HITECH Stage 2 Begins: The Provisions
Privacy, Security Requirements for New Phase of EHR Incentives
Despite the government shutdown, Stage 2 of the HITECH Act financial incentive program for electronic health records, which includes new security and privacy requirements, kicks off for hospitals on Oct. 1 as planned, federal officials confirm. Stage 2 is slated to begin for physicians and other clinicians on Jan. 1, 2014.
To qualify for more incentives in Stage 2 of the program, which is providing billions of dollars worth of payments through Medicare and Medicaid, eligible healthcare providers and hospitals must meet a host of "meaningful use" requirements, including several that involve security and privacy components. They also must use EHR software certified to meet new Stage 2 criteria, including specific encryption capabilities.
Many healthcare associations have asked federal authorities to give hospitals and clinicians more time to attest to qualifying for Stage 2 incentives by fine-tuning the attestation timeline, making Stage 2 last longer or delaying the start of Stage 3, now slated to start in 2016.
But regardless of whether the timeline changes, one key way to prepare for Stage 2 is to complete a thorough HIPAA security risk analysis, including a careful assessment of how to apply encryption. A risk analysis "will help providers identify the potential areas of their administrative, physical and technical environment that might be vulnerable and that they might need to mitigate," says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT, which coordinates development of HITECH guidelines.
(Despite the government shutdown, online state health insurance exchanges went live for open enrollment Oct. 1 under the Affordable Care Act, also known as Obamacare. But the Department of Health and Human Services furloughed about half of its staff, virtually shutting down certain units, including ONC and the Office for Civil Rights, which enforces HIPAA (see: Two HHS Units Hit Hard by Shutdown). Among those who will be at work at HHS through the shutdown are health insurance exchange-related employees, ranging from call center operators to computer technicians and administrators responsible for the rollout of the program.)
Certified Software Requirements
To help prevent breaches, especially those involving lost or stolen unencrypted devices, the EHR software certification rule for Stage 2 requires that the software automatically encrypt data if it's stored on end-user devices, including mobile gear such as laptop computers and smart phones.
"EHR software must encrypt protected health information at rest when on a user device and at the end of the user session," explains security expert Kate Borten of The Marblehead Group consulting firm. "Alternatively, mobile apps can be designed not to leave any residual PHI on the user device at the end of the session."
Borten says these new requirements amount to "prudent security design" to address risks. "Mobile apps and mobile devices - usually owned by the individual, not the organization - are a big risk ... among healthcare providers."
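As an added illustration of the design Borten describes (example code written for this page, not code from any certified EHR product or from the certification rule itself): a session-scoped cache that seals PHI on the end-user device with AES-256-GCM under a key that exists only in process memory, and that removes the cached files and zeroes the key when the session ends. The directory layout, the function names and the sample record are assumptions made for the example; the record ID is bound as associated data so a file cannot be swapped between patients without failing authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// SessionCache holds PHI on an end-user device only for the life of a session.
// Every record written to disk is sealed with AES-256-GCM under a key that
// exists only in process memory; ending the session removes the files and
// zeroes the key, so no readable PHI remains on the device.
type SessionCache struct {
	dir  string
	aead cipher.AEAD
	key  []byte
}

// NewSessionCache creates the cache directory and a random 256-bit session key.
func NewSessionCache(dir string) (*SessionCache, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionCache{dir: dir, aead: aead, key: key}, nil
}

// path maps a record ID to a file name; Base() strips any directory components
// so a crafted ID cannot escape the cache directory.
func (c *SessionCache) path(recordID string) string {
	return filepath.Join(c.dir, filepath.Base(recordID)+".enc")
}

// Store seals plaintext PHI and writes nonce||ciphertext||tag to disk.
// The record ID is bound as associated data, so the file is only valid for
// the ID it was written under.
func (c *SessionCache) Store(recordID string, phi []byte) error {
	if c.aead == nil {
		return errors.New("session ended")
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := c.aead.Seal(nonce, nonce, phi, []byte(recordID))
	return os.WriteFile(c.path(recordID), sealed, 0o600)
}

// Load reads and authenticates a record; a modified file or wrong ID fails.
func (c *SessionCache) Load(recordID string) ([]byte, error) {
	if c.aead == nil {
		return nil, errors.New("session ended")
	}
	sealed, err := os.ReadFile(c.path(recordID))
	if err != nil {
		return nil, err
	}
	ns := c.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return c.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

// EndSession removes every cached file and discards the key, so an attacker
// who later images the device recovers neither plaintext nor the key.
func (c *SessionCache) EndSession() error {
	err := os.RemoveAll(c.dir)
	for i := range c.key {
		c.key[i] = 0
	}
	c.key, c.aead = nil, nil
	return err
}

func main() {
	dir, _ := os.MkdirTemp("", "phi-cache")
	c, err := NewSessionCache(dir)
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI for the example; not real patient data.
	_ = c.Store("patient-1234", []byte("Jane Doe, DOB 1970-01-01, A1c 7.2"))
	phi, _ := c.Load("patient-1234")
	fmt.Printf("decrypted during session: %s\n", phi)
	_ = c.EndSession()
	_, err = c.Load("patient-1234")
	fmt.Println("after session end:", err)
}
```

The certification criterion does not prescribe an algorithm or key handling, so this is one design, not the only one; a platform keystore-backed key is the other common choice on mobile devices. The check that matters for the "prudent security design" Borten refers to is that the plaintext never appears on disk and that nothing decryptable survives the session, and the key must not be written beside the data, which would make the encryption decorative.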
To be certified for Stage 2, EHRs also must be able to support corrections and amendments to patient records in compliance with individual rights under the HIPAA privacy rule.
Among optional requirements for certified EHR software in Stage 2 is an accounting of disclosures capability that would allow providers to give patients a record of the dates, times and names of those who accessed their records, as well as a description of that access. The Privacy and Security Tiger Team of the HIT Policy Committee that advises ONC held a virtual hearing on Sept. 30 on the accounting of disclosures issue.
Meaningful Use Requirements
To prove they meet the Stage 2 requirement for meaningful use of EHRs, hospitals and physicians must attest to conducting a risk assessment that specifically describes protection of data at rest either through encryption or another reasonable and appropriate method, which they must document.
Under Stage 2, physicians and hospitals also must demonstrate that 5 percent of their patients are taking advantage of the opportunity to view, download or transmit to third parties their electronic health information. To meet the requirement, organizations can, for example, provide patients with access to their health information through a secure portal.
In addition, clinicians must demonstrate that 5 percent of their patients are using secure messaging to communicate with them about relevant health information.
Also, Stage 2 emphasizes secure health information exchange among providers to improve care coordination. That includes new requirements for the electronic exchange of summary of care documents among providers for more than half of transitions of care and referrals.
Citing multiple regulatory compliance burdens, a long list of healthcare industry groups, as well as several members of Congress, in recent weeks have been pushing for an extension of the amount of time that healthcare providers have to meet the Stage 2 requirements. They point out that healthcare organizations also are scrambling to comply with the new HIPAA Omnibus Rule as well as the switch to ICD-10 codes for medical billing, which is required next year.
Among groups pushing for a delay or extension of Stage 2 are the College of Healthcare Information Management Executives, American Hospital Association, American Medical Association, American College of Physicians, the American Academy of Family Physicians, the Health Information and Management Systems Society, the National Rural Health Association and the Medical Group Management Association.
Some of the groups also argue that many healthcare providers, especially those that just recently met the requirements for Stage 1 of the HITECH program, are not ready to implement EHR software that's been certified to meet Stage 2 requirements.
"Many providers simply will not have the time to upgrade software in a safe, responsible manner to meet [Stage 2] meaningful use criteria," says Sharon Canner, senior director of public policy at the College of Healthcare Information Management Executives.
Borten points out that EHR vendors also bear the burden of Stage 2 security compliance. "For example they must design the EHR with [new] capabilities, many of which will be transparent to the provider," she says. Those "transparent" features include automatic encryption of data stored on end-user devices, as well as not permitting the EHR system to modify logs, she notes.
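As an added example of what a log the EHR application cannot modify looks like in practice, and of how the same structure yields the per-patient accounting of disclosures described earlier (dates, times, who accessed a record and what they did): a hash-chained, append-only access log. This is code written for this page, not a vendor's implementation or anything the Stage 2 criteria prescribe; the field names, the sample users and the sample patient IDs are assumptions. Each entry's hash covers its contents and the previous entry's hash, so editing, reordering or deleting any entry is detected by recomputing the chain.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// AccessEntry is one accounting-of-disclosures record: who touched which
// patient record, when, and what they did. PrevHash links it to the entry
// before it and Hash covers the whole entry, so altering or removing any
// entry invalidates every hash after it.
type AccessEntry struct {
	Seq       int
	Time      time.Time
	User      string
	PatientID string
	Action    string
	PrevHash  string
	Hash      string
}

// AccessLog is append-only: it offers no method to edit or delete an entry.
type AccessLog struct {
	entries []AccessEntry
}

// genesisHash is the PrevHash of the first entry.
var genesisHash = strings.Repeat("0", 64)

// entryDigest hashes the entry fields in a fixed order with separators, so
// two different entries cannot serialize to the same bytes.
func entryDigest(e AccessEntry) string {
	payload := fmt.Sprintf("%d|%s|%s|%s|%s|%s",
		e.Seq, e.Time.UTC().Format(time.RFC3339Nano), e.User, e.PatientID, e.Action, e.PrevHash)
	sum := sha256.Sum256([]byte(payload))
	return hex.EncodeToString(sum[:])
}

// Append records an access and chains it to the previous entry.
func (l *AccessLog) Append(at time.Time, user, patientID, action string) AccessEntry {
	prev := genesisHash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AccessEntry{Seq: len(l.entries), Time: at, User: user, PatientID: patientID, Action: action, PrevHash: prev}
	e.Hash = entryDigest(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes the chain and returns the index of the first entry whose
// sequence number, link or hash does not check out, or -1 if the log is intact.
func (l *AccessLog) Verify() int {
	prev := genesisHash
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || entryDigest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Disclosures returns every access to one patient's record: the list a
// provider would hand to the patient on request.
func (l *AccessLog) Disclosures(patientID string) []AccessEntry {
	var out []AccessEntry
	for _, e := range l.entries {
		if e.PatientID == patientID {
			out = append(out, e)
		}
	}
	return out
}

// Entries exposes the backing slice so the effect of tampering can be shown.
// A production store would keep the entries out of the application's reach
// (a separate service or write-once storage), which is the point of the design.
func (l *AccessLog) Entries() []AccessEntry { return l.entries }

func main() {
	var l AccessLog
	t0 := time.Date(2013, 10, 1, 9, 0, 0, 0, time.UTC) // constructed sample times
	l.Append(t0, "dr.smith", "patient-1234", "view")
	l.Append(t0.Add(time.Minute), "nurse.lee", "patient-5678", "view")
	l.Append(t0.Add(2*time.Minute), "dr.smith", "patient-1234", "amend")
	fmt.Println("intact log, first bad index:", l.Verify())
	for _, e := range l.Disclosures("patient-1234") {
		fmt.Printf("%s %s %s\n", e.Time.Format(time.RFC3339), e.User, e.Action)
	}
	l.Entries()[1].User = "someone-else" // simulate an after-the-fact edit
	fmt.Println("after tampering, first bad index:", l.Verify())
}
```

The chain only proves that the log has not changed since the last hash the verifier trusts, so in practice the latest hash is periodically anchored somewhere the EHR application cannot write (a separate audit service, a signed timestamp, or write-once storage); without that, an attacker with full control of the log can simply rebuild the chain.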