Archive for December, 2009
With the release yesterday of its “meaningful use” definition and standards, government agencies have laid the foundation for an “evolutionary process in achieving and maintaining the meaningful use of certified EHR technology,” says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ.
CMS and the Office of the National Coordinator for Health Improvement Technology (ONC) on Wednesday, December 30, released two anxiously-awaited regulations providing both the definition of “meaningful use” of electronic health records (EHRs) and the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians.
“Both regulations are important in their own right, but they should be seen as part of a larger effort—a more comprehensive effort—to improve the health of the American people and the efficiency of its health system by equipping physicians, hospitals, and other health professionals with the best, most accurate, and most up-to-date information that they need and can use to help their patients,” said David Blumenthal, MD, national coordinator for health information technology, at a briefing late Wednesday.
Ruelas cites the identification of three stages, each with its own set of objectives that support the meaningful use of an EHR. Providers can be eligible for thousands of dollars if they meet the criteria included in the three stages.
The initial set of criteria will focus on collecting data electronically, sharing this data with other healthcare providers and patients, and finally reporting the measures to the government. The second stage of criteria would be proposed by the end of 2011. This will focus on structured information exchange and continuous quality improvement. Stage 3, which will focus on decision support for “national high priority conditions” and population health, would come out in 2013.
For example, physicians must use computerized provider order entry (CPOE) for 80% of their orders and hospitals for 10%, according to CMS’ proposed rule.
“This was a very novel approach, in my opinion, because as is stressed in this document, the adoption of certified EHR technology and its meaningful use is more of a process to be developed and adopted over time versus an on/off proposition,” Ruelas says. “Oftentimes, people will use the phrase that some processes are more like running a marathon than a sprint. This interim rule certainly gives the impression that we are going to be in a marathon mode.”
The ONC interim final rule begins to define standard formats for clinical summaries and prescriptions; standard terms to describe clinical problems, procedures, laboratory tests, medications and allergies; and standards for the secure transportation of this information using the Internet.
The American Recovery and Reinvestment Act of 2009 required HHS to adopt an initial set of standards for EHR technology by December 31, 2009. This regulation will go into effect 30 days after publication in the Federal Register, with an opportunity for public comment over the next 60 days. A final rule will be issued in 2010.
Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, president of Margret\A Consulting, LLC, which specializes in EHR adoption, says she is impressed ONC followed recommendations of its advisory committees, “so there are no major surprises.” At the same time, she says, it incorporated “staging that recognizes the immense work ahead.”
“I am also pleased to see,” Amatayakul adds, “that federal resources are being put to workforce training, research, best practices, extension centers, no- and low-cost loan programs, and other help, especially centering on workflow and process issues that, other than cost, are the biggest hurdles to gaining adoption by physicians and other clinicians.”
Ruelas says the certification standards also included encryption of patient information flowing over networks, a best practice in protecting PHI.
“As a result, it is expected that this will increase the use of encryption which will promote patient privacy within HIPAA as well,” Ruelas says.
When developing its standards and criteria, the government considered requirements that have been introduced already—such as ePrescribing, HIPAA security and privacy safeguarding of PHI, and the HIPAA transaction code sets.
Providers can become “meaningful users” of certified EHR technology through various methods, according to the standards described this week. The standards describe how a provider could either obtain a complete system or assemble one from modules supplied by different vendors, Ruelas says.
CMS’ proposed rule defining meaningful use for the Medicare EHR incentive programs would apply to eligible professionals participating in the Medicare fee-for-service and the Medicare Advantage EHR incentive programs. CMS also provides a definition that would apply to eligible hospitals and critical access hospitals.
CMS will provide a 60-day comment period on the proposed rule after the rule is published in the Federal Register in January.
We’ve started to notice more records requests with electronic patient signatures, the latest one a “voice signature.” We have always had patients (hand) sign an authorization for release of records. Are these new electronic or voice signatures valid as well?
Just a note, the electronic signature records requests are coming from outside companies that deal, for example, with records for life insurance companies. I tried researching the latest one we received, but feel I’m getting nowhere. It references the Federal Electronic Signature status, Title 15, U.S.C., Chap. 96, Sec. 7001, et seq.
The U.S. Supreme Court’s involvement next year on a privacy case regarding text-messaging on work cell phones in the public sector could have implications for private companies like hospitals, experts told HIPAA Update.
The case involves text messages sent by members of a California police department—some of which were sexual in nature, according to The Tennessean—and whether or not the employees should have had a “reasonable expectation of privacy” through work cell phone use.
HIPAA privacy and security officers juggle compliance headaches each day because of text-messaging on work phones. Experts told HIPAA Update the California case serves as a good reminder for covered entities to treat cell phones and texting as they would any other device that includes protected health information (PHI):
- Use appropriate safeguards to avoid breaches
- Know HIPAA’s privacy and security rule
- Consider a policy that prohibits personal text messages on work phones
- Be clear that work devices alone do not guarantee the user’s privacy
“If text messaging is allowed, it will need to be encrypted and only be sent and received by people with a ‘need to know’ and within minimum necessary guidelines,” says John C. Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD.
Organizations must have “comprehensive, feasible, and well-written information on security and privacy policies, along with regular training and ongoing awareness communications,” says Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, an information privacy, security, and compliance consultant, author, and instructor with Rebecca Herold & Associates, LLC, in Des Moines, IA.
“Even though this case is specific to government agencies,” Herold adds, “the ruling will likely still be used as an example for all types of organizations with regard to what personnel can reasonably expect with regard to privacy of electronic communications, not only on equipment and systems owned by the organization, but also for non-company-owned equipment that is used for business purposes.”
Herold says compliance boils down to a hospital’s policy and training programs.
“Hospitals should ensure their policies cover the use of organization-owned computing equipment for non-work purposes, along with using non-organization-owned equipment used for business purposes,” Herold says, “and ensure their training and ongoing awareness communications effectively educate their personnel about the requirements and their responsibilities.”
Texting is “fairly common” between physicians when communicating about a patient, says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.
Apgar says he likens text messages sent from company-owned phones to e-mail messages sent via the company’s e-mail system.
“In both cases, the employer [covered entity or not] owns the device and, as it has been determined in the past with e-mail, I believe the same legal principle will hold true with text messages—the employer ‘owns’ the text messages, whether they are work related or not,” Apgar says. “The moral of the story is if an employee wishes to send a personal text, he or she should use his or her own mobile device and then, like Web messaging, the text message becomes ‘personal property’ of the employee or the sender.”
Q. What auditing and documentation is necessary to demonstrate HIPAA compliance?
A. The HIPAA security rule requires covered entities to conduct four types of audits. Three are periodic and one is annual. The periodic audits include an information systems activity review, user login monitoring, and audit log review (from systems, databases, etc., for storage, use, and disclosure of PHI). The annual audit is called an evaluation and is more commonly known as a compliance audit.
Documentation is a primary requirement of demonstrating HIPAA compliance. Documentation includes retaining written or electronic results of a risk analysis, documenting the results of an audit, developing and implementing comprehensive privacy and security policies and procedures, and documenting staff training and security incident responses.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
HCPro, Inc., hosted an audio conference, “HIPAA Internal Sanctions: Adapt Your Policy to Comply with the HITECH Act,” Thursday, December 3. Each speaker shares a tip on forming your internal sanctions policy:
Nancy Davis, privacy/security officer, Ministry Health Care, Sturgeon Bay, WI: I would stress that the development of written guidance to address the severity of the incident and the appropriate sanction level goes a long way in promoting consistency when applying HIPAA sanctions to all members of the work force.
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer, St. Dominic Jackson Memorial Hospital, Jackson, MS: Be ever-vigilant in watching for new developments in the year to come; and be flexible when revising existing policies and procedures so that you not only meet the obligations of the current language revisions, but you are also able to quickly address any additional additions, deletions, or changes to your policies to comply with these ever-changing regulations.