As we head into Congress' lame-duck session after Tuesday's midterm election, the national policy agenda for healthcare CIOs will revolve around meaningful use, cybersecurity, ICD-10 and patient safety.

[See also: Tips to help CIOs 'survive the madness']

Of most pressing concern to the College of Healthcare Information Management Executives is the start of Medicare penalties in 2015 for hospitals failing to meet meaningful use standards.

At the CHIME 2014 Fall CIO Forum, CHIME Vice President for Public Policy Jeff Smith noted that a surprisingly low number of healthcare providers had successfully achieved Stage 2 meaningful use, and called the trend "troubling."

[See also: CHIME calls for flexibility on Stage 2]

Physicians are in even worse shape than hospitals when it comes to meaningful use. "The hospitals, by comparison, are leagues ahead right now," Smith said.

Even if thousands more doctors meet and attest to Stage 2 before the end of the year, the vast majority of the more than half-million eligible providers are at risk of being penalized.

That, Smith added, means many will be calling their representatives in Congress – and about the only thing Congress knows how to do with something like meaningful use is to kill it.

"I think meaningful use has been to a degree a victim of the federal rule-making process," Smith said. However, the huge initiative is "fundamentally recalibrating" how healthcare is delivered, so it is not surprising that there have been hiccups.

A full repeal of the EHR incentive program probably is the worst-case scenario, according to Smith -- but one not likely to happen with divided government that probably will continue in President Obama's final two years in office.

"We're still engaged with CMS to try and figure out a way to make these (attestation) numbers better," said Smith.

CHIME and 47 other organizations sent a letter to HHS back in February calling for the meaningful use reporting period to be cut to 90 days from the full year in 2015, as has been the case in 2014. CMS did not budge from that full-year requirement, but did widen hardship exemptions and issued a "modifications rule" to address the fact that EHR vendors were having a hard time getting their products certified to 2014 standards.

Those moves, Smith said, proved that, "we weren't just crying wolf."

Recently, Reps. Renee Ellmers (R-N.C.) and Jim Matheson (D-Utah), introduced the Flexibility in Health IT Reporting (Flex-IT) Act, which would allow a shortened reporting period in 2015 for those who want it.

"We don't think a whole lot of folks are going to be successful if they are going to have a reporting period of 365 days," Smith said.

Whether or not Congress takes up this bill after Election Day, Smith expressed a belief that CMS already has legal authority to make the changes, but often isn't fazed by bad news such as the low MU2 numbers, so it may be hesitant to act unless forced to by Congress.

Looming on the horizon is meaningful use Stage 3. CHIME expects to see a proposal from CMS early next year and a final rule by June, assuming the Medicare agency sticks to its history of giving providers about a year and a half to get ready. Stage 3 is set to begin Oct. 1, 2016, for hospitals and Jan. 1, 2017, for physicians. With such a tight schedule, "we could be looking at the exact same situation in a couple of years, Smith said.

Meanwhile, the deadline for ICD-10 compliance is set at Oct. 1, 2015, after Congress quietly slipped a year delay into legislation designed to address the Medicare Sustainable Growth Rate, catching the health IT community off guard. CHIME was against the delay, and remains committed to getting the transition to ICD-10 finished as quickly as possible.

And ICD-10 too, at long last?

David Muntz, former former principal deputy director of the Office of the National Coordinator on Health Information Technology and now CIO of GetWellNetwork, was in the audience for the policy session. Muntz said he would like CHIME to endorse no further delays on ICD-10.

"I think it's time for CHIME to step up and shout out," Muntz said.

As for the security realm, hospitals are reeling from the high-profile disclosure of various breaches, and a presidential order to do more about health information security led to a National Institute of Standards and Technology cybersecurity framework that came out this past February.

In October, the Food and Drug Administration held a workshop focused on medical devices, but IT also came up.

"The conversation in Washington is getting more mature around cybersecurity, but there is still is a tremendous gap" in developing a response that will help without hurting, Smith said.

The Department of Homeland Security, Department of Justice and Federal Bureau of Investigation have shown interest in cybersecurity in healthcare, too. The House has already passed a bill that would provide incentives to address the threat of hackers while also promoting secure information sharing in many industries, said Leslie Krigstein, director of congressional affairs for CHIME. She added that the legislation could go before the Senate during the lame-duck session.

But it is unclear what that could mean for healthcare. "None of the cakes have been baked fully, from what we understand," Smith said.

Also worth keeping an eye out for in the new year are the final versions of the ONC interoperability roadmap and the Food and Drug Administration Safety Innovation Act (FDASIA) health IT report, a joint effort of the ONC, FDA and Federal Communications Commission. The draft version of the FDASIA report called for the creation of an ONC Patient Safety Center, but would prohibit the FDA from regulating health management or clinical software.