
Archive for Meaningful use

Yet another reason to conduct a security risk analysis and consider encrypting your health information—meaningful use Stage 2 requirements tell you to.

In its final rule governing qualification for incentives during Stage 2 of the meaningful use of EHRs program, CMS calls for entities to “conduct or review a security risk analysis” in accordance with requirements under the HIPAA Security Rule.

Specifically, the final rule points to the HIPAA Security Rule subpart:

  • 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in certified EHR technology (CEHRT) in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3)

Further, entities qualifying for incentives in Stage 2 must implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process, according to the final rule.

In the final rule, CMS changed the proposed wording “data at rest” to make clear that it means data stored in CEHRT.

“Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis,” CMS wrote in the final rule. “We agree that this is an area of security that appears to need specific focus.”

CMS reported that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured, CMS added.

“It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure,” according to the final rule. “We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information (ePHI) as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

Categories : EHRs, Meaningful use
Comments (0)

By Andrea Kraynak, CPC

The Chicago-based Certification Commission for Health Information Technology (CCHIT), and the Drummond Group Inc. (DGI) of Austin, TX are the first official certifiers of EHR technology, HHS announced August 30.

Healthcare providers and vendors can begin to seek certification for their EHR systems and technologies now that the Office of the National Coordinator for Health Information Technology (ONC) has named the first two authorized testing and certification bodies (ATCB). Providers must be using certified EHR technology to qualify for meaningful use incentive payments.

“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified,” David Blumenthal, MD, national coordinator for Health Information Technology, said in the press release. “This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”

Additional ATCBs may still be named, but in the meantime, the industry can begin lining up to have its EHRs tested and, hopefully, certified in time for the first round of incentive payments targeted for May 2011. Naming the bodies is one step, Blumenthal said; actually certifying multiple vendors’ systems is another. He notes, however, that the health IT initiative “is on an aggressive schedule to meet the urgent targets set by Congress and the President.”

In the meantime, CMS is creating an online system through which providers can register and attest to meaningful use in order to qualify for the programs, according to the press release.

To learn more about the initial ONC-ATCBs, visit their websites at www.cchit.org and www.drummondgroup.com. More information on the EHR incentive program is available at http://healthit.hhs.gov/certification.


HIPAA privacy and security concerns with the government’s EHR certification program are so great that hundreds of practitioners have called for the program’s cancellation, the Department of Health & Human Services (HHS) announced in its final rule on meaningful use released Tuesday.

It hasn’t happened, of course.

The final rule, issued through the Centers for Medicare & Medicaid Services (CMS), defines “meaningful use” for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.

HHS released a second final rule the same day, through the Office of the National Coordinator for Health Information Technology (ONC). It establishes an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.

Through its technology standards final rule, HHS addresses privacy and security concerns by requiring organizations to perform risk analyses and correct security deficiencies and by requiring the EHR technology to include among other security functions:

  • Encryption capabilities
  • Auditing capabilities, including auditing of read-only access to patient records
  • Automatic log-off capabilities
  • File and message integrity checking

“It’s good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information,” said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. “Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they’ll be used.”

Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. “It will still be up to the eligible provider to implement the security technologies in a reasonable manner,” she says.

In all, Borten calls the security standards in the EHR certification program “all good security controls.”

“Most are basic and have been required by the security rule since 2005 (like unique user IDs),” she adds. “Some that are ‘addressable’ in the security rule are required to be built into the EHR technology such as automatic logoff.”

Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.

“The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information,” Verdugo said in an e-mail to HealthLeaders Media when asked about providers’ concerns with privacy and security. “While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas.”

by Dom Nicastro

The Department of Health and Human Services (HHS) softened some of its proposed requirements for healthcare entities to become meaningful users of electronic health records (EHRs) in a final rule released today.

The final rule—issued through the Centers for Medicare & Medicaid Services (CMS)—defines “meaningful use” for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.

The later phases will be governed by different rules. HHS did not release the expected published dates of those rules.

HHS also released today a final rule—through the Office of the National Coordinator for Health Information Technology (ONC)—establishing an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.

The rules went public despite “hundreds” of comments that called for a cancellation of the EHR incentive program due to privacy and security risks involved with the technology, according to the CMS final rule.

“This seems like a significant pushback because on some level this represents a concern which represents to some degree the willingness of these commenters to leave money on the table given the privacy and security risks involved,” said Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ.

Differences between the proposed, finalized rules

During a press briefing this morning, David Blumenthal, MD, MPP, national coordinator for health information technology, said his department received more than 2,000 comments from the January 2010 proposed rule on meaningful use.

The comments resulted in fewer core objectives that clinicians and hospitals must meet in the first two years of available meaningful use incentives. HHS had proposed 23 objectives for hospitals and 25 for clinicians, Blumenthal said, and many commenters felt it was an “all or nothing approach.”

The final rule changes that, dividing the objectives into two sets: a core set of objectives and an additional set. Of the additional objectives, providers must maintain only some of them during the initial phase from 2011–2012. This allows providers to then choose which ones they will push to the phase after 2012. (See the two sets of objectives in this table from the New England Journal of Medicine).

“This gives providers latitude to pick their own path toward full EHR implementation and meaningful use,” according to a statement from HHS.

Other notable changes in the final rule include:

  • A decrease in the percentage of prescriptions to be prescribed electronically, from 75% to 40%
  • An increase in the time period allowed to provide patients with a copy of their EHR, from 48 hours to three business days
  • A requirement that hospitals and clinicians conduct or review a security risk analysis of the certified EHR technology and implement security updates and correct deficiencies as part of their risk management process
  • Two added objectives for eligible providers (EP) and eligible hospitals, in accordance with recommendations from the Health Information Technology Policy Committee:
      1. Identify and provide condition-specific patient education resources
      2. Record advance directives for patients 65 years of age and older
  • A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, pursuant to the Continuing Extension Act of 2010
  • Inclusion of critical access hospitals within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid

Next steps for eligible hospitals and EPs

Ruelas said that entities will likely need to revisit their policies to differentiate the timelines associated with requests for electronic copies of patients’ health information versus those for hardcopies.

HHS also clarified that only information that an eligible hospital or clinician has available electronically must be provided to the patient—not all paper records.

Blumenthal called the criteria “ambitious but achievable” as a stride toward President Obama’s goal of all entities moving to EHRs by 2014.

Each clinician is eligible for up to $44,000 through Medicare and $63,750 through Medicaid as incentives for achieving meaningful use.

The American Health Information Management Association (AHIMA) said paper records fail to meet the demands of today’s healthcare decision-making, and it is “ready to ensure the proper implementation of electronic health records.”

“With this last hurdle behind us, the health information management profession can move forward with final preparations for implementation,” Rita K. Bowen, president of AHIMA’s board of directors, said in a statement.

Today’s final rules are the third and fourth in a series of rules released in the past month under HITECH. ONC published a final rule June 24 establishing a temporary certification program for health information technology. The Office for Civil Rights (OCR), enforcer of the HIPAA privacy and security rules, released a proposed rule July 8 that would strengthen and expand privacy, security, and enforcement protections under HIPAA.

Editor’s note: For more information, visit the HHS website.

A CMS/ONC fact sheet on the rules is available at http://www.cms.gov/EHRIncentivePrograms/.

A technical fact sheet on ONC’s standards and certification criteria final rule is available at http://healthit.hhs.gov/standardsandcertification.


EHR final rule is released


The Office of the National Coordinator for Health Information Technology today released the EHR certification final rule, which outlines the program that certifies hospitals are meeting EHR “meaningful use” requirements in order to obtain incentive dollars.

This final rule establishes a temporary certification program for the purposes of testing and certifying health information technology.
