The words "meaningful" and "use" are undoubtedly on the lips of many a CIO as 2014 approaches and brings with it stage 2 of the federal EHR incentive programs, and especially in light of the recent omnibus HIPAA privacy and security rule. Final requirements outlining criteria for the certification of EHR technology for stage 2 meaningful use were published in September 2012. Meaningful use under the stage 1 criteria, which focused on data capturing and sharing in 2011 and 2012, must have been achieved before providers can move on to stage 2.
Among the stage 2 criteria is specific detail about data encryption required for EHR certification. Core measure 7 of the stage 2 eligible hospital and critical access hospital (CAH) measures outlines several key areas:
- Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in [certified EHR technology] CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3).
- Eligible hospitals and CAHs must conduct or review a security risk analysis of [CEHRT], including addressing encryption/security of data, and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review.
- Eligible hospitals and CAHs are not required to report to CMS or the states on specific data encryption methods used. However, they are required to address the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a) (2)(iv) and 45 CFR 164.306(d)(3).
Other stage 2 encryption requirements include:
- Protecting patient health information with at least a symmetric, 128-bit fixed-block cipher algorithm capable of using a 128-, 192-, or 256-bit encryption key when furnishing electronic copies of patient health information.
- Developing a username for each user.
- Encrypting and decrypting health information when using removable media.
Changes on the horizon: Omnibus HIPAA rule
On Jan. 17, 2013, the Department of Health and Human Services' Office for Civil Rights announced the new omnibus HIPAA rule intended to "improve privacy protections and security safeguards for consumer health data."
Four final rules covering a wide range of HIPAA-related issues are included in the omnibus rule, chief among them being the increased compliance responsibility placed on business associates in protecting health information and reporting breaches. Previously, the rules focused on health care providers and health plans.
The OCR's "significant harm" standard, in place since the interim final breach notification rule was released in 2009, has been replaced with a "low probability" standard. This puts the onus on covered entities and business associates to conduct formal risk assessments for breach notifications even if they don't believe the breach is significant. Penalties for noncompliance will be assessed within a tiered structure based on the extent of negligence, and can reach a maximum of $1.5 million per violation.
The HIPAA rule could mean significant changes to the way contractors and subcontractors treat data encryption. EHR vendors only have to be able to show that they encrypt the data that is stored on an endpoint device, or show that they don't allow the saving of information to a device. However, the increased responsibility placed on business associates includes contractors and subcontractors.
All about incentives
Under the HITECH Act, incentive payments are available to eligible health care professionals and hospitals that adopt certified EHR technology and demonstrate meaningful use of certified technology. In effect, these are reimbursement payments to help defray -- or even cover in their entirety -- providers' upfront costs to meet EHR certification requirements.
It must be noted that providers are eligible for reimbursement only if they use certified EHR systems.
Supporting EHR encryption
CIOs will take different methods to achieve EHR compliance depending on the size of the organization; the age of the existing system to be updated, upgraded, or replaced outright; and, of course, whether the objective is qualifying for incentives.
When it comes to data encryption alone, there are a number of questions CIOs need to consider:
- Can simple software updates be made to an existing system, or is it necessary to start from scratch?
- Is patient data currently encrypted, and if so, does encryption extend to backup storage and removable media?
- What would be involved in a data migration strategy?
- Is current data being stored on on-site servers, and if so, is it time to consider cloud-based storage?
- Is there an IT security resource that is already qualified to do the work, or is it necessary to research new resources?
- Can a new resource be leveraged for budget purposes and integrated with other products?
- What is the cost involved in ongoing IT and/or training support after implementation?
The first step in figuring out how to proceed is to perform an audit of your current system and processes in combination with a risk analysis. Once you have identified your objectives in the context of your current circumstances, it's time to consider how to move forward.
But always remember this: The goal is not just EHR certification and compliance. It is mitigated risk in a continually volatile environment, especially given the new tiered breach-violation figures. Just consider a few recent HIPAA breaches:
- Emory Healthcare in Atlanta misplaced 10 backup disks containing information for more than 315,000 patients. Costs are expected to climb beyond $3 million.
- California's Sutter Health had a computer stolen that contained confidential information on 4.2 million patients. A class action lawsuit was filed in late 2011 for $1 billion.
- Tricare's data breach in 2011 affected 4.9 million patients from the past 20 years. Unencrypted backup tapes were stolen while in transit from one work site to another. In addition to fines, a class action lawsuit is asking $1,000 per patient, for a total of $4.9 billion.
The Office of the National Coordinator for Health Information Technology (ONC) lists products certified for meaningful use. Per the ONC, each complete EHR and EHR module listed on the website has been tested and certified by an ONC-Authorized Testing and Certification Body.
Preparing for EHR stage 2 and beyond
By most accounts, implementing stage 1 requirements and preparing for stage 2 is no easy undertaking, even considering just the time involved and manpower required. Add in the expense of new systems, the implementation of new security measures, and the training that will be needed for new compliance protocols, and expenses increase.
As expenses increase, so does anxiety. However, the Medicare and Medicaid incentives that offset upfront costs help, as does the enhanced security that can help lower the probability of HIPAA breaches. Success is as much in mitigating the opportunities for failure as it is implementing new systems.
Preparation and continuity are keys to successful EHR integration, which begins with analyzing what needs to be changed but doesn't end at implementation.
Here are some tips for succeeding with EHRs:
- Do a gap analysis. Looking at where you are now versus where you need to be can provide a clear path.
- Identify and prioritize implementations.
- Research. You'll know the solution that works best for you only by examining all the possibilities.
- Consider the upsides of an upfront spend. No one wants to pay fines and be faced with a lawsuit because a backup disk or laptop was compromised.
- Train the workforce on new security measures. Your security is only as good as your least-informed team member.
- Establish policies and procedures in concert with compliance.
- Test and retest compliance procedures and readiness, and tinker where necessary.
- Investigate customization opportunities that further prepare your team for ongoing compliance.
Making your compliance team part of the solution means they won't part of the problem. Consult them early and often.