HITECH Stage 2 Rules Unveiled

EHR Incentive Program Regulations Address Encryption

By Howard Anderson, August 23, 2012.

The two final rules for Stage 2 of the HITECH Act’s electronic health record incentive program, which address encryption and other privacy and security issues, were released on the Federal Register Electronic Public Inspection Desk Aug. 23. Both rules from the Department of Health and Human Services are slated to be officially published in the Federal Register on Sept. 4.

The meaningful use rule spells out the requirements for how hospitals and physicians must use EHRs to qualify for a second round of incentives, beginning in 2014. The software certification rule spells out the requirements for EHR applications that qualify for Stage 2.

The HITECH Act incentive program, part of the economic stimulus package, is providing billions of dollars in incentives to hospitals and physician groups that meet the requirements for meaningfully using EHRs. The incentives are slated to be paid out in several stages.

Meaningful Use

The Stage 2 meaningful use rule, developed by HHS’ Centers for Medicare and Medicaid Services, requires that participants conduct a risk assessment, as was required in Stage 1. However, the Stage 2 rule specifically requires that the analysis address “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

“We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA,” an explanation within the rule states. “We only emphasize the importance of a [physician/other professional] or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

The Privacy and Security Tiger Team, an advisory group that recommended the provision, said it was necessary to help call attention to the importance of protecting “data at rest” because so many major health information breaches have involved the loss or theft of unencrypted devices that stored patient information.

The meaningful use rule “continues to reaffirm the importance of doing security assessments and mitigation,” says Farzad Mostashari, M.D., who heads the HHS Office of the National Coordinator for Health IT. “People really rely legally, and in terms of the professional ethos, on an expectation that their providers will keep their information confidential and secure. And as they’re transitioning to electronic health records, they have to make sure they’re following all the administrative and physical safeguards, as well as technical safeguards.”

Software Certification

The Stage 2 software certification rule, developed by Mostashari’s office, requires that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

“The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops,” the rule states. The rule also states that locally stored “is intended to mean the storage actions that EHR technology is programmed to take (i.e., creation of temp files, cookies, or other types of cache approaches) and not an individual or isolated user action to save or export a file to their personal electronic storage media. … We have clarified that in this scenario, the EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.”

The rule points out that an EHR technology developer would not have to demonstrate that its EHR technology can encrypt electronic health information locally stored on end-users devices “if the EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops.”

(Marianne Kolbasuk McGee contributed to this story).

Patients worried about medical records going digital

Many Americans — 85% in a new survey — report having fears about the privacy of their records as more physician practices adopt EHRs.

By PAMELA LEWIS DOLAN, amednews staff. Posted Aug. 20, 2012.

It took some time to get a majority of physicians in the U.S. to agree that it would be beneficial to implement electronic health records in their practices. Now, a survey finds, the most skeptical audience for EHRs is patients.

A survey of more than 2,100 patients by Xerox found that only 26% want their medical records to be digital, down two percentage points from a year ago. Only 40% believe EHRs will result in better, more efficient care. And 85% expressed concern about digital records. Their main worries: privacy and security of their information.

When asked what, specifically, worries them about EHRs, respondents said they were concerned that their information could be stolen by a hacker (63%), the files could be lost, damaged or corrupted (50%), their personal information could be misused (51%), or a power outage or computer problem could prevent doctors from accessing their information (50%). Fifteen percent said they had no worries.

There are many things in medicine that patients tolerate but don’t necessarily like. If most physicians will be electronic soon anyway, some physicians may wonder why it’s important to convince their patients that EHRs are a good thing instead of just letting them learn to live with them.

As the health care system shifts from one that focuses on acute care and treating patients who are sick to one that promotes wellness, “We need the patients as active participants,” said Philip Payne, PhD, chair of the Ohio State University College of Medicine’s Dept. of Biomedical Informatics. The EHR is an important tool to engage patients, he said.

Despite the benefits an EHR might bring, major data breaches are announced on virtually a weekly basis. For example, in the summer of 2012, a computer containing the medical information of 2,500 patients from the Stanford (Calif.) Hospital & Clinics and the School of Medicine was reported stolen. In Connecticut, information on more than 7,461 VNA Healthcare patients and 2,097 Hartford Hospital patients was lost when a computer belonging to a data analysis vendor was stolen. Beth Israel Deaconess Medical Center in Boston announced that the health information of 3,900 patients was put at risk when a physician’s personal laptop was stolen.

How to give assurance

The main message physicians should be spreading to patients who are concerned about breaches is that “people do bad things, whether it’s in paper form or electronic form,” said Mary Griskewicz, senior director of ambulatory health information systems for the Healthcare Information and Management Systems Society.

Michael Hobaugh, MD, PhD, chief of medical staff at La Rabida Children’s Hospital in Chicago, said if patients express concerns about data safety, physicians can tell them that there are many safety features of an EHR that patients never had with paper.

“The biggest assurance that patients have regarding electronic medical records is that anytime anybody looks at something or prints something, there is a record of who did it,” Dr. Hobaugh said. “That was not true of paper charts.”

Christine Bechtel, vice president of the National Partnership for Women and Families, said a survey her organization conducted, similar to the one by Xerox, found respondents rating EHRs higher than paper across the board in various safety and quality measures. She said the survey, released in February, shows that even if patients worry about their own information, many are showing confidence in EHRs in general.

Griskewicz said physicians need to be educated on how and when to engage consumers when it comes to technology adoption. HIMSS launched the HIMSS eConnecting with Consumers Committee this year, whose focus is to provide physicians with tools and education surrounding patient engagement and technology.

Many patient concerns stem from the fact that the value of EHRs has not been made clear to patients, Payne said.

“We really have to figure out how we make the EHR a focal point of collaboration between patients and members of multidisciplinary care teams rather than just a thing that’s in the room that we have to use to document so we can bill,” he said.

What patients think about EHRs

A survey found that patients have concerns when it comes to electronic health records, mainly about risks to their private information.

63%: With EHRs my information could be stolen by a hacker.
51%: My personal information could be misused.
50%: Digital medical records could be lost, damaged or corrupted.
40%: Digital records mean better, more efficient care.
31%: I feel I am adequately informed about when and how my medical records are used.
26%: I want my records to be digital.
26%: EHRs have improved my interactions with my physician office.
24%: My doctor involved me in the conversion from paper to electronic.
21%: I expect EHRs to improve the quality of service I receive.
14%: I think my health care provider is technically savvy enough to use EHRs.

Source: Third annual electronic health records survey, Xerox, July

Covered Entity is the Only One with “Egg on Their Face”

Written by:  on his longstanding blog – EMR and HIPAA

When I first started writing this blog about six years ago, I named it EMR and HIPAA. I was working to implement an EMR at that time (this was well before EHR became in vogue) and I knew that HIPAA was a major talking point in healthcare.

Over time I’ve learned that doctors care enough about HIPAA to make sure that they don’t hear about it again. Up until now, that’s worked pretty well for most doctors. There haven’t been many HIPAA lawsuits and the government has mostly only investigated reported incidents.

We started to see a shift in this with the passing of the HITECH Act, which many described as giving “teeth” to HIPAA. I think we’re just now starting to see some of those teeth coming to bear with things like the OCR audits that 150 HIPAA covered entities will experience this year. That’s still a pretty small number, but the experience of those 150 is teaching us and the government a lot about areas where healthcare institutions have done a good job with privacy and security and where they likely are weak.

While at HIMSS I had the pleasure to have a brief conversation with CynergisTek CEO and chair of the HIMSS Privacy and Security Policy Task Force, Mac McMillan. I love talking with people like Mac since he is an absolute domain expert in the areas of privacy and security in healthcare. You just start him talking and from memory he’s pouring out his knowledge about these important and often overlooked topics. I loved what he had to say so much that I asked him if he’d do a series of blog posts on the OCR audits which I could publish on EMR and HIPAA. He said he was interested and so I hope we’re able to make it happen.

One simple thing that Mac McMillan taught me in our admittedly brief conversation was the changing role of the business associate in healthcare. In the past, most covered entities kind of hid behind their business associates. Many did little to verify or keep track of the policies and procedures employed by their business associates. With the new HITECH rules for disclosure of breaches and the OCR audits, covered entities are going to have to keep a much better eye on their business associates.

Mac then pointed out to me that the reason covered entities have to take on more responsibility is that they’re the ones that are going to be held responsible and take the brunt of the problem if their business associate has a privacy or security issue. I see it as the Covered Entity will be the one with Egg on their Face.

I don’t think we have to take this to an extreme. However, there’s little doubt that covered entities could do a much better job evaluating the privacy and security of their business associates and hold them to a much higher standard. If they aren’t, I wouldn’t want to be there for the OCR audit with them.