, and reporting one of the optional measures under the Public Health and Clinical Data Exchange Objective adds an additional 5 bonus points. The scores for each of the measures are added together to calculate a total score of up to 100 possible points for each eligible hospital or CAH.

CMS could offer hospitals ways to earn additional points as part of the Medicare Promoting Interoperability Program if they are taking steps toward using the updated SAFER Guides when they are revised and released. Given that CMS can update its incentives annually to promote interoperability, the agency could create a new/additional objective and measure for “early adoption” of the updated SAFER Guides within the Medicare Promoting Interoperability Program to give eligible hospitals and CAHs the opportunity to earn bonus points, for example.

As CMS considers future changes to the Promoting Interoperability Program, the agency should take steps to encourage eligible hospitals and CAHs that make demonstrable improvements (i.e., self-attesting of the updated SAFER Guides) in this measure, as it is intended for eligible hospitals and CAHs to regularly assess their progress and status on important facets of patient safety. As CMS noted in the FY IPPS/LTCH PPS Final Rule regarding the SAFER Guides, the agency’s “larger focus is for eligible hospitals and CAHs to regularly assess their progress and status on important facets of patient safety.”

CHIME members remain steadfast in their commitment to being partners with their patients to facilitate greater – and safer – interoperability. Eligible hospitals and CAHs have spent millions of dollars to complete the complex process of attesting to each of the nine SAFER Guides; therefore, we recommend that CMS offer flexibility with future attestation requirements as well as an incentive for “early adopters.” It is critical that regulations do not inadvertently create overly duplicative requirements, penalize healthcare providers unfairly, and add burden.

We respectfully request that CMS thoroughly consider any policies that would significantly reduce the considerable time providers must spend navigating these regulatory changes and their rapidly evolving requirements. Additionally, we recommend rewarding those who exceed expectations and adapt early and effectively to these changes. Without any significant reduction in burden on clinicians across the care continuum, the current urgent clinician burnout and workforce shortage that our country is facing will continue to grow. Our members are dedicated to best practices in EHR implementation, prioritizing safety and effectiveness. They take their responsibility to protect the privacy, security, and accuracy of patient data – and, most importantly, the overall safety and well-being of their patients – very seriously.

Conclusion

CHIME respectfully requests that CMS take our comments on the Promoting Interoperability Program into consideration. CHIME and our members remain committed to the successful implementation of the Program, with strong and meaningful data exchanges. Understanding the long-term ramifications of these proposed policies is critical, and CHIME urges CMS to ensure these proposals do not inadvertently pass down burden onto healthcare providers and systems.

As discussed in detail above, CHIME has several recommendations and concerns regarding the proposed changes to the scoring methodology and regulatory requirements. Firstly, CHIME strongly opposes raising the minimum scoring threshold to 80 points for the EHR Reporting Period in CY 2025 and instead recommends a threshold of 70 points. Additionally, CHIME is concerned that CMS’s efforts to align the eCQM reporting periods and criteria in the Medicare Promoting Interoperability Program with the Hospital IQR Program are inadvertently increasing regulatory burden. To mitigate this, CHIME suggests that CMS limit the addition to no more than one new eCQM per reporting period.

Regarding the currently ongoing updates to the SAFER Guides, CHIME appreciates CMS's efforts; however, we request the agency take a step-wise approach before requiring eligible hospitals and CAHs to attest to the updated versions. We also propose a minimum two-year grace period without penalties and advocate for flexibility in future attestation requirements to avoid excessive duplication and unfair penalties. We cannot stress enough the importance of reducing burden on healthcare providers while promoting safety and effective use of EHRs.

CHIME members are executives and senior healthcare IT leaders; thus, we are offering to continue to serve as a resource to CMS as they refine the SAFER Guides and continue towards the goal of enabling providers to make improvements to safety and safe use of EHRs as necessary over time – which CHIME members staunchly support. Our comments are not intended to be censorious – we wish to work with CMS as partners and share the goal of strongly promoting safety and the safe use of EHRs. However, we believe that it needs to be done judiciously, with a stepwise approach.

In closing, we would like to thank you for providing the opportunity to comment and CHIME appreciates the chance to help inform the important work being done by CMS. We look forward to continuing to be a trusted stakeholder and resource to CMS and continuing to deepen the long-standing relationship we have shared. Working together through the rulemaking process, such as with the IPPS, is just one way we can accomplish our shared goals and make meaningful changes in healthcare.

Should you have any questions or if we can be of assistance, please contact Chelsea Arnone, Director, Federal Affairs at [email protected] .

Sincerely,

Russell P. Branzell, CHCIO, LCHIME | President and CEO | CHIME