Meaningful Use Stage 2 criteria, beginning in 2014, include several explicit and implicit security requirements that must be met by eligible professionals (EPs), eligible hospitals (EHs), and critical access hospitals (CAHs) to qualify for incentive payments. Recommendations on Stage 2 criteria from the Health IT Policy Committee (HITPC), a Federal Advisory Committee that coordinates industry and provider input regarding the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, were substantially adopted, with consideration of current program data for the Medicare and Medicaid EHR Incentive Programs. Our EHR 2.0 team reviewed the entire 672-page Federal Register rule to identify the security initiatives and their impact on health care organizations.
Here’s our high-level summary:
- One of the core objectives for EPs, EHs and CAHs, to protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities, requires conducting or reviewing a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with the requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implementing security updates as necessary and correcting identified security deficiencies as part of the EP’s risk management process.
- Rigorous expectations for health data exchange, including more demanding requirements for e-prescribing, incorporating structured laboratory results, and the expectation that providers will electronically transmit patient care summaries to each other and to the patient to support transitions in care, will require several security hardware and software implementations to protect sensitive patient data.
Core objective requirements: Providers are required to attest that they are protecting electronic health information. CMS estimates that completion of the security analysis requires approximately 6 hours, which is identical to the earlier estimate for the Stage 1 requirement. However, this estimate assumes that covered entities are already conducting and reviewing these risk analyses under current HIPAA regulations. Therefore, the additional burden associated with the conduct or review of such analyses is not accounted for in the estimate. Based on our discussions with several providers who are planning to apply for MU incentives, there is very limited understanding of HIPAA/HITECH security, privacy and breach requirements. Thus, a very comprehensive HIPAA/HITECH initial assessment, prioritization of gaps and reassessment is required. Part of the HIPAA/HITECH assessment should include a detailed security risk analysis and prioritization of fixes for the vulnerabilities identified. OCR has published guidance on conducting risk analysis at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Attesting yes to this objective requires providers/hospitals to conduct a security risk analysis, implement security updates as necessary, and correct identified security deficiencies as part of the provider’s risk management process. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that CMS specifically calls out encryption of data at rest under 45 CFR 164.308(a)(1) for the meaningful use measure. CMS did not propose to change the HIPAA Security Rule requirements, or to require any more than is required under HIPAA. CMS only emphasizes the importance of an EP or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and, where it is not reasonable and appropriate, the adoption of an equivalent alternative measure. In the proposed rule, CMS is emphasizing that the discussion of this measure and 45 CFR 164.308(a)(1) is only relevant for purposes of the meaningful use requirements and is not intended to supersede what is separately required under HIPAA and other rulemaking. CMS specifically highlights the encryption/security of data that is stored in CEHRT (data at rest). The scope of the security risk analysis for purposes of this meaningful use measure applies only to data created or maintained by CEHRT. This measure does not apply to data centers that are not part of CEHRT. However, such data centers may be subject to the security requirements under 45 CFR 164.308(a)(1), and CMS refers providers to the HIPAA Security Rule for compliance information.
The second security requirement, though not very explicit, introduces several security considerations to support other core objectives and menu set objectives, which require a secure software and hardware infrastructure. Some of the key requirements that call for hardened systems are:
a) A secure message was sent using the electronic messaging function of CEHRT by more than 10 percent of unique patients seen by the EP during the EHR reporting period. CMS defines a secure message as any electronic communication between a provider and patient that ensures only those parties can access the communication. This electronic message could be email or the electronic messaging function of a PHR, an online patient portal, or any other electronic means. However, CMS notes that the secure message must also use the electronic messaging function of CEHRT in order to qualify for the measure of this objective.
b) Generate and transmit permissible discharge prescriptions electronically (eRx)
c) Provide patients the ability to view online, download, and transmit information about a hospital admission
d) Capability to submit electronic data to immunization registries or immunization information systems except where prohibited, and in accordance with applicable law and practice
We would love to hear your views and comments.
EHR 2.0 will host a webinar on Meaningful Use Stage 2 security requirements shortly. Please sign up for our newsletter if you want to receive our webinar announcement.