CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.
HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting meaningful use requirements. We’ll break down the finer points of Stage 3 Meaningful Use as it relates to data security, and how organizations can remain HIPAA compliant while also make progress in the Meaningful Use program.
Stage 3 further protects patient information
One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that provide more strict and narrow requirements for keeping patient data secure.
The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.
In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond just reviewing the data that is stored in an organization’s EHR. CEs need to address all electronic protected health information they maintain.
It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This security aspect ensures that all ePHI maintained by an organization is reviewed. For example, any electronic device – tablets, laptops, mobile phones – that store, capture or modify ePHI need to be examined for security.
“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”
It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change the workflow processes or storage methods, review and modify policies and procedures, schedule additional training for your staff, or take other necessary corrective action to eliminate identified security deficiency.
A security risk analysis does not necessarily need to be done every year. CEs only need to conduct one when they adopt an EHR. When a facility changes its setup or makes alterations to its electronic systems, for example, then it is time to review and make updates for any subsequent changes in risk.
Stage 3 works with HIPAA regulations
In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA – the two are able to compliment one another.
“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”
As EHRs become more common, CMS explained that protecting ePHI becomes more instrumental in the EHR Incentive Program succeeding. However, CMS acknowledged that there had been some confusion in the previous rules when it came to HIPAA requirements and requirements for the meaningful use core objective:
For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.
CMS added that even as it worked to clarify security requirements under Stage 3, their proposal was not designed “to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking.”
For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when CEHRT is installed or when a facility upgrades to a new certified EHR technology edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, “as necessary, but at least once per EHR reporting period.”
However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.
Working toward exchange securely
The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security still remains a priority and that PHI stays safe.
While HIPAA compliance ensures that CEs avoid any federal fines, it also ensures that those facilities are keeping patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.