Written by Mac McMillan, FHIMSS, CISM | February 15, 2013

The final statement in the Attestation that Healthcare providers have to sign says it all. “I certify that the foregoing information is true, accurate and complete. I understand the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, that by filing this attention I am a claim for Federal Funds, and the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare/Medicaid EHR incentive program payment, may be prosecuted under Federal or State criminal laws and may also be subject to civil penalties.” And the Federal government is beginning to get serious about making sure those statements are indeed accurate. If they are not, it puts the organization at risk of having to return incentive payments received, as some have had to do already, or worse face additional fines or criminal penalties. At a time when the industry is struggling with small operating margins, the cost of implementing CEHRT and other technologies, and additional compliance related costs we can ill afford to have this happen.

So what is required to meet the privacy and security requirements of Meaningful Use for Stage 1? Essentially organizations must meet Core Measures 12 and 15 and be able to demonstrate three things. The first is that they have acquired and implemented a Certified Electronic Health Record Technology (CEHRT) in a meaningful way. Meaningful way, as it relates to security, is defined as fully implemented and using all of the security functionality (technical controls) that the system offers. Second, they must demonstrate the ability to provide access to the patient’s medical record and information upon request in accordance with Core Measure 12 and the Privacy Rule requirements around proper uses and disclosures. Third, they must conduct or review a risk analysis in accordance with the original HIPAA Security Rule requirement prior to attesting and address remediation of gaps identified during the attestation period. The reason the requirement specifically says “conduct or review” is because if the organization has already completed a risk analysis, which they should have to meet HIPAA compliance, then they are not required to conduct a full blown risk analysis, but simply review the one they have already completed taking into consideration for their CEHRT system. Essentially there is nothing in Meaningful Use Stage 1 that is not already required by HIPAA.

Meaningful Use Stage 2 builds on Stage 1 and makes minor changes and additions to the security requirements, but again it does not change the basic requirements specified in HIPAA. For Stage 2 the Risk Analysis requirement is broadened to include documentation of encryption use and it becomes an annual requirement in conjunction with the attestation year. The basic requirement however remains the same, conduct or review a risk analysis in accordance with the HIPAA Security Rule standard. Stage 2 adds the requirement for both Eligible Providers (EP) and Hospitals (EH) to demonstrate the ability to communicate securely with patients and provide secure access to their medical information. For EPs there is a measurable component to this requirement for a small percentage of patients to use secure communications with them. Stage 2 also rearranges some of the functionality requirements of the CEHRT, but it does not change them. The basic technical controls called for in the HIPAA Security Rule are still required. Procedurally there are a couple of changes, such as identifying specifically who can activate the Emergency Access Procedure, as opposed to simply having an emergency access procedure. Again there is nothing required here that is not already present in HIPAA.

In the early part of 2012 the General Accounting Office conducted a review and called for better oversight of incentive payments under Meaningful Use, citing that CMS was not actively verifying that healthcare organizations applying for such funds were providing accurate information during the attestation process. In response CMS launched an audit program with an outside audit firm to collect information concerning attestations. Coincidentally the HHS OIG also launched a survey, which by the nature of its questions regarding CEHRT implementation and barriers to, also provides insight into the accuracy of those attestations. Many are already saying that the audits do not go far enough to verify these attestations. Audits in the future may take on more of an OCR HIPAA audit like approach involving on-site review, interviews as well as documentation review. The point is that this is a serious responsibility with potentially serious consequences. Organizations need to ensure that security readiness is an integral component of their Meaningful Use compliance projects. The good news is that this should not be a major challenge if an organization is already meeting their HIPAA Security Rule requirements. The Office of the National Coordinator for Health IT has produced an excellent guide to help organizations understand and meet these requirements.

Guide to Privacy and Security of Health Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf