The Centers for Medicare & Medicaid Services (CMS) recently announced a proposed rule for Stage 2 requirements for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of American Recovery and Reinvestment Act of 2009, eligible health care professionals (EPs), eligible hospitals and Critical Access Hospitals can qualify for Medicare and Medicaid incentive payments when they adopt certified EHR technology and use it to demonstrate “meaningful use” of that technology by achieving objectives set by CMS.
CMS’ proposed stage 2 rule may be viewed here: www.ofr.gov/inspection.aspx
In this proposed rule, CMS proposes to maintain the same core and menu structure for the program for Stage 2. In Stage 2 EPs must meet or qualify for exclusion to 17 core objectives and 3 of 5 menu objectives. Eligible hospitals and CAHs must meet or qualify for exclusion to 16 core objectives and 2 of 4 menu objectives.
The specific purpose of this blog post is to share and analyze stage 2 security requirements with respect to meaningful use:
Meaningful use core objective protect electronic health information is being proposed to be changed to (proposed changes highlighted below) in stage 2:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a) (2) (iv) and 45 CFR 164.306(d) (3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.
This measure is the same as in Stage 1 except that CMS specifically addresses the encryption/security of data that is stored in EHR systems (data at rest). Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. Per HHS this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices which are not encrypted.
Had these devices been encrypted, their data would have been secured. It is for these reasons that HHS specifically calls out this element of the requirements under 45 CFR 164.308(a) (1) for the meaningful use measure. It is very important to note that HHS is not proposing changes to the HIPAA Security Rule requirements, or require any more than would be required under HIPAA.
HHS only emphasizes the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.
HHS is proposing this measure because the implementation of Certified EHR Technology has privacy and security implications under 45 CFR 164.308(a) (1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider’s risk management process and implemented or corrected as dictated by that process.
HHS also notes that this measure and 45 CFR 164.308(a)(1) is only relevant for purposes of the meaningful use requirements and is not intended to supersede what is separately required under HIPAA and other rulemaking. Compliance with the HIPAA requirements is not covered as part of the scope and learns more visit our HIPAA compliance section.
In addition to the proposed changes in protecting electronic health information core objective, HHS is proposing to introduce a new objective using secure electronic messaging to communicate with patients on relevant health information.
The exchange of health information through electronic messaging requires additional security measures while maintaining its ease of use for communication. While e-mail with the necessary safeguards is probably the most widely used method of electronic messaging, for the purposes of meeting this objective, secure electronic messaging could also occur through functionalities of patient portals, PHRs, or other stand-alone secure messaging applications.
Electronic messaging (for example, e-mail) is one of the most widespread methods of communication for both businesses and individuals. The inability to communicate through electronic messaging may hinder the provider-patient relationship.
The use of common email services and the security measures that may be used when they are sent may not be appropriate for the exchange of protected health information. Therefore, HHS is proposing this as a core objective for EPs for Stage 2. The expectation is the additional time made available for Stage 2 implementation makes possible the inclusion of some new objectives in the core set. HHS chose to identify objectives that address critical priorities of the country’s National Quality Strategy (NQS) (http://www.healthcare.gov/law/resources/reports/quality03212011a.html), with a focus on one for EPs and one for hospitals.
Electronic messaging is very inexpensive on a transactional basis and allows for communication even when the provider and patient are not available at the same moment in time. For EPs, secure electronic messaging is critically important to two NQS priorities–
• Ensuring that each person/family is engaged as partners in their care; and
• Promoting effective communication and coordination of care.
Secure messaging could make care more affordable by using more efficient communication vehicles when appropriate. Specifically, research demonstrates that secure messaging has been shown to improve patient adherence to treatment plans, which reduces readmission rates. Secure messaging has also been shown to increase patient satisfaction with their care. Secure messaging has been named as one of the top ranked features according to patients. Also, despite some trepidation, providers have seen a reduction in time responding to inquires and less time spent on the phone. HHS specifically seeks comment on whether there may be special concerns with this objective in regards to behavioral health.
Proposed EP Measure: A secure message was sent using the electronic messaging function of Certified EHR Technology by more than 10 percent of unique patients seen by the EP during the EHR reporting period.
To calculate the percentage, CMS and ONCE have worked together to define the following for this objective:
? Denominator: Number of unique patients seen by the EP during the EHR reporting period.
? Numerator: The number of patients in the denominator who send a secure electronic message to the EP using the electronic messaging function of Certified EHR Technology during the EHR reporting period.
? Threshold: The resulting percentage must be more than 10 percent in order for an EP to meet this measure.
Exclusion: Any EP who has no office visits during the EHR reporting period.
HHS also noted that this new measure requires action by patients in order for the EP to meet it. While this is a departure from most meaningful use measures, which are dependent solely on actions taken by the EP, we believe that requiring a measurement of patient use ensures that the EP will promote the availability and active use of secure electronic messaging by the patient. Furthermore, HHS believes that accountable care should extend to accountability for meaningful use objectives that encourage patient and family engagement. HHS invites comment on this new measure and whether EPs believe that the 10 percent threshold is too high or too low given the patient’s role in achieving it.
HHS specifies that the secure messages sent should contain relevant health information specific to the patient in order to meet the measure of this objective. HHS also indicates the EP is the best judge of what health information should be considered relevant in this context. We do not specifically include the term “relevant health information” in the measure, not because we believe that the messages sent by the patient to the healthcare provider do not need to contain relevant health information, but because we believe the provider is best equipped to determine whether such information is included.
It would be too great a burden for the certified EHR technology, or the attestation process, to determine whether the information in the secure message has such information. HHS also notes that there is an expectation that the EP would respond to electronic messages sent by the patient, although HHS does not specify the method of response or require the EP to document his or her response as a condition of meeting this measure.
To address some circumstances regarding scope of practice, HHS proposes exclusion to this objective for EPs who have no office visits during the EHR reporting period. Not having any office visits for an entire EHR reporting period indicates that there may not be a need for follow-up communication through secure electronic messaging.
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017