On Wednesday, December 30th, HHS released its Interim Final Rule on Meaningful use. This rule is applicable to covered entities who chose to participate in the Medicare and Medicaid EHR Incentive Programs.
HHS Issues Interim Final Rule on Meaningful Use of Certified Electronic Health Records
On Wednesday, December 30th, the U.S Department of Health and Human Services (HHS) released its Interim Final Rule on Meaningful use. This rule is applicable to covered entities who chose to participate in the Medicare and Medicaid EHR Incentive Programs. Essentially, healthcare providers must prove that they are using the EHRs and meet HHS’s standards of meaningful use in order to receive reimbursement for implementing the EHR system.
Stage 1 (starting in 2011): Focused on electronically capturing health information, implementing clinical decision support tools to facilitate disease and medication management, and reporting clinical quality measures and public health information. Note that in this stage electronic protected health information (PHI) is being captured and stored, and as a result, must be secured. It is this specific information that must be protected from security breaches.
Stage 2 (starting in 2013): Focused on using captured information to improve care, electronic transmission of diagnostic test results, and computerized provider order entry (CPOE).
Stage 3 (starting in 2015): Focused on decision support and improvements in quality and safety.
Role of Security & Privacy in Meaningful Use
In general, HHS has specifically included encryption as a requirement for a Certified EHR system (only Certified EHR systems are eligible for cost reimbursement). The inclusion of encryption in meaningful use is indicative of the Federal government’s recognition that encryption is a critical technology in securing protected health information (PHI).
Certified EHRs must be able to provide the patient an electronic copy of their health information upon their request. This information must be provided within 96 hours from the time the provider obtains the information, such as lab results, for example. This patient information must secured with at least a symmetric 128 bit fixed-block cipher algorithm capable of using 128, 192, or 256 bit encryption key.
Certified EHRs must protect electronic health information by implementing controls and encyption, such as:
- Assigning a unique user name for each user
- Encrypt and decrypt health information for backups, removable media, etc.
- Event recording such as deletion of records
- Audit review log
- Systems to ensure health information has not been altered using a hash algorithm
- Record disclosures made for treatment
- Ensure identity management is in place
Systems outside of Certified EHRs
As a matter of policy HHS has decided NOT to dictate standards on privacy and security in the context of meaninful use for systems other than Certified EHRs. In other words, they acknowledge that there are other systems that are part of the electronic health IT ecosystem, such as backup systems, hard drives, removable media, domain name systems (DNS), time servers (NNTP), etc. They acknowledge that these systems should be protected. However, for the purposes of the scope of the ruling they decided not to dictate standards or requirements beyond those for the actual EHR system.
Application of HIPAA Privacy and Security Rule
HHS took the time to reiterate that using a Certified EHR “does not change existing HIPAA Privacy Rule or Security Rule requirements, guarantee compliance with those requirements, or absolve an eligible professional, eligible hospital, or other health care provider who adopts Certified EHR Technology from having to comply with any applicable provision of the HIPAA Privacy or Security Rules.
This essentially means that you must still consider the security of systems outside the Certified EHR system and, if necessary, secure these systems. Implementing a Certified EHR system does not absolve your organization from the HIPAA Privacy and Security Rules. They go on further to say:
“While the capabilities provided by Certified EHR Technology may assist an eligible professional or eligible hospital in improving their technical safeguards in order to meet some or all of the HIPAA Security Rule’s requirements or influence their risk analysis, the use of Certified EHR Technology alone does not equate to compliance with the HIPAA Privacy or Security Rules.
Make sure you look at out healthcare IT system holistically. Implementing a Certified EHR is only part of the overall security equation in your organization.