Archive for Meaningful use
By Andrea Kraynak, CPC
akraynak@hcpro.com
The Chicago-based Certification Commission for Health Information Technology (CCHIT), and the Drummond Group Inc. (DGI) of Austin, TX are the first official certifiers of EHR technology, HHS announced August 30.
Healthcare providers and vendors can begin to seek certification for their EHR systems and technologies now that the Office of the National Coordinator for Health Information Technology (ONC) has named the first two authorized testing and certification bodies (ATCB). Providers must be using certified EHR technology to qualify for meaningful use incentive payments.
“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified.” David Blumenthal, MD, national coordinator for Health Information Technology, said in the press release. “This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”
Additional ATCBs may still be named, but in the meantime, the industry can begin lining up to have their EHRs tested and hopefully certified in time for the first round of incentive payments targeted for May 2011. Naming the bodies is one step, Blumenthal said. But actually certifying multiple vendors’ systems is another. He notes, however, that the health IT initiative “is on an aggressive schedule to meet the urgent targets set by Congress and the President.”
In the meantime, CMS is creating an online system for providers to register and attest to meaningful use for qualify for the programs, according to the press release.
To learn more about the initial ONC-ATCBs, visit their websites at www.cchit.org and www.drummondgroup.com. More information on the EHR incentive program is available at http://healthit.hhs.gov/certification.
HIPAA privacy and security concerns with the government’s EHR certification program are so great that hundreds of practitioners have called for the program’s cancellation, the Department of Health & Human Services (HHS) announced in its final rule on meaningful use released Tuesday.
It hasn’t happened, of course.
The final rule, issued through the Centers for Medicare & Medicaid Services (CMS), defines “meaningful use” for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.
HHS released a second final rule the same day, through the Office of the National Coordinator for Health Information Technology (ONC). It establishes an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.
Through its technology standards final rule, HHS addresses privacy and security concerns by requiring organizations to perform risk analyses and correct security deficiencies and by requiring the EHR technology to include among other security functions:
- Encryption capabilities
- Auditing capabilities including read-only access to patient records
- Automatic log-off capabilities
- File and message integrity checking
“It’s good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information,” said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. “Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they’ll be used.”
Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. “It will still be up to the eligible provider to implement the security technologies in a reasonable manner,” she says.
In all, Borten calls the security standards in the EHR certification program “all good security controls.”
“Most are basic and have been required by the security rule since 2005 (like unique user IDs),” she adds. “Some that are ‘addressable’ in the security rule are required to be built into the EHR technology such as automatic logoff.”
Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.
“The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information,” Verdugo said in an e-mail to HealthLeaders Media when asked about providers’ concerns with privacy and security. “While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas.”
by Dom Nicastro
The Department of Health and Human Services (HHS) softened some of its proposed requirements for healthcare entities to become meaningful users of electronic health records (EHRs) in a final rule released today.
The final rule—issued through the Centers for Medicare & Medicaid Services (CMS)—defines “meaningful use” for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.
The later phases will be governed by different rules. HHS did not release the expected published dates of those rules.
HHS also released today a final rule—through the Office of the National Coordinator for Health Information Technology (ONC)—establishing an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.
The rules went public despite “hundreds” of comments that called for a cancellation of the EHR incentive program due to privacy and security risks involved with the technology, according to the CMS final rule.
“This seems like a significant pushback because on some level this represents a concern which represents to some degree the willingness of these commenters to leave money on the table given the privacy and security risks involved,” said Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ.
Differences between the proposed, finalized rules
During a press briefing this morning, David Blumenthal, MD, MPP, national coordinator for health information technology, said his department received more than 2,000 comments from the January 2010 proposed rule on meaningful use.
The comments resulted in fewer core objectives that clinicians and hospitals must meet in the first two years of available meaningful use incentives. HHS had proposed 23 objectives for hospitals and 25 for clinicians, Blumenthal said, and many commenters felt it was an “all or nothing approach.”
The final rule changes that, dividing the objectives into two sets: a core set of objectives and an additional set. Of the additional objectives, providers must maintain only some of them during the initial phase from 2011–2012. This allows providers to then choose which ones they will push to the phase after 2012. (See the two sets of objectives in this table from the New England Journal of Medicine).
“This gives providers latitude to pick their own path toward full EHR implementation and meaningful use,” according to a statement from HHS.
Other notable changes in the final rule include:
- A decrease in the percentage of prescriptions to be prescribed electronically, from 75% to 40%
- An increase in the time period allowed to provide patients with a copy of their EHR, from 48 hours to three business days
- A requirement that hospitals and clinicians conduct or review a security risk analysis of the certified EHR technology and implement security updates and correct deficiencies as part of their risk management process
- Two added objectives for eligible providers (EP) and eligible hospitals, in accordance with recommendations from the Health Information Technology Policy Committee:
- Identify and provide condition-specific patient education resources
- Record advance directives for patients 65 years of age and older
- A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, pursuant to the Continuing Extension Act of 2010
- Inclusion of critical access hospitals within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid
Next steps for eligible hospitals and EPs
Ruelas said that entities will likely need to revisit their policies to differentiate the timelines associated with requests for electronic copies of patients’ health information versus those for hardcopies.
HHS also clarified that only information that an eligible hospital or clinician has available electronically must be provided to the patient—not all paper records.
Blumenthal called the criteria “ambitious but achievable” in striding toward President Obama’s goal of all entities moving to EHRs by 2014.
Each clinician is eligible for up to $44,000 through Medicare and $63,750 through Medicaid as incentives for achieving meaningful use.
The American Health Information Management Association (AHIMA) said paper records fail to meet the demands of today’s healthcare decision-making, and it is “ready to ensure the proper implementation of electronic health records.”
“With this last hurdle behind us, the health information management profession can move forward with final preparations for implementation,” Rita K. Bowen, president of AHIMA’s board of directors, said in a statement.
Today’s final rules are the third and fourth in a series of rules released in the past month under HITECH. ONC published a final rule June 24 establishing a temporary certification program for health information technology. The Office for Civil Rights (OCR), enforcer of the HIPAA privacy and security rules, released a proposed rule July 8 that would strengthen and expand privacy, security, and enforcement protections under HIPAA.
Editor’s note: For more information, visit the HHS website.
A CMS/ONC fact sheet on the rules is available at http://www.cms.gov/EHRIncentivePrograms/.
A technical fact sheet on ONC’s standards and certification criteria final rule is available at http://healthit.hhs.gov/standardsandcertification.
The Office of the National Coordinator for Health Information Technology today released the EHR certification final rule, which outlines the program that certifies hospitals are meeting EHR “meaningful use” requirements in order to obtain incentive dollars.
This final rule establishes a temporary certification program for the purposes of testing and certifying health information technology.
A privacy/security workgroup for the Office of the National Coordinator for Health Information Technology (ONC) reported last month that encryption should be mandatory for one-on-one exchanges between providers regarding treatments.
The workgroup of the monthly HIT Policy Committee in its May 19 meeting suggested that those exchanges should include:
- Encryption (no ability for facilitator to access content)
- Encryption ideally should be required when potential for transmitted data to be exposed (mandate through meaningful use/certification criteria or HIPAA Security Rule modification)
- Limits on identifiable (or potentially identifiable) information in the message
- Identification and authentication
“I’d say it’s long overdue,” says Kate Borten, CISSP, CISM, president of The Marblehead Group. “Recall that the proposed security rule in 1998–that’s 12 years ago–required that PHI be encrypted over the Internet. While there may have been a legitimate argument then that solutions weren’t readily available and cost effective, there are solutions today.”
John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, says the recommendation was inevitable.
“It is merely recognition of what has become an industry best practice,” Parmigiani says.
Encryption is not mandatory.
It is “addressable” under the HIPAA Security Rule. And the Department of Health and Human Services’ interim final rule on breach notification creates a “safe harbor” for unsecured protected health information (PHI) that is encrypted by certain standards; in other words, covered entities and business associates (BAs) do not need to notify individuals on breaches involving such encrypted PHI.
If the workgroup’s recommendation comes to fruition, it would “uncomplicate the situation that many healthcare organizations have been confronted with when trying to decide on encryption,” Parmigiani says.
Back when the security rule was proposed in 1998, then finalized in 2003, encryption technology was immature, Parmigiani says.
Now, however, there have been “inroads in the understanding of encryption,” he says, and widespread use of software and hardware encryption.
“Therefore, I believe that the formal recommendation is both timely and an essential component of successful HIT and is critical to the attainment of consumer confidence in a fully robust EHR and smoothly functioning HIE environment,” Parmigiani says.
The privacy/security workgroup provides input to the Health IT Committee as it sets the ground rules for the criteria of “meaningful use” of EHRs.
CMS and the Office of the National Coordinator for Health Improvement Technology (ONC) December 30 released two anxiously-awaited regulations providing both the definition of “meaningful use” for EHRs and the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians.
Currently, the ONC interim final rule, “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology,” requires that EHR systems be capable of encryption.
Final rules on the ONC interim final rule and CMS proposed rules are expected this spring. However, the interim final rule is in effect.
Get blog updates in your e-mail
Subscribe to our e-zine
Click here to learn how!
Click here