WEDI comments address No Surprises Act, cyber incident reporting
Organization renews call for delays in implementing NSA, and it calls for change in defining ransomware attacks as data breaches.
The Workgroup for Electronic Data Interchange last week submitted comments to two federal agencies, focusing on the No Surprises Act and to a request for information on cyber incident reporting.
WEDI has issued a string of concerns about the No Surprises Act, and in its latest letter to the departments of labor and the Health and Human Services, and the Office of Personnel Management, the industry group centered its comments around the advanced explanation of benefits and good faith estimate of the cost of medical services, which the No Surprises Act contains.
The No Surprises Act requires that uninsured, self-pay, and commercially insured individuals get good faith estimate (GFE) of the cost of medical service. When care involves multiple providers or facilities, a “convening provider or facility” is responsible to contact other providers or facilities, or co-providers, that may be involved, compiling the GFEs and giving them to the individual.
No Surprises Act concerns
WEDI’s comments ask the departments and OPM to “explore opportunities to decrease the expected administrative burden associated with the data exchange requirements and develop an implementation glidepath that best meets the needs of providers, facilities, health plans and the patients they serve.”
Achieving the information exchange necessary for compiling accurate good faith estimates is complicated by the fact that “there are currently no standards and no established provider, facility and health plan automated workflows for AEOBs or GFEs,” WEDI’s comments note. “Absent these standards and workflows, we have significant concerns” about how regulation requirements can be met.”
The departments’ RFI asks for feedback on the potential to use FHIR-based APIs for real-time exchange, but WEDI contends that it is “difficult to answer without (having) the business requirements of the AEOB and GFE better specified.”
WEDI’s letter also raises concerns about privacy and security of protected health information; GFE capabilities’ inclusion as part of EHR certification; capabilities of small and rural providers to meet requirements; and the need for a staged approach to enable full and reasonable adoption of the regulations.
Other industry organizations have voiced concerns about the implementation of the act. For example, the American Hospital Association and American Medical Association have filed a brief in support of a lawsuit over the independent dispute resolution process for determining payments to out-of-network providers. Objections to these provisions have also been raised by the House Ways and Means committee, saying that the dispute resolution process doesn’t follow the letter or intent of the law.
Cyber incident reporting, ransomware
In addition, last week WEDI submitted a response to the Cybersecurity Infrastructure and Security Agency (CISA) “Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022.”
In its response, WEDI offers suggestions on how best to develop a cyber incident reporting program and general recommendations on addressing ransomware attacks. WEDI urges the adoption of an incident reporting process “that both meets the needs of a wide array of stakeholder types and is streamlined in such a way that does not overly burden those entities reporting a cyber incident.”
It urges recognition of the challenges faced by smaller entities in reporting; simplifying the reporting process that can be web-based; creating sample reports to exemplify what to provide; permitting the reporting of supplemental reporting; establishing a secure reporting environment that protects reported data; and more.
The WEDI comment highlights the danger of ransomware, particularly to small providers, and the need to disengage such attacks from being labeled as data breaches.
“This equating of ransomware with a traditional breach of protected health information (PHI) is inappropriate,” WEDI contends. “It is unreasonable and counter-productive for an entity to be penalized by the federal government for a ransomware attack that is beyond their control. We are concerned that the threat of punitive measures being imposed by the federal government following a ransomware attack could act as a deterrent against reporting the event.
“We strongly recommend the federal government institute a policy to establish that ransomware is not considered a data breach when the covered entity has deployed a recognized security program and when no PHI has been accessed,” WEDI concludes. “Should no breach of the data occur that results in data being accessed by unauthorized entities and the covered entity be found to have a made good-faith effort to deploy a recognized security program and instituted security policies and procedures, the covered entity should not be deemed to have experienced a data breach.”